2018-08-06
How defenders in a US national security agency capture-the-flag exercise used false data to thwart attackers and contain damage.
We live in a world where attack vectors keep multiplying. Hackers use increasingly brazen methods to break through perimeter defenses, including stolen credentials and backdoors, phishing, spyware and malware, brute force, and more. Once attackers have successfully breached a network, they usually have plenty of time to do significant damage. According to the Verizon 2016 Data Breach Investigations Report, only 25% of compromises lasted "days or less", and FireEye's 2017 M-Trends report shows that, despite continuing improvement in detection methods, the average time to discover a cyber attack is still 99 days, with 47% of compromises being reported to the victim by an external source (such as the FBI).
No single solution can stop every form of attack while also containing the damage an attack causes. Like a military made up of an army, a navy and an air force, each with many kinds of weapons and personnel, a cybersecurity defense system must anticipate every possible threat vector and develop multiple mechanisms to counter them.
Awareness of deception, one of the newest cybersecurity approaches, is growing. Gartner calls it "threat deception" and predicts that 10% of enterprises will adopt some form of cyber deception by 2018. Deception relies on a vulnerability of the attacker: attackers believe that the information they find on the network is real and that the data they collect is reliable. A deception strategy exploits this vulnerability by placing realistic-looking false information on enterprise endpoints, networks, data and applications. Once perimeter defenses fail, attackers can no longer tell real data from deception data.
How do advanced attackers approach a network? First, unlike their portrayal in movies, hackers use a variety of tools and techniques to slowly and methodically collect data, analyze it, and move laterally across the network. Initially, when they gain access to a network, they are a little disoriented. They do not know where they have landed or where the target is. Through trial and error, they build a map of the environment: the network itself and how it is used. For example, from one employee's computer they may find clues pointing to a SharePoint server, and there find related documents and names that help them decide their next move. The more advanced the attacker, the more sophisticated the lateral movement techniques; the more they move laterally, the more detailed the map. This iterative process eventually lets them find and compromise the target.
A common tactic for catching attackers as they move through the network is the honeypot. A honeypot looks like a PC or server, and the idea is that when an attacker accesses it, the honeypot raises an alert telling IT staff that an attack is under way. The problem with honeypots is that they are time-consuming to deploy and manage, so relatively few are used, which means a major compromise may already have happened by the time an attacker touches one. Worse, experienced hackers can easily identify honeypots.
Threat deception takes a different approach. The course of a red-team exercise illustrates deception techniques, and their effectiveness, well. A US defense agency set up a "capture the flag" exercise to test the effectiveness of a deception strategy. One team acted as the attackers, carrying out multiple attacks to capture and retrieve a target protected by the defending team. The attacking team did not know that a deception strategy had been deployed. The defending team then introduced various kinds of false data on endpoints, servers and attack surfaces. The deception types included "share deceptions" (luring attackers into accessing fake shared folders and files), "Windows credential deceptions" (luring attackers with credentials of non-existent users) and "file deceptions" (luring attackers into accessing and using credentials stored in fake files). These deceptions were carefully crafted to make sure they looked real to the attackers.
To deploy the deception strategy, the defending team used two components: a server to distribute the deceptions and a trap server. As a low-cost, agentless solution, the deception strategy had almost no impact on network services and performance and was highly scalable. The deceptions were deployed on existing workstations, laptops and servers across the enterprise and needed no special hardware. In addition, legitimate users of the network never access the deception information, so their work is unaffected. This also greatly reduces the number of false positives.
When the attacking team launched its attack, it immediately encountered the deception information, which was exactly what it needed to move laterally across the network. Accessing the deception information triggered the trap server, which alerted the defending team to the attack. The trap server looks like a real server; when attackers encounter it, they sift through the information it contains as they normally would, but in this case the data is false. The trap server also performs real-time forensics on the source of the attack, helping the defending team determine the attacker's goals and providing actionable evidence and artifacts to help them contain the attack. In a real attack, such forensic analysis is very valuable to law enforcement.
Similarly, a large international bank facing a growing number of financial threats also deployed a deception strategy to complement its existing cybersecurity tools and add a new, more immediate threat detection capability. The bank took an approach similar to the US defense agency's, deploying a series of deceptions for shared folders, servers, Windows credentials, SWIFT and other network systems. With the deception solution in place, the bank achieved its goal of near-instant detection with a low false positive rate. When an alert was triggered, the security team could observe the attacker's lateral movement through the network, collect forensic data and monitor the attack in progress. This allowed the defending team to be more strategic and stop the attack before it caused damage.
Cybercriminals will keep getting smarter and bolder. To protect your network, you must keep strengthening your defenses. Deception is a powerful, preemptive, complementary defensive solution. If you are responsible for protecting network and data assets, you should consider a deception strategy.
9/12/2017 10:30 AM
How defenders in a US national security agency capture-the-flag exercise used an endless stream of false data across the network to thwart attackers and contain damage.
We live in a reality of continually multiplying attack vectors. Hackers are using increasingly brazen methods to break past perimeter defenses, using stolen credentials and backdoors, phishing, spyware and malware, brute force, and more. Once attackers have successfully breached a network, they typically have plenty of time to do significant damage. According to the Verizon 2016 Breach Investigations Report, only about 25% of compromises were discovered in "days or less," and the 2017 FireEye M-Trends report indicates that despite continuing improvement, the median number of days attackers dwell in victim networks before discovery is still 99 days — over 3 months — with 47% of breach notifications coming from external sources (such as when the FBI comes knocking).
No single solution can possibly prevent all forms of attack while also limiting the damage of a successful attack. Like a military composed of an army, navy, and air force, each with multiple types of weapons and personnel, a cybersecurity defense system must anticipate all possible threat vectors and develop specific and often multiple mechanisms for combating each.
Awareness of deception, one of the latest cyber innovations, is increasing. Gartner calls it "threat deception" and predicts 10% of enterprises will employ some form of cyber deception by 2018. [Editor's note: The author is the CEO of one of a number of vendors that are actively marketing threat detection products.] Deceptions rely on one of the few vulnerabilities attackers have: They believe that what they encounter on the network is real and that the data they collect is reliable. The deceptions strategy leverages this and layers enterprise endpoints, networks, data, and applications with false information that looks real to attackers. When perimeter defenses fail — and they will — attackers can't differentiate between the real data and the deceptions.
Consider how most sophisticated attackers approach a network. First, unlike movie portrayals, these hackers are slow and methodical, using various tools and techniques to collect data, analyze it, and move laterally throughout a network. Initially, when accessing a network, they are at a bit of a loss. They don't know where they have landed or where the target is. Through trial and error, they build a map of the environment — both the network itself and how it is used. For example, from one employee's PC, they may hit a SharePoint server, where they find documents and names of interest, which helps them determine where they should move next. The more sophisticated the attackers, the more tricks they have to move laterally, and the more they move around, the more detailed the map. This iterative process eventually enables them to find and breach their target.
One common strategy used today to catch attackers as they move around the network is honeypots. Honeypots look like PCs or servers, and the idea is that when attackers access a honeypot, an alarm is set off, alerting IT to the attack. The problem with honeypots is that they are time-consuming to deploy and manage, so relatively few are used, which means significant compromise already may have occurred by the time one is accessed. Even worse, they are actually easy for experienced hackers to identify.
Deception & Capture-the-Flag
Threat deception takes a different approach. Describing the progression of a red-team exercise demonstrates it best, and also shows the effectiveness of deception as a technique. A US national defense agency set up a capture-the-flag exercise to test the effectiveness of a deception strategy. One team took an offensive role, trying multiple attacks to capture and retrieve a target being protected by the defensive team. The offensive team did not know that a deception strategy was being deployed. The defensive team then introduced an endless stream of different sets of false data across the network — on endpoints, servers, and attack surfaces. The types of deceptions included "share deceptions" that dupe attackers to access fake shared folders and files, "Windows credentials deceptions" that ensnare attackers with non-existent user credentials, and "file deceptions" that induce attackers to access and use credentials stored in fake files. The deceptions were carefully crafted for the agency to ensure they would seem real to the attackers.
To deploy the deceptions, the defensive team used two components, a server to distribute the deceptions, and a trap server. As a low-footprint, agentless solution, the deception strategy had almost no impact on network services and performance and was potentially highly scalable. The deceptions were deployed on existing workstations, laptops, and servers throughout the enterprise, requiring no special hardware. Further, legitimate users of the network never accessed the false information, so they were able to continue working unaware and uninterrupted. This also dramatically reduced the number of false positives for the defensive team.
When the offensive team launched its attack, it immediately and unknowingly encountered the deceptions, which appeared identical to what the team needed for moving laterally across the network. Accessing the deceptions triggered the trap server, which alerted the defensive team to the attack. The trap server acts like a real server; when encountering it, the attacker sifted through the information it contained, as an attacker normally would do, but of course in this case the data was false. The trap server also ran real-time forensics on the source of the attack, helping the defensive team to determine the attacker's goals and deliver actionable evidence and artifacts to help them contain the incident. In a real attack, the forensic analysis might also have been very valuable to law enforcement.
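As an added illustration (not code from the article or from any deception product it describes), the detector below shows why the share, credential and file deceptions described above yield high-fidelity alerts once the trap server sees them touched: a decoy inventory is checked against constructed, simplified log lines, and because no legitimate user ever touches a decoy, every hit is an alert, and hits grouped by source trace the intruder's lateral movement. Decoy names, hosts, addresses and the log format are all invented for this example.

```python
import re
from collections import defaultdict
# Constructed decoy inventory (what a deceptions server would plant); all names are invented.
DECOYS = {
    "credential": {"svc_backup_adm", "sharepoint_sync"},  # Windows credential deceptions
    "share": {r"\\FS01\finance_archive"},                 # share deception (fake folder)
    "file": {"passwords_2017.xlsx"},                      # file deception (fake credential file)
}
# Constructed log format (not any real product's): space-separated key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")

def classify(event):
    """Return (decoy_type, decoy_id) if the event touched a decoy, else None."""
    kind, user, target = event.get("event"), event.get("user", ""), event.get("target", "")
    basename = target.rsplit("\\", 1)[-1]
    if kind == "share_access" and target in DECOYS["share"]:
        return ("share", target)
    if kind == "file_access" and basename in DECOYS["file"]:
        return ("file", basename)
    # Decoy credentials belong to no real account, so even a failed logon is a hit.
    if user in DECOYS["credential"]:
        return ("credential", user)
    return None

def detect(lines):
    """Run each log line past the decoy inventory and return one alert per hit."""
    alerts = []
    for line in lines:
        event = dict(KV_RE.findall(line))
        hit = classify(event)
        if hit:
            alerts.append({"ts": event["ts"], "src": event["src"], "host": event["host"],
                           "type": hit[0], "decoy": hit[1]})
    return alerts

def attack_path(alerts):
    """Group alerts by source address in time order to trace lateral movement."""
    path = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        path[a["src"]].append((a["ts"], a["host"], a["type"]))
    return dict(path)
# Constructed sample: jsmith (10.0.5.21) never touches a decoy; an intruder on 10.0.9.77 does.
SAMPLE_LOG = [
    "ts=09:31:02 event=logon user=jsmith src=10.0.5.21 host=WS-0421 result=success",
    r"ts=09:32:10 event=share_access user=jsmith src=10.0.5.21 host=FS01 target=\\FS01\projects",
    r"ts=09:40:55 event=file_access user=jsmith src=10.0.9.77 host=WS-0421 target=C:\Users\jsmith\Desktop\passwords_2017.xlsx",
    "ts=09:41:30 event=logon user=svc_backup_adm src=10.0.9.77 host=FS01 result=failure",
    r"ts=09:42:05 event=share_access user=svc_backup_adm src=10.0.9.77 host=FS01 target=\\FS01\finance_archive",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts, all from 10.0.9.77, and `attack_path` orders them as file deception on WS-0421, then decoy credential and decoy share on FS01.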
Similarly, a large international bank, concerned about the rising number of advanced persistent threats targeting financial services institutions, also deployed a deceptions strategy to complement its other existing cybersecurity tools and to add a new, more immediate threat detection capability. The bank used a similar approach to the US national defense agency, deploying a range of deceptions for shared folders, servers, Windows credentials, SWIFT, and other network systems. With the deception solution in place, the bank achieved its goal of nearly instant detection with a very low rate of false positives. When an alert was triggered, the security team was able to watch the attacker's attempts to move laterally through the network, gather forensic data, and monitor the attack in motion. This enabled the team to be more strategic and stop the attack before it caused damage.
Cybercriminals will continue to get smarter and bolder. To protect your network, you must continue to strengthen your defenses. Deceptions add a powerful, preemptive, complementary defensive solution against advanced attacks. If it's your job to ensure the security of your network and data assets, you should give deceptions a look.
Attachments:
《Deception - A Convincing New Approach to Cyber Defense》--原文.pdf (original)
《Deception - A Convincing New Approach to Cyber Defense》--译文.pdf (translation)