SMBs can DCEPT attackers with free network monitoring tools
Open source honeytoken lures hackers who try to steal admin-level credentials
By Jaikumar Vijayan, ThirdCertainty
Many small and midsize companies cannot afford to purchase state-of-the-art network security technologies used by large enterprises.
Here’s the good news: There are some pretty nifty security tools available for free to SMBs—technology developed and donated for the greater good by top security vendors, as well as by independent researchers.
One recent example is an open source tool called Domain Controller Enticing Password Tripwire, or DCEPT. Joe Stewart and James Bettke, the Dell SecureWorks researchers who developed DCEPT, describe it as a proof-of-concept tripwire-style intrusion detection system for Active Directory environments.
DCEPT is designed to trick attackers into revealing their movements inside a network by using the equivalent of digital bait.
Consider that many of the biggest data compromises in recent times resulted not from the initial break-in itself, but from how attackers were able to use that entry point as a beachhead to then jump on to other systems and network segments and harvest data.
Security researchers describe jumping across the network as lateral movement. It is the phase of an intrusion when an attacker snoops around for opportunity-rich targets to go after inside a compromised network.
Big tool for small companies
DCEPT, which is available for free at the download site GitHub, can be useful in detecting lateral movement, especially for smaller organizations that do not have the skills or the budget to invest in sophisticated network monitoring tools.
DCEPT is designed to stop one of the most commonly used methods by attackers to move laterally within a network. When attackers break into a network, the first thing they often do is look for the Windows Active Directory domain administrator account password on the compromised system, Stewart tells ThirdCertainty.
Administrators often need access to other computers on the network for things like routine maintenance. But when they log in to a system remotely, Windows by default caches their domain credentials in that system's memory, Stewart explains.
This creates a major problem. An attacker on the system can easily recover the domain password using readily available memory scraping tools, he says. Stewart pointed to software called Mimikatz as one example of a credential-stealing tool that attackers often use to scrape domain password tokens from the credential cache and then use them to move across the network at will.
Such memory scraping often can be hard to detect, and so, too, is detecting attackers as they move across the network using stolen administrator credentials. Products capable of detecting anomalous login and network behavior can be costly, especially for smaller firms.
Setting the bait
What DCEPT does is try to trick attackers into exposing themselves by using fake domain passwords—or honeytokens—as lures. The idea is simple: Plant honeytoken domain administrator passwords in the memory of every endpoint system, so that if an attacker breaks into one, scrapes the password token from memory and attempts to use it, they are immediately spotted. Since the token is fake, any attempt to use it triggers an alert that can be quickly detected, Stewart says.
“Basically, if someone is trying to steal credentials, they will steal these fake credentials and give themselves away,” he says.
The DCEPT tool is capable of generating unique honeytokens for individual endpoints. That allows administrators not only to detect when an attacker attempts to use one, but also to know exactly which system was compromised. DCEPT allows new tokens to be generated and distributed to endpoint systems on a daily basis, so by looking at which honeytoken an attacker is attempting to use, an administrator would instantly know when the system was breached, Stewart says.
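The two properties Stewart describes above, a token that is unique per endpoint and rotated daily, are what turn a honeytoken alert into an answer to "which machine, and since when?". The following Python is an added illustration of that bookkeeping, not DCEPT's own code: a small server model derives one decoy password per (host, day) from a server-side secret, records where each was issued, and, when a logon attempt for the decoy account is observed, works out which issued password produced it. The decoy account name, the host names, the dates and the toy challenge-response check are all constructed for the example; real Active Directory authentication does not put the password itself in any log, which is why the lookup verifies candidates against the observed proof rather than reading the password back.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Constructed decoy account name for the example (assumption, not DCEPT's default).
HONEY_USER = "svc-backup-admin"


def logon_response(password: str, challenge: bytes) -> bytes:
    """Proof a client computes in this toy challenge-response scheme.
    Stands in for whatever the real protocol sends; it never carries the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class HoneytokenServer:
    """Simplified model of a DCEPT-style honeytoken server (added example).

    It issues one fake domain-admin password per endpoint per day, remembers
    which host received which password, and attributes any later use of the
    decoy account back to that host and issue date.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Server-side secret only; endpoints receive derived passwords, never the key.
        self.key = key or secrets.token_bytes(32)
        # password -> (host, day it was planted)
        self.issued: dict = {}

    def issue(self, host: str, day: date) -> str:
        # Deterministic derivation lets the server regenerate a token on demand,
        # while the (host, day) input makes every token distinct.
        msg = f"{host}|{day.isoformat()}".encode()
        password = "Hny!" + hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        self.issued[password] = (host, day)
        return password

    def rotate_daily(self, hosts, start: date, days: int) -> None:
        """Plant a fresh token on every host for each of `days` consecutive days."""
        for offset in range(days):
            for host in hosts:
                self.issue(host, start + timedelta(days=offset))

    def attribute(self, username: str, challenge: bytes, response: bytes) -> Optional[dict]:
        """Turn an observed logon attempt into an alert with host and issue date.

        Returns None for accounts that are not the decoy, a dict with host/issued
        for a known token, and a dict with host=None when the decoy account was
        tried with a password this server never issued.
        """
        if username != HONEY_USER:
            return None  # ordinary account; nothing to do here
        for password, (host, day) in self.issued.items():
            expected = logon_response(password, challenge)
            if hmac.compare_digest(expected, response):
                return {"alert": "honeytoken used", "host": host, "issued": day.isoformat()}
        return {"alert": "decoy account used with unissued password", "host": None, "issued": None}


if __name__ == "__main__":
    # Constructed scenario: two workstations, three days of rotation.
    server = HoneytokenServer()
    server.rotate_daily(["WS-ALICE", "WS-BOB"], date(2016, 3, 1), days=3)
    # The token that was planted on WS-BOB on day two is later seen in a logon attempt.
    scraped = server.issue("WS-BOB", date(2016, 3, 2))
    challenge = secrets.token_bytes(16)
    print(server.attribute(HONEY_USER, challenge, logon_response(scraped, challenge)))
    print(server.attribute("jsmith", challenge, logon_response("irrelevant", challenge)))
```

Because `issue` is deterministic, re-issuing the same (host, day) pair yields the same password and does not grow the registry; in practice the registry would also want an expiry policy so that alerts on very old tokens still point at a useful investigation window.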
“The other benefit to it is that DCEPT is open source so your network and security staff can audit the source code and be absolutely sure of what they are running,” he says.
DCEPT is one of multiple useful security tools that are available for free via sites like GitHub. Some other examples include the Metasploit Framework from Rapid7 for penetration testing purposes; MIDAS, an intrusion detection system for Macs; and Wireshark, a popular and widely used packet analysis tool.
While such tools are not meant as replacements for high-end, more full-featured commercial security tools, often they offer sufficiently robust capabilities to make them useful, especially for security organizations without big budgets.