SMBs can DCEPT attackers with free network monitoring tools

Open source honeytoken lures hackers who try to steal admin-level credentials

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Many small and mid­size com­pa­nies can­not afford to pur­chase state-of-the-art net­work secu­ri­ty tech­nolo­gies used by large enterprises.

Here’s the good news: There are some pret­ty nifty secu­ri­ty tools avail­able for free to SMBs—technology devel­oped and donat­ed for the greater good by top secu­ri­ty ven­dors, as well as by inde­pen­dent researchers.

One recent exam­ple is an open source tool called Domain Con­troller Entic­ing Pass­word Trip­wire, or DCEPT.  Joe Stew­art and James Bet­tke, the Dell Secure­Works researchers who devel­oped DCEPT, describe it as a proof-of-con­cept trip­wire-style intru­sion detec­tion sys­tem for Active Direc­to­ry environments.

Relat­ed sto­ry: Orga­ni­za­tions find secu­ri­ty aware­ness train­ing is becom­ing a vital tool

DCEPT is designed to trick attack­ers into reveal­ing their move­ments inside a net­work by using the equiv­a­lent of dig­i­tal bait.

Con­sid­er that many of the biggest data com­pro­mis­es in recent times result­ed not from the ini­tial break-in itself, but from how attack­ers were able to use that entry point as a beach­head to then jump on to oth­er sys­tems and net­work seg­ments and har­vest data.

Secu­ri­ty researchers describe jump­ing across the net­work as lat­er­al move­ment. It is the phase of an intru­sion when an attack­er snoops around for oppor­tu­ni­ty-rich tar­gets to go after inside a com­pro­mised network.

Big tool for small companies

DCEPT, which is avail­able for free at the down­load site GitHub, can be use­ful in detect­ing lat­er­al move­ment, espe­cial­ly for small­er orga­ni­za­tions that do not have the skills or the bud­get to invest in sophis­ti­cat­ed net­work mon­i­tor­ing tools.

Joe Stewart, Dell SecureWorks researcher
Joe Stew­art, Dell Secure­Works researcher

DCEPT is designed to stop one of the most com­mon­ly used meth­ods by attack­ers to move lat­er­al­ly with­in a net­work. When attack­ers break into a net­work, the first thing they often do is look for the Win­dows Active Direc­to­ry domain admin­is­tra­tor account pass­word on the com­pro­mised sys­tem, Stew­art tells ThirdCertainty.

Admin­is­tra­tors often need access to oth­er com­put­ers on the net­work for things like rou­tine main­te­nance. But when they access and login to a sys­tem remote­ly, Win­dows caches their domain cre­den­tials by default in the sys­tem mem­o­ry, Stew­art explains.

This cre­ates a major prob­lem. An attack­er on the sys­tem can eas­i­ly recov­er the domain pass­word using read­i­ly avail­able mem­o­ry scrap­ing tools, he says. Stew­art point­ed to soft­ware called Mimikatz as one exam­ple of a cre­den­tial-steal­ing tool that attack­ers often use to scrape domain pass­word tokens from the cre­den­tial cache and then use it to move across the net­work at will.

Such mem­o­ry scrap­ing often can be hard to detect, and so, too, is detect­ing attack­ers as they move across the net­work using stolen admin­is­tra­tor cre­den­tials. Prod­ucts capa­ble of detect­ing anom­alous login and net­work behav­ior can be cost­ly, espe­cial­ly for small­er firms.

Set­ting the bait

What DCEPT does is try and trick attack­ers into expos­ing them­selves by using fake domain passwords—or honeytokens—as lures. The idea is sim­ple: Plant hon­ey­to­ken domain admin­is­tra­tor pass­words in the mem­o­ry on all end­point sys­tems so if an attack­er breaks into one and scrapes the pass­word token from mem­o­ry and attempts to use it, they are imme­di­ate­ly spot­ted. Since the token is fake, any attempt to use it trig­gers an alert than can be quick­ly detect­ed, Stew­art says.

Basi­cal­ly, if some­one is try­ing to steal cre­den­tials, they will steal these fake cre­den­tials and give them­selves away,” he says.

The DCEPT tool is capa­ble of gen­er­at­ing unique hon­ey­to­kens for indi­vid­ual end­points. That allows admin­is­tra­tors to not only detect when an attack­er attempts to use it, but also to know exact­ly which sys­tem was com­pro­mised. DCEPT allows new tokens to be gen­er­at­ed and dis­trib­uted to end­point sys­tems on a dai­ly basis, so by look­ing at what hon­ey­to­ken an attack­er is attempt­ing to use, an admin­is­tra­tor would instant­ly know when the sys­tem was breached, Stew­art says.

The oth­er ben­e­fit to it is that DCEPT is open source so your net­work and secu­ri­ty staff can audit the source code and be absolute­ly sure of what they are run­ning,” he says.

DCEPT is one of mul­ti­ple use­ful secu­ri­ty tools that are avail­able for free via sites like GitHub. Some oth­er exam­ples include the Metas­ploit Frame­work from Rapid7 for pen­e­tra­tion test­ing pur­pos­es, MIDAS, an intru­sion detec­tion sys­tem for Mac’s and Wire­Shark, a pop­u­lar and wide­ly used pack­et analy­sis tool.

While such tools are not meant as replace­ments for high-end, more full-fea­tured com­mer­cial secu­ri­ty tools, often they offer suf­fi­cient­ly robust capa­bil­i­ties to make them use­ful, espe­cial­ly for secu­ri­ty orga­ni­za­tions with­out big budgets.

More sto­ries relat­ed to net­work security:
As threats mul­ti­ply, cyber insur­ance and tech secu­ri­ty indus­tries start to merge
New net­work defens­es leave intrud­ers with no place to hide
New tac­tics need­ed to search for, destroy net­work invaders


Posted in Cybersecurity, Data Security, Featured Story