Researchers at Cybereason have been analysing a complex network honeypot operation, and the results should make every CISO pause for thought. Establishing fake servers to attract attackers is nothing new, and while the results can be useful from a threat intelligence perspective they don't tend to reveal anything particularly new either. Where the attackers are coming from is of less value than what they do when they arrive, and that's where the fake financial company created by Cybereason really delivered the goods; it was discovered and breached by automated bots almost instantly. "These tools will drop the average dwell time of an attacker from a couple of hours to a couple of minutes" the researchers warn.
This in itself comes as little surprise, considering that threat actors are as lazy as the next criminal truth be told. If they can find a botnet that will automate an exploit then they will use it. The Cybereason researchers saw a lot of rudimentary activity across all services, but what really caught their eye was the botnet that struck within two hours of the team weakening additional RDP ports.
It literally did the grunt work for the attackers, who didn't participate manually in the attack until after the bots had exploited known vulnerabilities, scanned the network, dumped credentials of the compromised machines and created new user accounts to enable the perpetrators to easily return even if the actual users changed their passwords in the meantime. Sounds like a lot of work, doesn't it? Yet this took the botnet just 15 seconds to achieve from start to finish.
The researchers say "the botnet that attacked the honeypot is designed to give full access to every machine it touches and spread throughout the entire network." The human attacker waited 48 hours before accessing the compromised network and exfiltrating 4Gb of worthless data.
In terms of preparing the honeypot, as well as establishing a fake company complete with users and a realistically populated network structure, Cybereason also released Remote Desktop Protocol credentials for three of the servers into dark market and paste sites inhabited by hackers. Then, additional RDP services with very weak passwords were established as well, in order to determine how quickly the service could be compromised once access was achieved. Finally, researchers opened up several other services to see which ports were scanned the most, as well as determining any large changes in functionality post the initial breach.
Ross Rustici, senior director of intelligence services at Cybereason, admitted to SC Media UK that security was deliberately weakened for the honeypot in order to entrap the threat actors. "The passwords were weakened to admin/admin which unfortunately is not uncommon for large enterprise networks" but assured us that other than these intentionally punched holes "everything else in the network was at a gold standard of cyber-hygiene; everything was the latest version and fully patched."
Sammy Migues, principal scientist at Synopsys, argues that only a person incapable of actual hacking would ever do all those steps manually and "that person is probably not an attacker to be feared." But Migues also says that "considering the chain of exploits required for this purposely vulnerable honeypot, when that exists for real it's almost always because someone isn't keeping up with the risk management." Why do attackers lick their chops and run their bots, Migues asks, before responding "because they can…"
Kelvin Murray, senior threat research analyst at Webroot, certainly wasn't surprised by the findings as hackers will always look to use the latest technology available to them. "Automation technologies are changing the game for attackers" he warns "allowing them to mount more complex and sophisticated attacks at scale in seconds." Murray adds that removing the human labour requirement from a successful breach such as this is worrying news for everyone. "Cyber criminals largely operate a numbers game" he explains "more attempts to access data or capture information fundamentally translates to an increased likelihood of successfully making money..."
Ross Rustici has the following advice for SC Magazine UK readers. Make sure your network is fully patched, that firewall rules are up to date and no unnecessary ports are open. Use white listing rather than black listing when possible, and enforce strong password rules including lock outs based on number of attempts. Finally, follow least privilege guidelines. "This will cut down on a lot of the capabilities of these bots out of the gate" Rustici concludes "then it gets more complex in terms of segmentation and security monitoring tools to catch the activity if it still manages to get past the outer defences."