In part 1 of this blog series, we explored how to use delayed response and diversion as hack back tactics against attackers. Here, we up the game and explore some additional creative deception techniques.
Potemkin Apps
Back in 1787, the Empress Catherine II of Russia was touring the newly acquired Crimea via a barge trip on the Dnieper River. The Crimea area wasn’t in great shape, but the local governor, Grigory Potemkin, had an idea to impress the Empress. He built a fake, portable village that could be quickly assembled and populated before the Empress passed by on her barge. After she passed, the village was taken apart and moved downstream for another impressive showing later. These were dubbed Potemkin villages [1], and we can easily use similar tactics in the cyberworld to trick attackers.
The most basic facade is a site with pre-built mockups of your most important web apps. This could be simply an HTML framework and the necessary static images to make it look like the site that’s being cloned. You’d probably want to add a few input fields as well. Essentially, you copy just the front end of the site (usually the easiest part to build) and ignore the back end.
A good candidate for this kind of Potemkin app is a web app login site for web mail, admin consoles, or remote access. These pages are usually unsophisticated and quite static. The clever thing is that you can rig the input forms to collect the usernames and passwords entered. Reviewing this traffic would give you an idea of how much the attacker knows about your organization. Is he using legitimate usernames or passwords? Is she using credential stuffing or just a blind, brute force attack? Analysis of the login attempts will tell you. Using this tactic, you’re not only diverting the attack away from draining your production site resources, but you’re also gaining some very valuable intelligence.
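As an added illustration (not code from the original post or from F5), here is a minimal Potemkin login page in Python: a static form with nothing behind it, a handler that records every submission and always answers "invalid", and a classifier that turns the recorded attempts into the intelligence the paragraph describes (does the attacker know real usernames, and is this brute force or credential stuffing?). The listening address, the thresholds in the classifier and the sample set of known usernames are assumptions for the example.

```python
"""Decoy login page that records submitted credentials and summarizes the attacker's approach."""
import collections
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Static front end only: a login form styled like a web-mail sign-in. Nothing behind it.
LOGIN_PAGE = b"""<!doctype html><html><body>
<form method="post" action="/login">
  Username <input name="username">  Password <input name="password" type="password">
  <button type="submit">Sign in</button></form></body></html>"""

# Every submission is appended here (in production: a log file or SIEM forwarder).
ATTEMPTS = []

def record_attempt(src_ip, username, password, ts=None):
    """Store one submission from the decoy form and return the stored record."""
    entry = {"ts": ts or time.time(), "src": src_ip, "user": username, "pw": password}
    ATTEMPTS.append(entry)
    return entry

def classify_attempts(attempts, known_users):
    """Summarize what the submissions reveal about each source IP.

    'brute_force'          : few usernames, many different passwords per username
    'credential_stuffing'  : many distinct user/password pairs, each tried about once
    'probing'              : anything else (too few attempts to say)
    'known_usernames_used' : usernames that really exist in the organization
    Thresholds (5 attempts, 1.5 passwords per user) are assumptions; tune to your traffic.
    """
    by_src = collections.defaultdict(list)
    for a in attempts:
        by_src[a["src"]].append(a)
    verdicts = {}
    for src, rows in by_src.items():
        users = {r["user"] for r in rows}
        pairs = {(r["user"], r["pw"]) for r in rows}
        pw_per_user = len(pairs) / max(len(users), 1)
        if pw_per_user >= 5:
            pattern = "brute_force"
        elif len(pairs) >= 5 and pw_per_user < 1.5:
            pattern = "credential_stuffing"
        else:
            pattern = "probing"
        verdicts[src] = {"pattern": pattern, "attempts": len(rows),
                         "known_usernames_used": sorted(users & set(known_users))}
    return verdicts

class DecoyLoginHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(LOGIN_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        record_attempt(self.client_address[0],
                       form.get("username", [""])[0], form.get("password", [""])[0])
        # Always "fail" the login: the attacker learns nothing about real accounts.
        self.send_response(401)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body>Invalid username or password.</body></html>")

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; submissions are captured in ATTEMPTS instead

if __name__ == "__main__":
    # Hypothetical bind address; run, let the decoy collect traffic, Ctrl-C to see the verdicts.
    server = HTTPServer(("127.0.0.1", 8080), DecoyLoginHandler)
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print(json.dumps(classify_attempts(ATTEMPTS, {"alice", "bob"}), indent=2))
```

The point of keeping the form, the recorder and the classifier separate is that the same `classify_attempts` function can be run over submissions forwarded from any decoy, not just this one server.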
The next step is building a full Potemkin village—a portable facade that can be assembled and disassembled as needed. For this, you’d need to couple your network security equipment with automation tools like Ansible. You’d hook a trigger to spin up a new fake site in an alternate location for anything under attack and then migrate the traffic over there. It’s like marrying the elasticity of the cloud with deceptive diversions [2]. How’s that for active defense, SecDevOps?
Quick Deceptive Tricks
If cloning a live site in near real time is too heavy of a lift, then here are several other ideas for seeding your web apps with diverting lures.
Fake Website Infrastructure
As we discussed in the 2018 Application Protection Report, attackers will scan your web app infrastructure for services they can subvert for denial-of-service attacks. We’ve already seen record-setting Layer 7 DDoS amplification/redirection attacks using Memcached servers as well as CDN servers. So why not place fake services like that in your DMZ to alarm and divert attackers who are scanning them? You can also put up false application services. It’s not hard to build a basic network listener using open-source tools like Netcat [3].
Fake App Stubs
Like the fake admin page mentioned earlier, you can get creative and seed websites with false directories, log files, and even false database connections. These could sit in the site’s directory tree or even be hidden within the HTML source code, since attackers crawl it looking for weaknesses. Based on our recent F5 Labs threat intelligence, we know that some of the top targeted URLs look like this:
- /manager/html
- /phpmyadmin
- /admin/components
- /suse/administrator
- /manager/html
- /pls/admin_/admin/
- /Exchweb
All of these could be faked by creating directory stubs and blank HTML files with their names. If you don’t want to get sophisticated with intrusion detection, you could simply scrape the web logs for access to these directories to see how successful they are in luring attackers.
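The two steps just described, creating the empty stubs and then scraping the web logs for hits on them, as an added example in Python (not code from the original post or from F5). The decoy paths come from the list above; the log regex assumes the common Apache/nginx "combined" format and the sample log lines are constructed, using documentation IP ranges.

```python
"""Seed a docroot with decoy directories and scrape access logs for hits on them."""
import collections
import pathlib
import re

# Decoy paths taken from the list of top targeted URLs in the text.
DECOY_PATHS = ["/manager/html", "/phpmyadmin", "/admin/components",
               "/suse/administrator", "/pls/admin_/admin/", "/Exchweb"]

# Apache/nginx "combined" log format (assumed; adjust to your server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?')

def create_stubs(docroot, paths=DECOY_PATHS):
    """Create each decoy directory with a blank index.html; returns the created file paths."""
    created = []
    for p in paths:
        d = pathlib.Path(docroot) / p.strip("/")
        d.mkdir(parents=True, exist_ok=True)
        f = d / "index.html"
        f.write_text("")  # blank page: nothing real behind it
        created.append(str(f))
    return created

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decoy_for(path, decoys=DECOY_PATHS):
    """Return the decoy path this request falls under (exact or sub-path), or None."""
    clean = path.split("?", 1)[0]
    for d in decoys:
        if clean == d or clean.startswith(d.rstrip("/") + "/"):
            return d
    return None

def scan_log(lines, decoys=DECOY_PATHS):
    """Tally decoy hits per source IP; any hit at all is enough to flag the IP."""
    hits = collections.defaultdict(lambda: {"count": 0, "decoys": set(), "ua": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        d = decoy_for(rec["path"], decoys)
        if d is None:
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["decoys"].add(d)
        if rec.get("ua"):
            h["ua"].add(rec["ua"])
    return {ip: {"count": h["count"], "decoys": sorted(h["decoys"]), "ua": sorted(h["ua"])}
            for ip, h in hits.items()}

# Constructed sample log lines (documentation IP ranges, not real attackers).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2018:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 0 "-" "python-requests/2.19"',
    '198.51.100.23 - - [10/Oct/2018:13:55:41 +0000] "GET /manager/html HTTP/1.1" 200 0 "-" "python-requests/2.19"',
    '198.51.100.23 - - [10/Oct/2018:13:55:42 +0000] "POST /pls/admin_/admin/?x=1 HTTP/1.1" 200 0 "-" "python-requests/2.19"',
    '203.0.113.5 - - [10/Oct/2018:13:56:01 +0000] "GET /Exchweb HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} decoy hit(s) on {info['decoys']} via {info['ua']}")
```

Because no legitimate user has a reason to request these paths, a single hit is a strong signal, so the scanner does not need the rate thresholds a real IDS rule would; matching on the path prefix also catches probes for files underneath the decoy directory.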
Honeypots
Traditional cyber-deception techniques include honeypots, so why not use them? Honeypots are fake site/service emulators that record attacker actions. Instead of building your own, you can just download one and stand it up next to your legitimate applications. There are lots of great honeypots available on the Honeynet Project website. If you’re an advanced practitioner, you can even weave honeypot software into your custom Potemkin apps.
Seed the Fakes
Like the French, you can seed vulnerable services with fake files or emails for attackers to steal. This can be false data like non-working payment card numbers or bogus username/password files. You can also add web beacons [4] to these attractive files to trace the attackers. If you’re feeling especially wicked, you could leave zip bombs [5], compressed files that get surprisingly enormous when uncompressed (like kilobytes to gigabytes). Anyone touching any of these files should trigger alarms and flag the offending IP address as an attacker.
Fake It until You Make It
Research has shown that deception can be quite effective in stopping cyber-attacks. Experimental work by Fred Cohen found that:
“When deception is turned on, attackers almost uniformly go down the deception parts of the attack graphs rather than down the real parts of the attack graphs.” He adds, “In some cases, attackers were so convinced that they had won when they were actually deceived, that they declared victory and walked away early.” [6]
Cyber-deception is about misleading someone into believing what is not true by manipulating their perception of reality. Since attackers in cyberspace have very little knowledge of your environment beyond what their tools tell them, manipulating perceptions is not as difficult as it is in the real world. We know this is true from the success of phishing attacks. It’s time to use those same tactics to hack back at attackers. It’s not hard to poke your toe in the water and try out some of the deceptive techniques suggested here.