I recently read an article on the MITRE Engenuity Evaluations on the Forrester Blog. This was an evaluation of endpoint detection and response (EDR) tools and how they perform against various tactics and techniques that are recorded in the ATT&CK framework.
One of the techniques that was used to test out the participating EDR tools was File and Directory Discovery. This is a technique that is listed under the tactical goal of Discovery, the phase of an attack where a threat actor scouts for information on important files, folders, or directories that can be compromised, enumerates files and directories, checks how the internal environment of the organization is structured, and looks for good entry points into the network.
So, you might think "well, to counter this I need to be able to detect who is looking at the files and directories within my organization." And you might think that setting up detection logic to pick out instances of directory enumeration will help you zero in on a threat actor looking to cause mischief.
But the fact is that techniques like file and directory discovery aren't unusual activities that detection mechanisms can look at as anomalous by nature and cause for alarm. Enumeration of directories and files is a common activity that legitimate users carry out frequently throughout the day. Even if we applied behavioral analytics for this case, we'd still end up with a noisy alert section in the SIEM environment that's throwing out false positives by the dozen, which can result in actually alarming activities going undetected. This raises the question of just how much detection is the right amount for your network's security.
The Engenuity Evaluation points towards maintaining a balance between having visibility into the network (for future threat hunting) and the detection capabilities needed to ward off possible threats.
Forrester's blog discusses the intricacies of balancing visibility and detection capabilities. This blog will instead focus on tackling discovery with visibility.
The best course of action to combat discovery is not detection and mitigation, but the pairing of visibility with preemptive action.
One way to gain visibility into a hacker's moves is to use honeytokens. Think about it: you should ideally have visibility on all your critical systems, directories, and files. However, if these critical resources are also the kind that get accessed frequently, your logs will fill up with harmless events related to those files, and you might miss the one event that actually matters.
So, instead of adopting detection to alert you on every activity on the critical file, you can embed honeytokens in your files and folders and dress them up to look like files that a threat actor would be interested in. This kind of decoy strategy helps you track what an attacker is planning to do or the kind of files they might be interested in.
For example, a healthcare facility could place a decoy file named newpatient_data-Mar2022 in a sensitive server. The SOC analyst can also configure the decoy file to feature in a jump list (a list of recently opened files and folders) so that anyone accessing that system can see the recently accessed files. This would lead an adversary to think that the newpatient_data-Mar2022 file is being viewed by users on the network. When the adversary accesses this file, your security solution will be able to record it. You can then check out reports to see details on who has accessed this honeytoken and what they might be looking for.
Honeytokens can take various forms. They can be a file or an API key placed on a critical asset that gives you visibility into what attackers are trying to do on that asset.
Location is the most important thing you'll need to consider when deploying a honeytoken. What do you want to detect? Credential access? Insider threats? For example, if you wanted to detect credential access, you might place a honeytoken containing fake credentials in the Local Security Authority Subsystem Service (LSASS) memory of a system and then monitor through your security solution how that honeytoken is being accessed.
This is a great way of weeding out pass-the-hash attacks. Similarly, if you're focused on tackling discovery, dropping a honeytoken on a network share in the form of a decoy file or folder can reveal what users are scouting for on that share. It is also important to ensure your own organization's users don't have access to honeytokens, as unintentional access can lead to false positives.
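As an added example (not from the original post or any product it mentions), here is the decoy-file approach above written as detection logic: only accesses to planted decoys raise alerts, accounts expected to touch them are exempted to avoid the false positives just described, and the noisy "alert on every directory listing" alternative is counted alongside for comparison. The server name, paths, account names and the CSV-style audit export are all constructed for the example.

```python
from collections import namedtuple

# Decoys planted on the file server (constructed paths). A decoy folder is
# listed without a trailing backslash; anything inside it counts as a hit.
HONEYTOKENS = {
    r"\\FILESRV01\records\newpatient_data-Mar2022.xlsx",
    r"\\FILESRV01\finance\payroll_2022",
}
# Accounts expected to touch the decoys (the account that planted them, the
# backup job). Real users should have no reason to be in this set.
EXEMPT_ACCOUNTS = {"svc_decoy_deploy", "svc_backup"}

# Constructed sample audit export: timestamp,account,host,action,path
SAMPLE_LOG = r"""
2022-03-14T09:01:02Z,jsmith,WS-104,READ,\\FILESRV01\records\policies.docx
2022-03-14T09:01:05Z,jsmith,WS-104,LIST,\\FILESRV01\records
2022-03-14T09:02:11Z,svc_backup,FILESRV01,READ,\\FILESRV01\records\newpatient_data-Mar2022.xlsx
2022-03-14T09:10:44Z,tlee,WS-212,LIST,\\FILESRV01\finance
2022-03-14T09:10:51Z,tlee,WS-212,LIST,\\FILESRV01\finance\payroll_2022
2022-03-14T09:11:03Z,tlee,WS-212,READ,\\FILESRV01\finance\payroll_2022\salaries.xlsx
2022-03-14T09:12:30Z,tlee,WS-212,READ,\\FILESRV01\records\NewPatient_Data-Mar2022.xlsx
2022-03-14T09:15:00Z,mpatel,WS-077,LIST,\\FILESRV01\records
"""

Event = namedtuple("Event", "ts account host action path")

def parse_log(text):
    """Parse the CSV-style export above into Event tuples (path holds no commas)."""
    return [Event(*line.split(",", 4)) for line in text.strip().splitlines()]

def is_decoy(path, honeytokens=HONEYTOKENS):
    """True if path is a decoy or lies inside a decoy folder (case-insensitive, as on Windows)."""
    p = path.lower()
    return any(p == d.lower() or p.startswith(d.lower() + "\\") for d in honeytokens)

def honeytoken_alerts(events, exempt=EXEMPT_ACCOUNTS):
    """Only events touching a decoy, minus the accounts expected to touch them."""
    return [e for e in events if is_decoy(e.path) and e.account not in exempt]

def discovery_events(events):
    """The noisy alternative: every directory listing, legitimate or not."""
    return [e for e in events if e.action == "LIST"]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(discovery_events(events))} directory listings vs {len(honeytoken_alerts(events))} decoy alerts")
    for e in honeytoken_alerts(events):
        print(f"ALERT {e.ts} {e.account}@{e.host} {e.action} {e.path}")
```

On the sample above the listing-based rule fires four times, three of them on ordinary users browsing their own shares, while the decoy rule fires three times, all for one account that opened files it had no business opening.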
Honeytokens are not entirely faultless. Sometimes incorrect placement of a honeytoken could act as a backdoor for a hacker to go beyond the trap you've set and actually start causing havoc on the network. So, honeytokens have to be deployed with care, and placement of honeytokens should be assessed thoroughly and periodically.
When it comes to tackling discovery, even the ATT&CK framework does not share much information on mitigation strategies. It remains a blind spot on the kill chain that most organizations don't see the point of taking on. However, if you are looking for a strategy for taking on discovery, or if you've decided to make honeytokens a part of your strategy, then making discovery one of the tactics you monitor on your network can help you protect it a little better.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.