
Thinking like an adversary pays off. This is the story of how adversarial thinking and deception-based defenses stopped an intrusion from becoming a full-blown breach.

The target

The security team at a large conglomerate with 100,000+ employees came together to plan their security strategy for the next year.

They had already suffered a ransomware incident despite a robust security stack: EDR, NDR, firewalls, a SIEM, and an MSSP.

The CISO was under tremendous pressure from the board – this could not happen again. All options were on the table, including Managed Detection and Response and User and Entity Behavior Analytics (UEBA). Both raised concerns, though, about false-positive volume and the analyst time needed to run them.

Amid this deliberation, a team member with a red team background suggested Deception. Initial resistance surfaced – “We lack the skills for a specialized tool like Deception,” “Honeypots are outdated,” “What is deception?”

The CISO, persuaded by the advocate of Deception, agreed to give it a try under two conditions: no additional resources for management, and quick validation of its value. Deception was embraced as an experiment, and a red team assessment was chosen as the validation method.

Laying the trap

The team responsible for implementation started by studying typical attacker kill chains. They looked at REvil, Snake, Mindware, Onyx, and other threat actors to understand what they typically do and then started mapping TTPs for different kill chain stages to possible deception defenses.

But they had a very large network and had to start somewhere, so they prioritized deception coverage for their DMZs and DCs: assets in those segments were at the highest risk of attack, and lateral movement would surface there first.

Decoys deployed included SMB file shares, FTP servers, SSH servers, and applications.

The next day, they would start rolling out endpoint decoys.

Murphy’s law strikes, but thank god for deception

A little past midnight, decoys placed within multiple DC segments detected connections to their SMB port from a single source, a sweep consistent with broad network reconnaissance. Intrusion alarms rang out. The investigation concluded that the adversary had most likely learned the DC subnets from Active Directory sites and subnets, which any authenticated domain user can read by default.

An intriguing detail emerged during the investigation: the adversary was pausing 5-7 minutes between probes, a low-and-slow pattern designed to stay under rate-based intrusion detection thresholds. The SMB session-setup requests carried a domain username, and that account had no legitimate reason to sweep file shares, so it was treated as compromised.
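The post does not show how the throttled sweep was spotted, so the following is an added example rather than the team's own tooling. It contrasts a classic rate-based rule (N SMB connections to distinct hosts inside one minute) with a decoy rule (any connection to a decoy is an alert, because no legitimate process ever talks to one). The decoy addresses, segment names, usernames and log lines are all constructed for the example; the log format is assumed, not taken from any real product.

```python
"""Low-and-slow SMB sweep: rate-threshold rule vs. decoy-hit rule.

Added example, not code from the original post. All addresses, segment
names, users and log lines below are constructed for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src dst port user")

# Hypothetical decoy inventory: decoy IP -> network segment it sits in.
DECOYS = {
    "10.20.1.50": "dc-seg-A",
    "10.20.2.50": "dc-seg-B",
    "10.20.3.50": "dc-seg-C",
}

# Constructed SMB session-setup log lines (timestamp src dst port user).
# 10.50.4.21 sweeps the three decoys with 5-7 minute pauses between hits.
# 10.50.9.8 is a legitimate backup job hitting three real file servers
# within 30 seconds; it never touches a decoy.
SAMPLE_LOG = r"""
2024-03-02T00:07:12Z 10.50.4.21 10.20.1.50 445 CORP\jdoe
2024-03-02T00:10:01Z 10.50.9.8 10.20.1.10 445 CORP\backup-svc
2024-03-02T00:10:15Z 10.50.9.8 10.20.1.11 445 CORP\backup-svc
2024-03-02T00:10:30Z 10.50.9.8 10.20.1.12 445 CORP\backup-svc
2024-03-02T00:13:40Z 10.50.4.21 10.20.2.50 445 CORP\jdoe
2024-03-02T00:19:05Z 10.50.4.21 10.20.3.50 445 CORP\jdoe
"""


def parse_log(text):
    """Parse the constructed log format into Event tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, user = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            src, dst, int(port), user))
    return sorted(events, key=lambda e: e.ts)


def rate_rule(events, window=timedelta(seconds=60), threshold=3):
    """Classic threshold rule: flag a source that reaches >= threshold
    distinct hosts on 445 inside one window. A 5-7 minute throttle slips
    under it, while a bursty but legitimate job trips it (false positive)."""
    by_src = defaultdict(list)
    for e in events:
        if e.port == 445:
            by_src[e.src].append(e)
    flagged = set()
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            hosts = {x.dst for x in evs[i:] if x.ts - start.ts <= window}
            if len(hosts) >= threshold:
                flagged.add(src)
                break
    return flagged


def decoy_rule(events, decoys=DECOYS):
    """Decoy rule: a single hit on a decoy is an alert regardless of rate.
    Returns a per-source summary with the segments touched, the usernames
    offered, the gaps between hits, and whether the gaps look throttled."""
    by_src = defaultdict(list)
    for e in events:
        if e.dst in decoys:
            by_src[e.src].append(e)
    alerts = {}
    for src, evs in by_src.items():
        gaps = [int((b.ts - a.ts).total_seconds()) for a, b in zip(evs, evs[1:])]
        alerts[src] = {
            "segments": sorted({decoys[e.dst] for e in evs}),
            "users": sorted({e.user for e in evs}),
            "gaps_seconds": gaps,
            # Treat >= 5 minutes between every probe as deliberate throttling.
            "throttled": bool(gaps) and min(gaps) >= 300,
        }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rate rule flagged :", rate_rule(evs))
    for src, info in decoy_rule(evs).items():
        print("decoy rule alert :", src, info)
```

On the sample data the rate rule flags only the backup job and misses the attacker; the decoy rule flags only the attacker, and the recorded gaps (388 s and 325 s) make the throttling visible without any tuning. That is the operational argument for decoys in the post: the alert condition is "anyone touched this", which an adversary cannot pace their way around.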

The EDR console showed no alerts, suggesting the attacker's tooling had evaded it. Further analysis of suspicious DLLs on the source host uncovered hardcoded credentials for the corporate proxy, which the implant needed to push its command-and-control traffic out through the egress proxy.

The response was swift: blocking the command-and-control destination, correlating the attacker's source IP against SIEM telemetry, and isolating every endpoint that had interacted with it. The activity was attributed to Hidden Cobra, the US government's name for North Korean state cyber activity associated with the Lazarus Group.

Rigging the whole place with landmines

The very next day, the team got blanket approval to fully roll out deception to cover all crown jewels and critical endpoints. Deception had proven its value even before being fully operational.

And that’s what’s so powerful about deception: it doesn’t matter whether you have one decoy or a hundred. Merely having deceptive assets in your environment tilts the scale in favor of defenders.

Without deception, defenders have to catch every step of the intrusion, and being right 100% of the time is an unreasonable ask. With deception, the attacker has to avoid every decoy in a network they do not know. One wrong move and they’re caught.

Furthermore, deception fosters adversarial thinking in security teams by design. The moment you ask, “Where should I deploy decoys?”, you immediately start thinking about where an attacker would go looking.

There are no silver bullets in security. In a world where security teams have to contend with limited resources, tremendous pressure, and market-moving consequences, deception helps shift the advantage back to defenders. And that is a strategy worth pursuing.