
Technical White Paper : Using Deception to Detect Spreading Techniques

Posted by Abhishek Singh on Nov 22, 2017 10:47:42 AM


The severity of any infection is multiplied when it employs a spreading technique. Ransomware, which has been one of the most critical threats for quite some time, has been able to increase its impact by spreading to mapped and unmapped drives. In the recent past, threat actors have made use of remote code execution (WannaCry), harvesting credentials from memory (Petya, Shamoon), and harvesting email addresses from the address book in order to spread inside the network.

Traditional defenses aim to detect and stop an attack. A deception-centric architecture differs from the traditional architecture: it is used not only to identify an ongoing threat, but also to divert the threat to an engagement platform that gathers every malicious indicator of a multistage attack. Once every indicator of attack is captured, it can be used for many purposes, such as attributing a multistage attack to a threat actor, quarantining the infected computers, and protecting against variations of the attack.


In the technical white paper, we first dive deep, at the source code level, into the spreading techniques that worms have actively been using. The paper then discusses the static breadcrumbs, or lures, that are used to detect these multistage attacks and divert them to the deception platform. The paper also introduces dynamic breadcrumbs: values that are projected in real time once a process has been declared malicious. Dynamic breadcrumbs are a definite way of diverting a multistage threat to a deception platform.
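As an added illustration (not the white paper's own code), the small Python registry below models the two lure types the post describes: static breadcrumbs seeded on the endpoint in advance, and dynamic breadcrumbs projected per process once it has been judged malicious, where any touch of a lure raises an alert naming the engagement platform to divert to. The engagement host address, lure names, event format and pids are constructed assumptions.

```python
"""Constructed model of a deception platform's breadcrumb registry (not the paper's code)."""
from dataclasses import dataclass, field

ENGAGEMENT_HOST = "10.0.99.5"  # assumed address of the engagement platform


@dataclass
class BreadcrumbRegistry:
    static: dict = field(default_factory=dict)   # lure value -> lure type (seeded in advance)
    dynamic: dict = field(default_factory=dict)  # lure value -> (lure type, pid it was projected to)
    alerts: list = field(default_factory=list)

    def seed_static(self, lure_type: str, value: str) -> None:
        self.static[value] = lure_type

    def flag_malicious(self, pid: int) -> None:
        """Once a process is judged malicious, project lures unique to it for each spreading vector."""
        self.dynamic[f"svc_backup_{pid}"] = ("credential", pid)
        self.dynamic[f"\\\\{ENGAGEMENT_HOST}\\share_{pid}"] = ("mapped_drive", pid)
        self.dynamic[f"helpdesk+{pid}@decoy.example"] = ("address_book", pid)

    def observe(self, event: dict):
        """event = {"pid": int, "kind": "auth"|"smb"|"smtp", "value": str}; returns an alert or None."""
        value = event["value"]
        if value in self.static:
            hit = {"source": "static", "lure": self.static[value], "projected_to": None}
        elif value in self.dynamic:
            lure, owner = self.dynamic[value]
            hit = {"source": "dynamic", "lure": lure, "projected_to": owner}
        else:
            return None  # no decoy value touched: ordinary activity
        alert = {"pid": event["pid"], "kind": event["kind"], "divert_to": ENGAGEMENT_HOST, **hit}
        # A dynamic lure used by a pid other than its owner means the lure leaked (e.g. harvested).
        alert["leaked"] = hit["projected_to"] not in (None, event["pid"])
        self.alerts.append(alert)
        return alert


def run_demo() -> list:
    """Replay constructed endpoint events and return the alerts raised."""
    reg = BreadcrumbRegistry()
    reg.seed_static("credential", "svc_backup_decoy")
    reg.seed_static("mapped_drive", f"\\\\{ENGAGEMENT_HOST}\\finance")
    reg.observe({"pid": 4321, "kind": "auth", "value": "alice"})             # legitimate, no alert
    reg.observe({"pid": 4321, "kind": "auth", "value": "svc_backup_decoy"})  # static lure hit
    reg.flag_malicious(4321)  # verdict reached: dynamic lures projected to pid 4321
    reg.observe({"pid": 4321, "kind": "smb", "value": f"\\\\{ENGAGEMENT_HOST}\\share_4321"})
    reg.observe({"pid": 7777, "kind": "auth", "value": "svc_backup_4321"})   # lure reused by another pid
    return reg.alerts
```

Because no legitimate process ever needs a decoy value, every hit is high-confidence, and the `leaked` flag on the last alert shows how a per-process dynamic lure also reveals credential harvesting by a second process.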

In the future, we expect to see more and more threats that are multistage and make use of spreading techniques. A deception-centric architecture is a powerful way not only to detect an attack but also to gather every malicious indicator of it. Identifying every malicious indicator of an attack then helps identify the threat actors, and the IoCs can be used to quarantine the infected machines.

Download the technical white paper here.

References:

[1] Shamoon: https://securelist.com/from-shamoon-to-stonedrill/77725/

[2] WannaCry: https://blog.barkly.com/wannacry-ransomware-statistics-2017

[3] Recent Resurgence in Shamoon: https://community.rsa.com/community/products/netwitness/blog/2017/02/08/recent-resurgence-in-shamoon

[4] New ransomware, old techniques: Petya adds worm capabilities: https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

[5] Google says the fake Google Doc worm that went viral affected fewer than 0.1% of Gmail users: http://www.businessinsider.com/google-doc-phishing-worm-affected-fewer-than-01-of-gmail-users-2017-5

Topics: deception, lateral movement, spreading techniques
