You’re a nation-state threat actor trying to break into a NATO network. You get in, but what you don’t know is that you are being observed, and your every step is being manipulated by deception technology.
We are proud to announce CounterCraft worked hand-in-hand over the last six months with NATO to design and execute a defense experiment that mimicked this very scenario. Various red teams infiltrated the network and fell for our deception tactics, revealing valuable threat intelligence on what would be, in the real world, very dangerous adversaries.
The Future of Nation-State Security
NATO was created in 1949 to safeguard the freedom and security of all its members by political and military means. Since then, a new digital world has been born, and, with it, cyber warfare. NATO has recognized that to fight off sophisticated attackers, it must optimize the use of deception techniques.
NATO & CounterCraft
NATO’s cyber defense team needs to know who the adversary is, what they want, what they have done in the network before they were discovered, and distill that intel into an educated guess on what they are going to do next.
NATO came to CounterCraft because of our expertise in creating realistic deception environments, which can fool even the most skilled threat actor and manipulate them into giving away the answers to these very questions.
CounterCraft’s Cyber Deception Platform was the perfect tool to design, build and test a deception environment based on a typical NATO network infrastructure. We worked over the course of six months, hand-in-hand with the cyber defense team, to create a groundbreaking experiment.
The goal of the experiment is to optimize the use of deception techniques so as to provide operational-level information to a mission commander, mainly about the adversary’s intent and motivation and other contextual information, drawing on intelligence gathered from similar activity perpetrated against other targets.
The experiment consists of the following components:
- The deployment of a NATO network to mimic a rapid deployment or temporary network.
- The overlay of a cyber deception environment using the CounterCraft Cyber Deception Platform.
- Red team testing of both environments under the guise of a Capture the Flag exercise.
- Analysis and measurement of the results in terms of the experiment goals and how the deception overlay modified the behaviour of the attacker.
CounterCraft: Providing Operationally Relevant Intelligence
CounterCraft’s sophisticated deception technology was designed for use in this type of challenging threat environment. The CounterCraft platform aims to lure adversaries into exfiltrating irrelevant, intentionally planted information, while yielding operationally relevant information about the adversary.
Our deception platform is able to provide users with all the answers they need.
We generate an adversary profile from indicators of compromise and behavioural indicators such as:
- Source IP addresses
- Fingerprintable behaviour, mapped to tactics and techniques in the MITRE ATT&CK framework
- Whether the approach is targeted or opportunistic
We identify adversary goals, and the effort spent pursuing them, by mapping observed activity onto an attack tree, which lets us rank the adversary’s priorities and interests quantitatively.
We are able to relay nearly all actor activity in real time, providing telemetry coverage that is not normally available on a live network.
And finally, we are able to make startlingly accurate predictions on what the attackers will do next, determining intent by looking at specific commands, such as:
- Network discovery (nmap, netstat, etc.)
- Windows AD enumeration commands
- Identifying external network communications
- Searches for Intellectual Property
- Searches for tactical data
- Along with many others
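The profiling, attack-tree scoring and next-step prediction described in the preceding paragraphs, as an added worked example in Python. This is not CounterCraft's or NATO's code: the command telemetry is constructed for the example, and the regexes, the intent categories' ATT&CK technique ids, the attack tree, its weights and the targeted/opportunistic heuristic are all this example's own assumptions, not anything the page states about the platform.

```python
import re
from collections import Counter

# Constructed command telemetry as a deception host might record it: (source IP, command).
# Invented for this example; not real NATO or CounterCraft data.
SAMPLE_TELEMETRY = [
    ("198.51.100.23", "whoami /all"),
    ("198.51.100.23", "nmap -sS -p 1-1024 10.10.20.0/24"),
    ("198.51.100.23", "netstat -ano"),
    ("198.51.100.41", 'net group "Domain Admins" /domain'),
    ("198.51.100.41", "dsquery user -limit 0"),
    ("198.51.100.41", "dir /s /b C:\\Share\\*.docx"),
    ("198.51.100.41", "findstr /si OPORD C:\\Share\\*.docx"),
    ("198.51.100.41", "findstr /si FRAGO C:\\Share\\*.docx"),
]

# Intent categories named on the page (plus staging/persistence as "many others"), each with a
# regex this example uses to recognise it and the ATT&CK technique it most closely matches.
# Both the regexes and the technique assignments are assumptions of this example.
INTENT_PATTERNS = {
    "network_discovery":    (r"^(nmap|masscan|netstat|arp|nbtstat)\b", "T1046 / T1049"),
    "ad_enumeration":       (r"^(net (user|group|view)|dsquery|nltest|Get-AD\w+)\b", "T1087"),
    "ip_search":            (r"^(dir|Get-ChildItem)\b.*\.(docx?|xlsx?|pdf|dwg)\b", "T1083"),
    "tactical_data_search": (r"^(findstr|grep|Select-String)\b.*\b(OPORD|FRAGO|SITREP)\b", "T1083"),
    "staging":              (r"^(7z|tar|zip|Compress-Archive|makecab)\b", "T1560"),
    "external_comms":       (r"^(curl|wget|certutil|Invoke-WebRequest)\b.*https?://", "T1071"),
    "persistence":          (r"^(schtasks /create|sc create|New-Service|reg add .*\\Run\b)", "T1053 / T1543 / T1547"),
}

# Attack tree: each goal is an ordered list of (intent, weight) leaves, in the order an
# attacker would typically work through them. Weights express how strongly a leaf indicates
# the goal. Hypothetical tree built for this example.
ATTACK_TREE = {
    "exfiltrate_tactical_data": [
        ("network_discovery", 1), ("ad_enumeration", 2),
        ("tactical_data_search", 4), ("staging", 2), ("external_comms", 3)],
    "steal_intellectual_property": [
        ("network_discovery", 1), ("ad_enumeration", 2),
        ("ip_search", 3), ("staging", 2), ("external_comms", 3)],
    "establish_persistence": [
        ("network_discovery", 1), ("persistence", 4), ("external_comms", 2)],
}


def classify_command(command):
    """Return every intent category a single command matches (may be several, or none)."""
    return [intent for intent, (pattern, _ttp) in INTENT_PATTERNS.items()
            if re.search(pattern, command, re.IGNORECASE)]


def build_profile(telemetry):
    """Adversary profile: source IPs, hit count per intent, ATT&CK techniques seen, and a
    targeted/opportunistic call."""
    hits = Counter()
    for _src, command in telemetry:
        hits.update(classify_command(command))
    ttps = sorted({INTENT_PATTERNS[intent][1] for intent in hits})
    # Heuristic of this example: hunting for specific documents (mission keywords or file
    # types) reads as targeted; discovery on its own reads as opportunistic.
    targeted = bool(hits["tactical_data_search"] or hits["ip_search"])
    return {
        "source_ips": sorted({src for src, _ in telemetry}),
        "hits": dict(hits),
        "ttps": ttps,
        "approach": "targeted" if targeted else "opportunistic",
    }


def score_goals(hits):
    """Weighted fraction of each goal's leaves the attacker has already exercised (0..1)."""
    scores = {}
    for goal, leaves in ATTACK_TREE.items():
        total = sum(weight for _, weight in leaves)
        done = sum(weight for intent, weight in leaves if hits.get(intent, 0) > 0)
        scores[goal] = round(done / total, 3)
    return scores


def predict_next_step(hits):
    """The highest-scoring goal, the first of its leaves not yet observed (the expected next
    move), and that leaf's ATT&CK technique."""
    scores = score_goals(hits)
    goal = max(scores, key=scores.get)
    pending = [intent for intent, _ in ATTACK_TREE[goal] if hits.get(intent, 0) == 0]
    next_intent = pending[0] if pending else None
    return goal, next_intent, (INTENT_PATTERNS[next_intent][1] if next_intent else None)


if __name__ == "__main__":
    profile = build_profile(SAMPLE_TELEMETRY)
    print("profile:", profile)
    print("goal scores:", score_goals(profile["hits"]))
    print("predicted next step:", predict_next_step(profile["hits"]))
```

With the constructed telemetry the actor has done discovery, AD enumeration and keyword searches for operational documents but has neither staged nor exfiltrated anything, so the "exfiltrate tactical data" goal scores highest and the predicted next move is staging. A command can land in more than one category, so the counts are not mutually exclusive; the scoring treats any hit on a leaf as that leaf being exercised, which is deliberately simple and is where a real deployment would plug in richer weighting.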