A simple definition of situational awareness is simply “being aware of what is going around us”. Situational awareness forms the cornerstone for critical decision making.

Being aware of what is happening in your field of operations, especially in the cyber realm, is key to a successful response, but how can we break this down into more manageable chunks?

We define situational awareness of a cyber attack as being able to answer the following for questions:

  • Who is it? Who is the adversary?
  • What do they want? What is the objective of the attack?
  • What have they done up until now? What behavior patterns have we detected?
  • What will they do next? Based on what we’ve seen, what will they do next?

This blog will take you through the ways we answer these questions using deception techniques and provide unequaled situational awareness for our users. Much of this is based on a presentation we gave at the 2020 NATO Tide Conference.

Who is it?

Profiling your adversary is a topic we’ve discussed in a previous blog post, but essentially we use the data collected from activity within the deception environment to build a profile we can use to identify key traits of an adversary – and maybe strike gold by achieving a direct correlation with a known actor (buy me a beer and I’ll name names!).

We generate adversary information using such things as IoCs like:

  • IP addresses
  • Fingerprintable behavior
  • How an adversary targets a specific system or whether they display “local” knowledge

These IoCs can be directly linked to known Threat Actors by leveraging the data held in the on-board Threat Actor Database, with a full registry of IoCs and TTPs. This information can be acted upon through integrations with external systems (SIEMs / SOARs).

When actors are persistent (with repeated logins), we add further TTP-based intel to their profile. Typically the “attacker profile” is created using the initially detected data such as source IP, and then we can add to this with collected TTP and observed behavior patterns.

The full “attacker profile” is built up from real-time incursion data and additional data from post-mortem analysis. In this way we have the first-pass “hotwash” analysis and then can provide more detailed results by widening the net and picking up on secondary aspects of the attack.

What do they want?

Identifying the goals and objectives of an adversary really comes down to clever design. By creating an attack tree design that offers choices you can guide the adversary into giving away a lot of information on why they are attacking: Is this a targeted attack or opportunistic? By observing the order an attack approaches the target and the effort they expend in given areas you can tell a great deal about what their object is; Priority or Effort?; DoS or Data?

Priority can be determined as:

  • First activity – where does the adversary go first?
  • Do they target specific systems or display “local” knowledge? (Targeted vs opportunistic)
  • Execution of commands – how do their tools further their goal?

Effort can be determined as:

  • Time invested in target
  • Executed actions

Attack trees can be designed to provide choices to the attacker to allow us to observe where they go first and measure how much time they invest. This is a topic for another day, but designing an effective attack tree spans the art and science of deception deployment, and is something we’re working on to make it as easy as drag and drop…

What have they done up until now?

This is the easy one. Any deception platform worth its salt should be able to give you a detailed breakdown of attacker activity within the deception environment. The CounterCraft Cyber Deception Platform is no exception.

Any activity is automatically analyzed, classified and then used to alert or activate an automatic response. There is a lot of hard work under the hood to make sure we correctly interpret attacker behavior and eliminate false readings. The integration with Mitre ATT&CK framework certainly helps to quantify behavior patterns in a standardized way. This helps when comparing patterns with known threat actor groups and is key in communicating the situational awareness you’ve gained outside of the immediate operations center or further up the food chain.

We often talk about the “triangle of deception” (read all about the triangle of deception here) but in this case it’s key. Without the ability to detect adversary activity at the lowest level and relay it back to the Deception Director at wire speed, the deception is meaningless. Taking the data we receive from the DeepSense Agents via the Active-Link network, we create a “hierarchy of data”. The low-level telemetry forms the foundation and allows us to process and enrich this telemetry into event data. Finally, the enriched events are classified and used to trigger alerts or engage with the adversary.

What will they do next?

The holy grail is a 100% accurate identification of what an adversary will do next. Increased situational awareness in turn increases confidence in making response decisions. By providing a clear picture of what has gone before, we have a better understanding and quantifiable data with which to predict and plan for what will happen next.

As we have seen future activity can be determined by:

  • Previous recorded interactions
  • Actions on deception hosts

In addition we can use the specific command executed by the adversary to infer thor intention, identify their end goal and respond accordingly.

Some examples of this would be

  • Network recognition (nmap, ss / netstat etc),
  • Windows AD enumeration commands
  • External network communications
  • Search for Intellectual Property
  • Search for tactical data and so on…

Given this data we give you evidence to inform a response.

However, we’re not leaving it there. Based on our experience we are building tools that will not only provide the situational awareness to predict what an adversary will do next, but to suggest possible courses of action based on known behavior patterns, known threat actor activity and above all our knowledge and expertise.

Next steps

To find out more about any of the topics discussed in this article, please reach out and get in contact with CounterCraft. We are only too happy to explain what we do and how we can help you get the best out of deploying deception – from an initial conversation or simple demo to a fully featured deployment.

Richard Barrell is the Product Manager at CounterCraft, as well as managing projects in the Government sector. You can find him on LinkedIn.