Illusive Labs Blog


Externalizing deception: The creation and use of deceptive Open Source Intelligence

Posted by Hadar Yudovich on Aug 13, 2018 9:00:00 AM

Open Source Intelligence (OSINT) is widely used by attackers every day. Information they find through publicly available sources can be valuable, both in learning about how to go after their target, and in actually executing a compromise. 

Deceptions, as we will discuss, are bits of fake information or other artifacts that can be planted to force some sort of action by an attacker. We’ve undertaken research to see whether we could effectively lure attackers by placing deceptive information out in the public domain. This blog presents the results of this project. Better understanding of how OSINT is used maliciously may provide a new dimension for deception strategies to defend against attackers.

We began by founding a front organization (a fake company) complete with a fake computer network, with the intention that it would be hacked.

Yes, you read that correctly: We put effort into setting up an environment just to have it breached/compromised. We wanted to see what attackers use OSINT data for; is it only reconnaissance, or will they utilize information for other purposes such as lateral movement?

 

Open Source Intelligence

Formally defined, OSINT is “data collected from publicly available sources to be used in an intelligence context.” The term is usually used in the context of intelligence agencies or army units, referring to their ability to collect data about their subjects from various public resources. Such resources can include traditional media (newspapers, radio, television) and information on the internet that can be found via search engines, social media, academic papers and so on.

Depending on the objectives, categories of OSINT data can range from personal information about people and/or organizations, to maps or locations of facilities, to information about internal/closed computer networks.

 

What Do Attackers Look For, and Where Do They Search For It?

In this case, we are focused on computer network information that can be obtained using OSINT. When attackers look for information about an organization’s domain, they will try to find general data such as network diagrams and asset inventories. But they also search for more specific elements like host names, IP addresses and credentials associated with these resources.

It seems that attackers will look in many places to find this information. Obvious go-to sources are search engines and social network posts and profiles. Less obvious, but important, resources include public code repositories, open paste sites, file sharing platforms and more. More information about how attackers use OSINT can be found in various blogs, presentations from security conferences, and other online sources.

Attackers use OSINT heavily, as evidenced by the amount of both open-source and commercial tools designed to automate the process of collecting OSINT-based information about a given target. For example, on the open-source side you have tools like theHarvester by Christian Martorella (@laramies) and recon-ng by Tim Tomes (@lanmaster53); on the other side, the most well-known commercial tools are Maltego and Shodan.

 

Attackers’ Use of OSINT

Although there are not many public reports of network breaches or compromises that specifically indicate that OSINT was leveraged to start the attack, it is not difficult to demonstrate how attackers leverage it against their victims. Here are some examples:

Phineas Phisher -vs- Hacking Team: In this case the author specifically mentions that his first action was to use open source tools to find information about his target. Although he didn’t find anything of interest, it was nonetheless a crucial step in his attack process.

AWS Charges: This is an example we found in a comment thread associated with a blog post about AWS credentials that had been stolen from someone. In the comment, the poster describes how he accidentally pushed his credentials to his public GitHub account, an error that enabled someone to rack up $50,000 in charges against his AWS account.

Figure 1 – Comment posted on https://securosis.com/blog/my-500-cloud-security-screwup

S3 Buckets: The last example was exposed through research conducted by a security firm named Upguard. They found that a company named Viacom had confidential information in publicly available S3 buckets, including credentials to internal systems.

Figure 2 – Upguard's research blog (https://www.upguard.com/breaches/cloud-leak-viacom)

This is just the tip of the iceberg! Attackers use OSINT in many ways—and often!

 

Defenders Try to Keep OSINT “Clean”

To take this thread further, put yourself in the shoes of a security engineer in a generic organization. Imagine that your CISO just completed his certification on “Threat Intelligence” and decided to run an intensive OSINT scan to find information about your organization. Unfortunately, he finds a lot of data online. 

Usually, the immediate response to such a scan is to panic. People understandably don’t like to find out that there’s confidential (or even semi-confidential) information out there, available to anyone. In most cases, the next step would be a series of scattered and unfruitful attempts to “remove” the data from wherever it is stored. But as we know, the internet never forgets; it is nearly impossible to remove something from the internet, thanks to the vast array of web archives, crawlers and such that exist.

More experienced people or organizations will try to make the data obsolete or unusable, but that’s also not a trivial task. For example, if a diagram of your network is somehow leaked, you cannot easily just change the way your network is architected, right?

As defenders, we at Illusive think there is more that can be done. Let’s take the problem and turn it into our advantage by using open source intelligence deceptions to trick attackers.

 

What are Deceptions?

Before we delve into the meat of the discussion, let’s first briefly explain what deceptions (aka honeytokens, lures, breadcrumbs) are. Lance Spitzner first used the term Honeytokens in his post back in 2004.

Generally speaking, deceptions are pieces of information that are used by defenders to entice or lure attackers to make mistakes which will lead to their detection. They’ve been used in the physical world in various forms, particularly in military contexts.

In the digital world, deceptions can be stored credentials or other information placed in various locations across the network (on endpoints, servers, devices, etc.) where attackers would be expected to try to harvest such information in their quest to move laterally towards their goals. When attackers actually find and use such information, they are detected.

 

Expanding the Playing Field for Deceptions

Organizations that use deceptions are mostly focused on their internal networks, i.e. they plant deceptions on endpoints and servers that they control and manage. These can include whole deceptive entities such as users and machines, which they also control.

In this research, we’ve expanded this concept to the realm of OSINT by planting deceptive information externally on publicly available internet resources, creating “OSINT deceptions”. If attackers constantly use open-source intelligence, why not turn the tables on them and make their lives more difficult? By planting deceptive information alongside real information already online, defenders can confuse attackers, enhance Blue Team visibility and improve attacker detection.

 

OSINT Deceptions Research

Months ago, this was all theory. We wanted to validate our assumptions that 1) attackers do use OSINT to infiltrate a network; and 2) that they will also use OSINT to move laterally once they’ve compromised an environment. 

Of course, we could not involve or implicate any real organization. For this reason, we set up a front organization and created a corresponding computer network for our new “company”. Our high-level plan was to:

  1. Set up a front organization
  2. Create a computer network for the new company
  3. Plant deceptive information in OSINT resources about the company
  4. Monitor any malicious activity
  5. Analyze the results and draw conclusions

 

“Aviato Mining” is Born

The startup company we "founded" was named Aviato Mining. The company’s product was cryptocurrency and crypto mining—chosen because such companies have recently been popular targets for attackers.

Since there was previously no information publicly available about our company, we first made sure Aviato Mining had what every startup company has: a “coming soon” website, and accounts in all of the relevant social media networks (Twitter, LinkedIn & GitHub).

Figure 3 – Aviatomining's presence online

By the time we finished this stage, there was plenty of “real” information about us online.

 

Aviato Mining’s Network

OK, so now we have a company (or its marketing fluff, anyway)! The next step was to create the company’s network. We used a cloud platform and created a Windows domain environment with servers, endpoints and users. We made sure to create an entry point to this network that would act as a “jump server” from which an attacker would try to move laterally (see below).

Figure 4 – Aviatomining's Network Diagram

To test our premise, we also needed to be sure that an attacker who landed on the jump server would use only our OSINT-based, deceptive user information rather than enumerate users from within the network. To do this, we denied access to the objects (you can read more about the concept here).

 

Planting OSINT Deceptions

Now the fun part! We have a company and a network; now we can finally plant deceptions in OSINT resources and see if attackers will use them. 

We planted different deceptive information of varying complexity levels. For example:

Simple deceptive information included a fake “dump” of a database table of users from a third party’s “hacked” website. The dump contained email accounts of the website’s users, including several with Aviato Mining accounts and corresponding passwords. This would be of interest to attackers looking for users who re-use their credentials to access corporate applications.

Figure 5 – Fake credentials dump containing deceptive users

It is important to note here that OSINT information is not necessarily a result of malicious activity (such as attackers dumping credentials to paste sites). Such data can also end up in the public domain due to mistakes by uneducated or unskilled users. We created the example of a user who accidentally pushed his clear-text credentials to a public GitHub account and then removed them in a different commit. The commit message/description was “removed password”. Attackers searching for repositories with these types of commits could find these credentials and use them.

A more complex deception we planted was a fake NTDS.dit dump file that was uploaded to VirusTotal. Since attackers can use YARA rules in VirusTotal’s Retro Hunt feature, they can search for file characteristics to find these files and leverage their contents.

The possibilities of OSINT deceptions are endless. Additional ideas included:

  • gists on GitHub
  • fake RDP credentials on RDP Shops
  • information on Cloud Storage (S3 Buckets for example)
  • hacking forums/IRC channels
  • … and more.

(By the way, if you have any cool ideas, we’d love to hear them!)

When we finished, there was just as much deceptive OSINT information as there was “real” information about Aviato Mining; the higher the ratio, the greater the opportunity to trick attackers.

 

Monitoring Process

The entire operation was monitored with a simple infrastructure that included the cloud provider’s NetFlow logs, Sysmon logs from the endpoints and servers, and a Splunk server.

We ran the experiment for two months and used unique identifiers for each piece of deceptive information we planted, so we’d be able to easily track attempts to use it. We focused on monitoring successful attempts to log in using deceptive credentials and attempts to move laterally, although we did also encounter other (expected and less expected) results.
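An added example (not from the original post, and not Illusive's own tooling) of the monitoring logic described above: each deceptive username is unique to one OSINT resource, so a logon event naming it can be traced back to where it was planted and the “return time” per resource can be measured. The usernames, hosts, IP addresses, timestamps and log lines are all constructed.

```python
import json
from datetime import datetime

# Registry of planted deceptions. Each deceptive username is unique to one
# OSINT resource, so any use of it identifies where the attacker found it.
# (Constructed values; not the usernames used in the real experiment.)
DECEPTIONS = {  # username -> (OSINT resource, time planted)
    "jdoe_av7": ("pastebin", datetime(2018, 6, 1, 9, 0)),
    "mlee_gh3": ("github", datetime(2018, 6, 1, 9, 0)),
    "rkim_vt9": ("virustotal", datetime(2018, 6, 1, 9, 0)),
}

# Constructed sample of Windows Security logon events in the JSON shape a
# Splunk search might return (EventCode 4624 = logon success, 4625 = failure).
SAMPLE_LOGS = """\
{"_time": "2018-06-01T13:05:00", "EventCode": 4625, "TargetUserName": "jdoe_av7", "IpAddress": "203.0.113.10", "host": "JUMP01"}
{"_time": "2018-06-01T13:06:10", "EventCode": 4624, "TargetUserName": "jdoe_av7", "IpAddress": "203.0.113.10", "host": "JUMP01"}
{"_time": "2018-06-02T08:00:00", "EventCode": 4624, "TargetUserName": "admin", "IpAddress": "10.0.0.5", "host": "JUMP01"}
{"_time": "2018-06-04T10:30:00", "EventCode": 4624, "TargetUserName": "mlee_gh3", "IpAddress": "198.51.100.7", "host": "JUMP01"}
"""

def parse_events(text):
    """Yield one dict per non-empty JSON line, with _time as a datetime."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_time"] = datetime.fromisoformat(ev["_time"])
            yield ev

def deception_hits(text):
    """Every logon event (failed or successful) that names a deceptive user."""
    return [ev for ev in parse_events(text) if ev["TargetUserName"] in DECEPTIONS]

def return_times(text):
    """Per OSINT resource: delay from planting to the first successful logon."""
    first = {}
    for ev in deception_hits(text):
        if ev["EventCode"] != 4624:
            continue  # only successful logons count as "use" of the deception
        resource, planted = DECEPTIONS[ev["TargetUserName"]]
        delta = ev["_time"] - planted
        if resource not in first or delta < first[resource]:
            first[resource] = delta
    return first

if __name__ == "__main__":
    for ev in deception_hits(SAMPLE_LOGS):
        resource, _ = DECEPTIONS[ev["TargetUserName"]]
        print(f"ALERT {ev['_time']} host={ev['host']} user={ev['TargetUserName']} "
              f"src={ev['IpAddress']} planted_on={resource} code={ev['EventCode']}")
    for resource, delta in return_times(SAMPLE_LOGS).items():
        print(f"{resource}: first successful use {delta} after planting")
```

Resources with no successful logon (here, the VirusTotal deception) simply do not appear in the return-time table, which is itself a useful signal about how exposed that resource is.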

 

Analyzing the Results

Not every deception we planted led to a lateral movement attempt in the network. We did, however, compile many interesting observations and conclusions, and identified possible derivative research. We analyzed each OSINT deception we placed and tried to draw some insights based on its usage.

Our entire results are too lengthy to share in full, so below are two especially interesting findings pertaining, respectively, to PasteBin and GitHub.

 

PasteBin

Per its intent, Pastebin is “a website where you can store any text online for easy sharing. The idea behind the site is to make it more convenient for people to share large amounts of text online.” In reality, it is widely used by attackers to anonymously upload data to share online.

It was by far the resource in this project most used by attackers.

The average time between the planting of a deception and an attacker’s attempt to use it to compromise our entrypoint was approximately four hours—the fastest “return time” of all OSINT resources associated with our study.

The exposure of the data on PasteBin is incredible. We created pastes that had more than 40 views after several minutes, which leads us to believe that these “viewers” are automated tools such as DumpMon, Have I Been Pwned, or possibly other unknown ones. Once we created a paste, there was no need to “advertise” it amongst attackers, and the number of views increased daily.

 

GitHub

We gleaned some interesting insights as a result of planting deceptions on a public code repository. Despite the fact that attackers do search for information on websites like GitHub, it is done significantly less than paste sites like PasteBin. For example, it took several days—not hours, as with PasteBin—before an attacker found and used the credentials we planted in our deceptive GitHub repositories.

Another distinct comparison we could draw between GitHub and PasteBin concerns the number and capability of tools that exist to scan and leverage their repositories. Yes, there are tools out there that scan GitHub for credentials and other types of information (e.g. gitrob and reposcanner). However, the GitHub tools are focused on a single repository as opposed to doing a wide scan, like many of the PasteBin tools do.

These differences explain, at least in part, why the deceptive information we planted on GitHub was naturally less exposed. We had very few views of the code within “our company’s” GitHub repository.

One advantage of planting deceptions in GitHub is that the GitHub insights feature enables you to better understand how an attacker “found out” or discovered the deceptions. Of course, it doesn’t promise anything, but it allows for a level of visibility that is not available on websites like PasteBin.

 

Jump Server Activity

On the jump server we encountered many things one would expect to find on a compromised online server, such as bitcoin miners, DDoS bots and website traffic bots.

In addition, since our deceptive users did not have local admin credentials on this machine, we also observed attempts to escalate privileges with various techniques, such as CVE-2016-0099 and a combination of a keylogger and a fake Windows notification prompting the user to change their password. Attackers also tried to enumerate the users and machines in the environment using several tools.

And the final observation worth mentioning is that we saw an attacker who used the server to surf the web and listen to music on YouTube. (They apparently work better with music playing, too.)

 

Summary & Takeaways

Throughout this blog we’ve covered the concepts of OSINT and deceptions and explained how and why we formulated our research. We shared our research questions, the path we took in order to answer them, and finally, described some of the results.

In our opinion, this was a very successful experiment. Given the level of attacker engagement we witnessed with a “company” that doesn’t really exist, and which has relatively little presence in the public domain, we believe we’ve proven the point that advanced attackers who target an existing organization will use OSINT—both to infiltrate the victim’s network, and also to move laterally once inside.

Although the process of collecting OSINT-based information can be (and already is) automated, data analysis and utilization is still a set of manual processes.

If you “try this at home,” make sure you pay attention to authenticity—if deceptions don’t seem real, attackers will avoid them and your experiment is likely to become wasted effort.

In general, we conclude that it’s essential for defenders to run OSINT tools to see what information is out there about their organization, and of course, to act accordingly. If there’s data out there, attackers will find and use it. Planting and monitoring external OSINT deceptions is a fruitful means of complicating and obstructing the attacker’s activity and will increase an organization’s defense capabilities.

Written by Hadar Yudovich

Hadar (@hadar0x), a Security Researcher at Illusive Networks, focuses on digital forensics and incident response (DFIR).