Using Deception to Protect Active Directory Pt. 2

22 Jan Read more blog posts

Using Deception to Protect Active Directory

[This is part two of a two-part series to describe how CounterCraft deception technology can be used to protect Microsoft Active Directory]

In the previous post we talked about the basic concepts behind a typical campaign deployed to protect an Active Directory installation using the CounterCraft Cyber Deception Platform. The deception technology is used to detect this activity in three distinct areas:


1) Detecting Enumeration of AD Credentials at the Endpoint

2) Detecting Enumeration of AD Credentials at the Production AD Domain Controller

3) Detecting Enumeration of AD Credentials in Shared Resources


Each area is part of a carefully structured Deception Campaign deployed from the CounterCraft Deception Director. In this post we will look in closer detail at the infrastructure required to support the Deception Campaign.

1) To Detect Enumeration of Active Directory Credentials on Production Endpoints:
Breadcrumbs seeded on Endpoint Workstations

To detect malicious activity on Production Endpoints, as described in the previous post, carefully crafted Breadcrumbs are distributed to the endpoint workstations. The distribution is carried out using the CounterCraft BC-CLI tool, which is designed for massive distribution of breadcrumbs across an Enterprise network. The Breadcrumbs deployed at the endpoint workstations provide the following misinformation, linked to the concepts described previously:

Location and credentials for Deception Hosts

User credentials that point to a Deception AD Domain Controller

PowerShell scripts with information that leads to either the deception AD Domain Controller or the shared resources located on the Deception Hosts

Auto logon credentials for the shared services hosted on the deception servers mentioned below

2) To Detect Enumeration of Active Directory Credentials on a Production Active Directory Domain Controller: Breadcrumbs seeded on the Production AD Domain Controller(s)

As mentioned in the previous post, to detect malicious behaviour on the Production AD DC, as with the endpoint workstations, it is seeded with Breadcrumbs. The Breadcrumbs used in the Production Environment do not in any way effect the function or behaviour of the domain controller. The following examples show a broad spread of the types of Breadcrumbs typically used:

Fake users – The fake users are not linked to any real services, but information pointing to additional deception services is included in the description field.

A fake GPO – The fake GPO points to a Deception SYSVOL containing additional breadcrumbs, such as PowerShell scripts with data that in turn lead to additional deception services located within the Deception Environment.

Fake resources – The fake resources are not linked to any real resource, but as with the false users the description field will contain information pointing to additional deception services.

Typically, Active Directory logs are sent to a SIEM. So, to log activity from the Breadcrumbs on the Production AD DC, the CounterCraft Deception Director takes in a feed from the SIEM. This allows the Deception Director to monitor Breadcrumb activity and provide fully analytical coverage for the Production AD DC without having to install the CounterCraft Agent. Alternatively, a direct log feed from the AD DC can be integrated into the Deception Director.

3) To Detect Enumeration of Active Directory Credentials on a Production Active Directory Domain Controller:
A Deception AD Domain Controller

To s upport the Deception Campaign, at least one Deception AD Domain Controller is deployed. This obviously requires a Windows server. The server is fully instrumented by installing the CounterCraft Agent that reports all activity to the CounterCraft Deception Director. The installation and configuration of the Agent is carried out from the console.

Specific Active Directory Event-Types have been created to flag AD specific activity and create the appropriate Notification rules within the Deception Director. The number of deception AD Domain Controllers to be deployed depends on the network topology to be replicated, but the recommendation is to deploy at least one Deception Host Domain Controller per forest.

4) To Detect Enumeration of AD Credentials in Shared Resources: Shared Resource Deception Hosts

The Deception AD Domain Controller, the false credentials and some of the other Breadcrumbs will point to shared services running on a series of Deception Hosts. These deception servers are fully instrumented, high-interaction honeypots. The deception story behind these servers is typically that are new or test systems under evaluation in a development environment.

Examples include:

An IDS server – An Intrusion Detection System, acting as a double bluff security system. It is fully instrumented and will not only report as a high-interaction honeypot to the Deception Director but also function as a fully operational IDS – reporting to the SIEM – to lend credibility to the deception scenario. Any malicious activity on this device will be captured by the CounterCraft Agent.

File Shares – A Windows file share server, loaded with populated folders. Each folder will have an SCF file that reports to the Deception Director if the folder is touched. Additionally, beaconing documents are distributed within the folders that will also report to the Deception Director if opened. This not only allows access to the beaconing documents to be logged, but also to map the path of the attacker as they navigate through the folders.

A Web Portal – A web server and application. Typically, this is set up as a copy of an internal portal site. It can be useful to capture any credentials used in login attempts. All interaction with the web application (and server) is captured and sent to the Deception Director. This can either be a Windows or Linux server depending on what is more credible given the Production Environment.

A Database Server: A database server in development, or set up to provide support to an application under development. The database is set-up and populated with fake data. Typically, this is a Windows server with the most appropriate database to the Production infrastructure.

Clone(s) of Production Server(s): In more advanced deployments this is an option for the AD campaign. It involves placing a cloned copy of an existing production application server into the Deception Environment, fully instrumented with the CounterCraft Agent. This allows any malicious activity to be instantly detected, and provides a valuable intelligence on exactly how an attacker would interact with a real production system.

To conclude, the use of deception technology to protect an Active Directory installation requires the use of a carefully structured Deception Campaign, with some or all of the components described here.

Any deployment of this sort would be carried out in full cooperation with CounterCraft or one of our trusted Partners. It goes without saying that AD is such a critical component, that protecting it correctly is key. Using deception technology provides a way to add an extra layer of protection to your existing security systems, to detect, investigate and control any potential attack.

Next Steps

Find out more by contacting CounterCraft. We are only too happy to explain what we do and how we can help you get the best out of deploying deception – from an initial conversation or simple demo, to a fully featured deployment.

Read “Using Deception to Protect Active Directory Pt. 1” here

Author: Richard Barrell, Product Manager at CounterCraft.

Like Jim Morrison said, this is the end. But you can...