HOW TO CONFUSE ADVERSARIAL ENVIRONMENT MAPPING TOOLS

20230060323 · 2023-03-02

    Abstract

    A method for protecting a computer network against attackers, including receiving requests, initiated by a network scanner, for local network scans and, in response to the receiving, providing responses including deceptive data indicative of a short attack path to a target computer, wherein the attack path traverses a controlled computer that is used to detect network attacks.

    Claims

    1. A method for protecting a computer network against attackers, comprising: receiving requests, initiated by a network scanner, for local network scans; and in response to said receiving, providing responses comprising deceptive data indicative of a short attack path to a target computer, wherein the attack path traverses a controlled computer that is used to detect network attacks.

    2. The method of claim 1, wherein the controlled computer is a deceptive trap server.

    3. A computer server within a network comprising at least one memory storing program code with instructions that cause the computer server to: receive requests, initiated by a network scanner, for local network scans; and in response to the receiving, provide responses comprising deceptive data indicative of a short attack path to a target computer, wherein the attack path traverses a controlled computer that is used to detect network attacks.

    4. The computer server of claim 3, wherein the controlled computer is a deceptive trap server.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0029] The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

    [0030] FIG. 1 is a simplified diagram of a prior art enterprise network connected to an external Internet;

    [0031] FIG. 2 is a simplified diagram of a prior art enterprise network with attack vectors of an attacker at an early stage of lateral movement;

    [0032] FIG. 3 is a simplified diagram of a prior art enterprise network with attack paths of an attacker at a later stage of lateral movement;

    [0033] FIG. 4 is a prior art table of a Sharphound collection (“cheat”) sheet;

    [0034] FIG. 5 is a simplified diagram of an enterprise network with network surveillance, in accordance with an embodiment of the present invention;

    [0035] FIG. 6 is a simplified flowchart of a method for confusing an adversarial environment mapping tool, such as Bloodhound/Sharphound, in accordance with an embodiment of the present invention;

    [0036] FIG. 7 is a simplified diagram of prior art results of a network scanner used to scan a network and provide the attacker with attack paths to high value targets;

    [0037] FIG. 8 is a simplified diagram of results of confusing a network scanner to provide an attacker with deceptive, relatively short attack paths that lead to high value targets through a controlled server, using the method of FIG. 6, in accordance with an embodiment of the present invention; and

    [0038] FIG. 9 is a simplified drawing of implementation details for generating a deceptive network scan using the MS RRP protocol, such as the deceptive network scan shown in FIG. 8, in response to requests from network scanners, in accordance with an embodiment of the present invention.

    [0039] For reference to the figures, the following index of elements and their numerals is provided. Similarly numbered elements represent elements of the same type, but they need not be identical elements.

    TABLE I: Elements in the figures

    Element   Description
    10        Internet
    100       enterprise network
    110       network computers
    111       specific workstation
    112       specific computer server
    120       network databases
    130       network switches and routers
    140       Active Directory
    150       DNS server
    200       enterprise network with network surveillance
    210       deception management server
    220       trap servers
    221       specific trap server

    [0040] Elements numbered in the 1000's are operations of flow charts.

    DETAILED DESCRIPTION

    [0041] In accordance with embodiments of the present invention, systems and methods are provided for deceiving adversarial network scanners. These systems and methods generate decoy responses that indicate short attack path(s) to target computer(s), wherein the attack path(s) traverse controlled computer(s) that are used to detect network attacks.

    [0042] Reference is made to FIG. 5, which is a simplified diagram of an enterprise network 200 with network surveillance, in accordance with an embodiment of the present invention. Network 200 includes a deception management server 210 and trap servers 220. Deception management server 210 provides responses to queries initiated by network scanners, the responses indicative of short attack path(s) to target computer(s), where the paths traverse trap servers 220. Operation of deception management server 210 is described hereinbelow with reference to FIG. 6.

    [0043] Once an attacker is detected, a “response procedure” is launched. The response procedure includes inter alia various notifications to various addresses, and actions on a trap server such as launching an investigation process, and isolating, shutting down and re-imaging one or more network nodes. The response procedure collects information available on one or more nodes that may help in identifying the attacker's acts, attention and progress.

    [0044] Notification servers (not shown) are notified when an attacker enters a trap server. The notification servers may discover this by themselves, or by using information stored on Active Directory 140. The notification servers forward notifications, or results of processing multiple notifications, to create notification time lines or such other analytics.

    Confusing a Network Scanner

    [0045] Embodiments of the present invention use servers that respond to a network scanner with coordinated deceptive responses. The responses deceive the network scanner into identifying a short attack path to a high value target, where the path traverses a controlled computer.

    [0046] Reference is made to FIG. 6, which is a simplified flowchart of a method 1000 for confusing an adversarial network scanner, such as Bloodhound/Sharphound, in accordance with an embodiment of the present invention. The flowchart of FIG. 6 is divided into two columns. The left column includes operations performed by an attacker who uses a network scanner such as Bloodhound/Sharphound. The right column includes operations performed by management server 210.

    [0047] At operation 1005, management server 210 deploys trap servers 220 and deceptive network elements having DNS records pointing to the trap servers 220. At operation 1010, the attacker runs a network scanner, such as Bloodhound/Sharphound. At operation 1015, Sharphound queries Active Directory 140 via LDAP, and discovers relevant information regarding elements of network 200. At operation 1020, Sharphound begins querying the different network elements discovered at operation 1015, via the respective collection methods that Sharphound supports, as per the table in FIG. 4. At operation 1025, Sharphound is fooled into entering trap servers 220 by the deceptive elements planted in elements of network 200 at operation 1005.

    [0048] At operation 1030, management server 210 detects querying of one or more trap servers 220, and triggers an alert to an administrator of network 200. At operation 1035, management server 210 instructs the one or more trap servers 220 to respond to the queries with deceptive results, indicative of attractive/short attack path(s) to target computer(s), that traverse trap server(s).

    [0049] At operation 1040, the deceptive results in the responses are loaded into Bloodhound. At operation 1045, Bloodhound displays to the attacker the attractive/short network path(s) that traverse trap server(s) 220, based on the responses received at operation 1035. At operation 1050, the attacker tries to pursue the attractive/short network path(s) by accessing the trap servers 220. Finally, at operation 1055, management server 210 triggers additional administrative alerts.

    [0050] Reference is made to FIG. 7, which is a simplified diagram of prior art results of a network scanner used to scan a network and provide the attacker with attack paths to high value targets, in accordance with an embodiment of the present invention.

    [0051] Reference is made to FIG. 8, which is a simplified diagram of results of confusing a network scanner to provide an attacker with deceptive, relatively short attack paths that lead to high value targets through a controlled server, using the method of FIG. 6, in accordance with an embodiment of the present invention. FIG. 8 shows how the results of the network scanner appear after deceptions introduce an attractive deceptive path to a high value target through a trap server.

    [0052] The deceptive path in FIG. 8 includes a device whose local administrator is in the “domain users” group, i.e., a default group that includes every member of the domain, together with a user (SVC1) who is a member of a “domain admins” group and is logged on to server computer 112, which is a high value target, from the user's network workstation 111. As such, the attacker is lured into connecting to trap server 221 in order to compromise the credentials of SVC1. However, the deceptive path does not really exist; it is based solely on the deceptive responses provided to the network scanner.
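    The following added example (not code from the patent) models the effect of operations 1030-1035 and the FIG. 8 path on the attack graph that Bloodhound derives from Sharphound collection data. Node names (ATTACKER, WS-A, USER-B, Helpdesk, WS-B, TRAP221, SRV112) are constructed stand-ins for the figure's elements; the edge labels are Bloodhound's own.

```python
"""Added example (not the patent's own code): shows how the trap server's
deceptive answers shorten the attack path Bloodhound computes."""
from collections import deque

# Edge labels follow Bloodhound naming: AdminTo, HasSession, MemberOf.
# Constructed sample graph: what an honest Sharphound collection would return.
REAL_EDGES = [
    ("ATTACKER", "MemberOf", "Domain Users"),
    ("ATTACKER", "AdminTo", "WS-A"),
    ("WS-A", "HasSession", "USER-B"),
    ("USER-B", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS-B"),
    ("WS-B", "HasSession", "SVC1"),
    ("SVC1", "MemberOf", "Domain Admins"),
    ("Domain Admins", "AdminTo", "SRV112"),  # high value target (element 112)
]
TRAP_SERVERS = {"TRAP221"}  # controlled computer (element 221)

def deceptive_response(host):
    """Operations 1030-1035: a scanner query that reaches a trap server raises
    an alert and is answered with deceptive edges: Domain Users appears in the
    trap's local Administrators group and a Domain Admin (SVC1) appears logged
    on to it, exactly the FIG. 8 lure. Non-trap hosts get no deception."""
    if host not in TRAP_SERVERS:
        return None
    alert = f"ALERT: network scanner queried trap server {host}"
    lure = [("Domain Users", "AdminTo", host), (host, "HasSession", "SVC1")]
    return alert, lure

def shortest_path(edges, src, dst):
    """Breadth-first search over directed edges, as a path-finding tool would
    do; returns the node list of the fewest-hop path or None."""
    adj = {}
    for s, _, d in edges:
        adj.setdefault(s, []).append(d)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def attack_paths():
    """Honest path vs. the path seen after the trap's deceptive answers."""
    honest = shortest_path(REAL_EDGES, "ATTACKER", "SRV112")
    _, lure = deceptive_response("TRAP221")
    return honest, shortest_path(REAL_EDGES + lure, "ATTACKER", "SRV112")
```

    The deceived path is two hops shorter than the real one and passes through TRAP221, so an attacker following the "shortest path" recommendation lands on the controlled computer, where operation 1055 raises further alerts.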

    Implementation Details

    [0053] Embodiments of the present invention provide coordinated deceptive responses to a network scanner by responding to protocol queries, such as SharpHound queries, with deceptive information. The protocols include MS-WKST, MS-SRVS, MS-RRP, MS-SAMR, MS-LSAD and MS-LST, which are based on the MS-RPCE protocol. These protocols use the RPC over Named Pipes protocol sequence, implemented over SMB.

    [0054] Reference is made to FIG. 9, which is a simplified drawing of implementation details for generating a deceptive network scan using the MS RRP protocol, such as the deceptive network scan shown in FIG. 8, in response to requests from network scanners, in accordance with an embodiment of the present invention.

    [0055] In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made to the specific exemplary embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.