Illusive Blog December 21, 2017

Case Study: Deception Technology Foils an Insider Data Theft

By Beth Ruck

People usually associate “advanced persistent threat” (APT) with malicious outsiders—nation-state or other sophisticated attackers. Generally, once an APT attacker has established an initial foothold, they conduct “low-and-slow”-style attacks involving a prolonged period of reconnaissance and lateral movement. Insider threats are usually thought of as intentional (or sometimes accidental) acts of data theft or other compromise committed by trusted users who know their way around and have legitimate, open access to sensitive assets.

But insider attacks often require a similar discovery and movement process. In these cases, insider attacks can be stopped with deception, just like an advanced attack by an outsider. Illusive recently caught a protracted case of insider data theft taking place within the network of a global US-based manufacturing services company.

Instant threat detection

The attack was discovered while deceptions were being deployed across the company’s global network of more than 100,000 endpoints and servers. Once deceptions were installed on a majority of the systems, the customer received an alert indicating an attempt to read and copy files from a deceptive file server. In this case, the deceptive file server was made to appear to attackers as a share—a store of files designed to appear as though they contained high-value, sensitive data. To appear authentic, files were named and organized into a directory structure that followed naming and data storage conventions used in the real environment.


As soon as the alert triggered, the security team had information about the user’s alias, the fully qualified domain name of the host, its IP address, and contextual information from Active Directory. Illusive’s real-time forensic collection process also kicked in, providing additional details, including volatile and nonvolatile data such as a list of all running processes, open network connections, running services, and more. This automated forensic snapshot instantly provided the company’s security team evidence that this was a true positive alert that warranted immediate investigation.

A quick review of the forensic information by the company’s security team and Illusive’s incident response team revealed that the fake data was accessed manually by the logged-in user who intended to steal intellectual property. We could ascertain that:

  1. The user was logged in actively to the computer
  2. He first enumerated all available network shares using built-in OS command-line utilities
  3. He then mapped each share he found as a network drive on his local machine
  4. This allowed him to browse and walk through each share’s directories and files, including the deceptive ones that were earlier deployed across the network. 

A key asset in the incident response process was a real-time capture of the user’s screen, taken as soon as he tried to connect to the deceptive share. It showed he had mapped network drives, including data volumes on the deceptive file server.

The team concluded that the user’s account had not been taken over by an outsider, nor was a remote attacker conducting the malicious activity in his name. The actions had to have been committed by the user himself. It was an insider.


Expanding the Investigation

Intellectual property is the lifeblood of a manufacturing company. This discovery was serious enough to kick off an expanded investigation to see if this was a singular event or perhaps part of an ongoing data theft campaign. The security team used Illusive data to correlate activity with information gathered from other security tools and resources.

The results were concerning. The employee had been collecting internal documents containing intellectual property long before Illusive deceptions had been deployed, and this extremely sensitive information was being exfiltrated over private email. Inspection of security logs provided more granular details:

  1. In the customer’s Data Loss Prevention logs, it was evident that the user had been routinely accessing network resources and copying their contents to his computer for over six months.
  2. Inspection of mail servers showed that the user had been regularly sending large emails to a single email address, which belonged to an unknown third party. The emails always contained a PowerPoint presentation attachment, in which a large number of stolen intellectual property documents had been embedded.

Lessons learned

  1. Deception cuts through noise. Other detection systems can leave security teams struggling to find a single “needle in the haystack.” With a deception approach, alerts are triggered only when a deceptive entity is accessed, which means that responders know they’re dealing with the real thing.
  2. Strong forensics power first responders and the longer investigation. To accelerate a digital forensic investigation, responders need immediate signs or evidence that help them quickly zoom in. These indicators provide a necessary focal point for correlating data points with SIEM logs or any other log resource.

This was no casual insider—not simply an ill-willed user who broke company policy by emailing private information to an unauthorized third party. A DLP system would likely have caught a clear policy violation. This was a sophisticated employee who knew how to use advanced attacker tools to study the environment, gain unauthorized access, and manipulate resources to operate under the radar. He had already done six months-worth of damage and would likely have continued had he not unwittingly encountered deceptions. It is the stealthy attacks—the ones deception is designed to expose—that can cause the greatest damage, whether from an insider or an outsider.