Illusive Blog November 6, 2019

Deceptive Microsoft Office Beacon Files Can Stop Threats

By Gil Shulman

Shadowy attackers targeting organizations from halfway around the world grab most of the cybersecurity headlines. However, research shows that 60 percent of data breaches and other cyberattacks on organizations are actually carried out by rogue or negligent insiders. According to a recent study by the Ponemon Institute, it takes an average of 72 days to contain an insider threat, and typical organizations with over 1,000 employees spend an average of US$8.76 million cleaning up after insider incidents every year.

A variety of factors motivate purposefully malicious insiders; they may be seeking revenge for mistreatment at the hands of their employer, looking for a payoff by selling confidential information to interested bidders, or seeking intellectual property that will be economically or politically beneficial to themselves or a sympathetic third party. Accidental insiders may simply be ignorant of the security protocols they should be using to handle sensitive information, or may seek more convenient data access that unwittingly gives attackers an entry point. Either way, even the most protected organizations with a full stack of deployed security solutions still struggle to identify and stop insiders before data leaves their organization.

Insider Threat Programs Are Insufficient 

While security strategies obviously need to keep malicious actors out and stop them if they manage to get in, insiders are employees and by their very nature are already within the perimeter with trusted access to a certain number of endpoints. Additionally, with their knowledgeable insight into an organization’s most valuable assets, insiders are often able to operate more discreetly than external attackers. Security measures that focus on the perimeter’s edge will not apply to such insiders, and since many of their actions will be authorized, solutions that need to crunch data to highlight security incidents based on behavior will not necessarily catch them in the act.

Many organizations have created insider threat programs as a part of their cybersecurity strategy to prevent and detect insider threats, avoid inadvertent data leaks, raise employee awareness, and comply with international and local security regulations. These programs are an excellent first step towards deterring employees from becoming insider threats, detecting insiders who currently pose a risk to an organization, and mitigating consequent security incidents insiders have caused.

However, no insider threat program that relies on employee behavioral analysis or education, no matter how well designed, will neutralize insider threats for good. Detection solutions based on employee behavior often create an avalanche of false positives that waste your security team’s time and resources. While employee education can help to raise awareness about the potential risks and consequences of insider negligence or theft, depending on employees to remember their training materials is not a comprehensive or reliable security solution. We are only human after all, prone to mistakes, temptations, faulty memories and distraction. No insider training program can anticipate every potential error an employee would make or guarantee that employees always choose what’s best for their organization over the possibility of illicit personal gain.

Catching Insiders with the Right Intelligence: Deceptive Microsoft Office Beacon Files 

Nevertheless, to exfiltrate critical data, malicious insiders often still need to sneak around the network as an external attacker would, hunting for credentials and connections to systems and applications they are not authorized to access. Illusive’s Deceptive Microsoft Office Beacon Files, a feature of our Attack Detection System solution, allows Word and Excel documents to be beaconized so that organizations can instantly gather forensics about when someone attempts unauthorized access to Office documents on the organization’s network, from which machine the attempt is made, and what data was exposed. In this context, “beaconization” of the Office documents means that your organization can track them, and that they can send out an incident report if anyone attempts to copy or open them on your network.

Once a beaconized Office file is accessed on the organization’s network, a web request is sent to a trap IP address preconfigured by Illusive, triggering a notification about the incident. This type of beaconization is especially useful to identify and catch insider threats in a timely fashion before insiders can capitalize on their attempted theft. Deceptive Microsoft Office Beacon Files make it simple to enhance insider threat detection at scale, and can be combined with an organization’s other incident response capabilities to isolate or quarantine the malicious insider upon detection.

Fool Malicious Insiders into Revealing Themselves

Deceptive Microsoft Office Beacon Files also enable organizations to create fake Microsoft Word docx files and Excel xlsx spreadsheets that can be customized to look like any other Word or Excel document that might be on an organization’s endpoints. Using a proprietary Illusive technique, creation of these deceptive files with headers, footers and an organization’s typical iconography can be automated, and the files can be distributed at strategic locations across thousands of endpoints with almost no additional IT overhead. These files are hidden on endpoints so that only someone who is looking where they shouldn’t would find them; this prevents deceptive files from disrupting normal business and also provides a high-fidelity warning signal, since only a malicious user would be attempting to find and access these files. Illusive also offers a variety of pre-existing templates that organizations can further customize so that leveraging this type of deception is as efficient and effective as possible.

Microsoft Word and Excel documents often contain credentials and other confidential information that provide both internal and external attackers with the keys to move laterally towards machines, systems and applications that contain critical data. In many cases, attackers will automate this process using malware that crawls the network looking for documents with those exact data parameters. In response to this common attack trend, Deceptive Microsoft Office Beacon Files can be automated to create and contain deceptive data, such as fake password lists, that an attacker would expect to find within a real version of such a file. This further deceives and wastes attackers’ time as they try to leverage this information to move laterally. Once an attacker attempts to use the fake data they were lured into stealing to gain access to an account or system, the organization is notified.
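The two notifications described above, a web request to the trap IP when a beaconized file is opened and an alert when planted fake credentials are used, can be sketched as detection logic over logs. This is an added example, not Illusive's code: the trap address, beacon URL layout, document tokens, decoy account name and both log formats are constructed assumptions.

```python
import re
from datetime import datetime

# Assumptions (constructed, not Illusive's real values or formats).
TRAP_IP = "192.0.2.10"                         # documentation-range placeholder
DECOY_DOCS = {"a1f3": "finance/passwords_2019.xlsx",
              "c7d9": "hr/payroll_admins.docx"}
DECOY_ACCOUNTS = {"svc_backup_adm": "a1f3"}    # fake credential -> file it was planted in

PROXY_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=/b/(?P<tok>\w+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)$")

# Constructed sample: web-proxy and authentication events in one stream.
SAMPLE_LOG = """\
2019-11-06T09:14:02 src=10.1.4.23 dst=192.0.2.10 url=/b/a1f3
2019-11-06T09:14:05 src=10.1.4.23 dst=198.51.100.7 url=/b/a1f3
2019-11-06T09:20:41 auth user=jsmith src=10.1.4.23 result=success
2019-11-06T09:31:17 auth user=svc_backup_adm src=10.1.4.23 result=failure
2019-11-06T10:02:55 src=10.1.9.80 dst=192.0.2.10 url=/b/zzzz
"""

def detect(log_text):
    """Return alerts for beacon call-backs and decoy-credential use, in log order."""
    alerts, opened = [], {}   # opened: token -> first host that opened that file
    for line in log_text.splitlines():
        if (m := PROXY_RE.match(line)) and m["dst"] == TRAP_IP:
            # Any request to the trap IP is an incident; the token says which file.
            opened.setdefault(m["tok"], m["src"])
            alerts.append({"time": datetime.fromisoformat(m["ts"]),
                           "kind": "beacon_opened", "host": m["src"],
                           "detail": DECOY_DOCS.get(m["tok"], "unknown document")})
        elif (m := AUTH_RE.match(line)) and m["user"] in DECOY_ACCOUNTS:
            # No real user owns a decoy account, so failed attempts count too.
            tok = DECOY_ACCOUNTS[m["user"]]
            alerts.append({"time": datetime.fromisoformat(m["ts"]),
                           "kind": "decoy_credential_used", "host": m["src"],
                           "detail": m["user"], "linked_open": opened.get(tok)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `linked_open` field ties a decoy login back to the machine that first opened the file the credential came from, which gives responders a single host to isolate.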

Illusive Networks Deceptive Microsoft Office Beacon Files expand the deceptive attack surface to the Microsoft Office documents that nearly every organization leverages for word processing and tabular data storage to surgically identify insider threats and also force intruders to reveal themselves.

Find out more about Illusive Deceptive Microsoft Office Beacon files in our datasheet about the feature here, and learn more about the wider deception solution this feature is a part of here.