Illusive Blog March 22, 2018

US CERT TA18-074A & Use of Cyber Deception on Dragonfly

By Ofer Israeli

On March 15, 2018, US CERT (U.S. Computer Emergency Readiness Team) issued a Technical Alert about “Russian government cyber actors” conducting a concerted cyberattack campaign against energy companies. Specifically, they gained access through small organizations connected to the target companies and then “conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

US CERT does a great service in providing detailed information about the characteristics and indicators of the attack campaign (which appear to be conducted by or related to Dragonfly), recommendations for how energy organizations can determine whether they’ve been a victim of these activities, and actions that can be taken to resist these and similar attacks. However, I want to point out a significant omission from the US CERT guidance: Distributed deception technology is an underutilized weapon in resisting and countering these attacks—and all APT-style targeted attacks.


Cyber deception: The missing recommendation for countering Dragonfly

This memo is important—not only as a warning about the potential for catastrophic, near-term disruption of public critical infrastructure services—but also for what it reveals about the nature of targeted attacks. If you substitute “ICS” above for “trade clearing systems”, “health information exchanges”, “domain name server”, OT device or any other essential IT system, you quickly see that this event serves as a warning to many industries, not only the energy sector.


Many security vendors can rightfully take this opportunity to highlight the value of their particular product; indeed, building a secure infrastructure has many, many components—including both “people” and “process”, not just the “technology” aspects. But distributed deception technology stands alone in its value for detecting and stopping these attacks because, rather than blocking particular threat signatures and countering specific tools and tactics, it addresses the underlying architectural elements of targeted attacks:

  1. The necessity of the attacker to discover/inspect/understand the environment and
  2. The necessity of the attacker to move laterally from an initial point of entry to the high-value systems being targeted.


By addressing these underlying elements, distributed deception solutions provide a basis to be adaptive as specific threat tactics change.


Five key point on how distribution deception stops critical infrastructure attacks


Various deception vendors offer somewhat different approaches but from the perspective of the Illusive Networks platform, here is a summary of why deception is an essential part of the defense arsenal.


  1. Deception is built to detect lateral movement

    Illusive saturates the entire endpoint and server environment with false information that appears useful to the attacker in discovering and moving through the network. As soon as the attacker tries to use false data, he (or she) is caught.


  2. Deception combats misuse of credentials

    As the US CERT alert details, attackers use many tactics to acquire valid user credentials throughout the attack process, including the use of pre-built tools such as CrackMapExec. Illusive discovers where powerful credentials reside across the environment, can deploy deceptive credentials in those areas, and detect attackers when they try to use these fictitious credentials. It can also can help defenders preemptively reduce the silent proliferation of credentials that occurs during the normal workday.


  3. Deceptions are tailored to specific business or operational risks

    Illusive automatically designs deceptions that are tailored to mimic the specific naming conventions and usage patterns of each organization—down to the individual system level. The details in the US CERT alert are so important because once a threat is modelled, deceptions can be built in anticipation of the specific things a threat actor would be looking for. In this case, examples of relevant deceptions could include:

    • Fake diagrams of the ICS environment
    • Fake connections (within third party suppliers) to the energy companies that would be primary targets
    • Fake credentials and interfaces to ICS management tools
  4. Deceptions can be used to better secure “untouchable” systems, such as ICS

    Many devices and systems can fall into this category, including mainframes, operational technologies (OT) used in manufacturing, and even legacy custom Unix platforms that support custom enterprise application. These systems are particularly susceptible to attack because administrators are often reluctant to perform software upgrades for fear of causing critical system outages. Between scheduled maintenance windows, a deception approach can detect malicious movement toward these systems without having to install anything directly on them.


  5. Distributed deception scales and detects the attacker anywhere

    ICS components—similar to ATM machines, card payment systems, or medical devices in other environments—are highly distributed. While these systems can be impacted through centralized management systems, the devices themselves also must be protected. Honeypots can be useful for in-depth study of attacker behavior, but cannot be distributed widely enough to provide the web of awareness needed to detect lateral movements from any one point to any other.


We are working hard to raise the level of awareness about the unique and ground-breaking role that deception strategies can play in helping to ensure the availability of critical services and infrastructure. Join us by learning more about how deception could help your organization. Request a demo, or read more: