Trapping a True Cyborg

As a culture, we have read and watched so many stories about cyborgs that we may have trouble remembering that they’re works of fiction. Schwarzenegger seems real enough, right? He’s a cyborg, a person with mechanical elements built into his body, extending his physical abilities beyond normal human limitations. The Terminator has computers welded into his steel skull and runs around killing people.

Perhaps all of this sci-fi overstimulation has led us to misunderstand the essence of the cyborg, however. While we may one day see half-man/half-machine robots doing our dirty work, in reality the cyborg is already here. If we look carefully, we can see human powers amplified by machines in the execution of cybercrimes. Certainly, this would be a takeaway from the ambitious honeypot exercise recently completed by the firm Cybereason.

In its day job, Cybereason offers a cybersecurity data analytics platform including endpoint detection and response, next-generation antivirus, and active monitoring services. To gain a better understanding of how cybercriminals actually operate, they staged an elaborate hoax intent on tricking malicious botnets.

Israel Barak, CISO of Cybereason

“It’s imperative to understand how cyber criminals must function at scale,” said Israel Barak, Chief Information Security Officer, Cybereason. “They want to make as much money as possible. Like all the rest of us, they have only so many cycles in a day. They can’t waste time trying to break into every target manually. They rely on bots to do their advance work.”

The project, dubbed “Operation Honeypot,” involved the creation of a fictitious financial services company. The project’s operational goals included gathering intelligence on the tactics, techniques and procedures used by cyber criminals to harvest proprietary information on financial services companies. Cybereason created traps on the dark web with the usernames and passwords of the fake firm’s website’s Remote Desktop Protocol (RDP) in an attempt to lure hackers. This resulted in zero activity, unfortunately.

Simultaneously, thousands of brute force attempts to crack the servers were unsuccessful due to strong encryption. After Cybereason simplified and weakened the passwords, they witnessed an intrusion in less than two hours. The bots created persistence by establishing backup user accounts. Several days later, actual human hackers entered the environment using the persistence accounts and set up the environment for data theft. Their efforts led to the theft of 3 GB of data over a 4-6 day timeframe.

The Honeypot project reveals the existence of an actual cyborg—a human attacker with extraordinary powers of detection and seeming x-ray vision, a human being who can see through a million walls at the same time. “We have never seen bots of this level built to assist a human attacker, nor have they been commoditized to this degree,” Barak noted.

Cybereason researchers learned that cyber criminals are using automated bots to support crimes such as spam campaigns and data mining. They rely on bots for multi-purpose breaches that lay the foundation for human attackers to extract data and intellectual property. Barak commented, “The automatic exploitation in seconds means defenders will likely be overwhelmed by the speed at which the bots infiltrate their environment. The increasing automation of internal network reconnaissance and lateral movement is an even larger concern.”

Cybereason offers a solution to the bot attack that acts as an advance team for a human attacker. “Our approach is to isolate the threat and observe what they are doing. We stop the threat from spreading,” Barak said. Their solution notifies SecOps and provides visibility into what the attacker is doing.

“Instead of being reactive and, say, re-imaging an infected server, let’s isolate the server and watch what the attackers are doing. Then, with the attackers thinking they’re in, you can let them waste their time,” he added. “On the other hand, if you re-image the server right away, you’ve told the hackers what to avoid next time they attack. This becomes an endless game. It’s not a game anyone will win.” Except, maybe, the cyborgs. They’re coming…