Luring Attackers into a Dummy Network

In targeted attacks, attackers persistently pursue selected companies or organizations to steal their intelligence. Ransomware encrypts data to hold it ransom. Companies and organizations across the globe, including Japanese ones, are targeted by such attacks. What is a viable strategy to protect data from targeted attacks and ransomware in order to ensure business/operational continuity?
[Fujitsu Insight 2017 "Security" Seminar Report]

At this seminar, Daisuke Inoue from the National Institute of Information and Communications Technology (NICT) and Masahiko Takenaka from Fujitsu Laboratories spoke.

A Virtual Space for Luring Attackers and Exposing Their Behavior

Strategies to counter targeted attacks need data.

Daisuke Inoue
Director, Cybersecurity Laboratory,
National Institute of Information and Communications Technology (NICT)

Recently, we have seen massive malware infections and targeted attacks against companies and government agencies. According to 2016 statistics, more than 60% of attacks targeted IoT devices; 5% or less targeted Windows PCs. The primary targets of attacks have shifted to IoT devices, such as webcams and broadband routers.

Conventional indiscriminate attacks attempted to infect PCs all over the world with viruses. NICT conducted a real-time global analysis of these attacks in a passive study by which we tried to understand the events occurring on the Internet at that moment in time.

NICTER: NICT's incident analysis center observes cyberattacks around the world in real-time.

NICTER Real-time Observation Report "NICTERWEB 2.0"

Still, we could not collect information on targeted attacks with this passive method. Targeted attacks go after selected companies or organizations, and an observation network designed for conventional extensive attacks cannot catch such attacks. Also, in some cases, attackers erase their footprints after completing what they intended to do. Therefore, records of attacks are unlikely to remain. Even if they did, however, such records would contain confidential information that companies or organizations could not submit.

Malware analysis of targeted attacks can reveal only the infection method employed for infiltration. Once malware has been used to put a backdoor in place, the attacker can attack manually and remotely. We must monitor the attacker's behavior to find out what occurs after infiltration.

Create a dummy network to lure attackers.

After concluding that a mechanism to lure attackers and observe actual attacks is necessary, NICT began research to develop STARDUST, a platform for luring cyberattackers.

STARDUST is a simulated network space that has been designed to lure perpetrators of targeted attacks. Behind networks actually used by a company or organization, STARDUST automatically generates parallel networks that simulate these real networks. Such parallel networks are given the same IP addresses as the real networks and include a few dozen to a few hundred Windows PCs, file servers, and DNS servers.

When an attacker sends an email with malware attached to a company or organization, STARDUST ushers the attacker into a parallel network through a wormhole created in the real network. Since the parallel network has dummy business document files and user environments, the attacker initiates the attack process, believing that infiltration has been successful. Thus, STARDUST enables active research by luring attackers and observing their behavior without being noticed.

STARDUST clears up three misunderstandings.

STARDUST has made three things clear. First, there was a common belief that targeted attacks were "highly advanced attacks with a government's involvement." When attackers' behavior was observed, however, they were merely executing commands in a specified order; frontline attackers may be 9-5 part-time workers.

Second, it has been said that "to avoid detection, attackers do not run network scans casually." It was widely believed that attackers did not need to scan networks because they would learn about the targeted company's/organization's network before infiltrating. This is completely wrong; attackers scanned networks after infiltration to examine the internal layout. This means that checking whether scans have been executed is an easy way to detect targeted attacks.

Third, there was also the misunderstanding that attackers "act carefully based on a good understanding of the behavior of employees at the targeted company/organization; therefore, system abnormalities could not be detected." Yet in fact, once inside, attackers check the list of executed applications or run a command to see shared resource information on Windows. Since ordinary desk workers do not check the list of executed applications, simple process monitoring can facilitate speedy detection of attacks.

Studying data from real attacks by real attackers has led us to think that more realistic, practical targeted attack countermeasures can be implemented.

The STARDUST R&D project took us more than five years to give shape to our ideas. We are now exploring the possibility of increasing the self-security sufficiency rate. Japan has excellent technologies, such as Fujitsu's high-speed forensic technology employed in STARDUST. We believe one of NICT's important missions is to evaluate such technologies in practical environments that we provide, strengthen domestically developed security capabilities, and introduce such capabilities to the world.
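The two detection ideas from the second and third observations above (attackers scan the internal network after infiltration, and they run process-listing and share-enumeration commands that desk workers never run) can be checked with very little logic. The following is an added example written for this report, not NICT or STARDUST code; the event formats, command lists and thresholds are assumptions, and the log records are constructed.

```python
from collections import defaultdict

# Assumed list of discovery commands a desk worker does not normally run.
DISCOVERY_IMAGES = {"tasklist.exe", "systeminfo.exe", "whoami.exe"}
# net.exe subcommands that enumerate shares, hosts or accounts (assumed list).
NET_DISCOVERY_ARGS = {"share", "view", "user", "group", "localgroup"}

# Constructed process-creation events: (timestamp_s, host, user, image, cmdline).
PROC_EVENTS = [
    (100, "PC-017", "tanaka", "winword.exe", "winword.exe report.docx"),
    (106, "PC-017", "tanaka", "tasklist.exe", "tasklist"),
    (110, "PC-017", "tanaka", "net.exe", "net view /domain"),
    (111, "PC-017", "tanaka", "net.exe", "net share"),
    (200, "PC-042", "suzuki", "excel.exe", "excel.exe budget.xlsx"),
]
# Constructed connection attempts: (timestamp_s, src_host, dst_ip, dst_port).
# PC-017 sweeps 40 internal hosts on 445 in 40 s; PC-042 talks to one file server.
CONN_EVENTS = [(120 + i, "PC-017", f"10.0.1.{i}", 445) for i in range(1, 41)]
CONN_EVENTS += [(300, "PC-042", "10.0.0.5", 445), (301, "PC-042", "10.0.0.5", 445)]


def discovery_hits(events):
    """Return (host, user, cmdline) for every discovery command executed."""
    hits = []
    for _, host, user, image, cmdline in events:
        img, args = image.lower(), cmdline.lower().split()
        if img in {"net.exe", "net1.exe"}:
            if len(args) > 1 and args[1] in NET_DISCOVERY_ARGS:
                hits.append((host, user, cmdline))
        elif img in DISCOVERY_IMAGES:
            hits.append((host, user, cmdline))
    return hits


def scan_sources(conns, window_s=60, min_targets=20):
    """Return {src_host: peak} for hosts that contact >= min_targets distinct
    (ip, port) pairs inside any window_s-second window (a post-infiltration scan)."""
    by_src = defaultdict(list)
    for ts, src, ip, port in conns:
        by_src[src].append((ts, (ip, port)))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        peak = 0
        for i, (t0, _) in enumerate(rows):
            seen = {tgt for ts, tgt in rows[i:] if ts - t0 <= window_s}
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged
```

On the constructed data, PC-017 is flagged both for three discovery commands and for a 40-host sweep, while PC-042's repeated access to a single file server is not.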

The Only Tool Available for Real-time Analysis of Attack Commands

The tool identifies attack commands from a huge volume of packets.

Masahiko Takenaka
Head of Security Research Laboratory,
Fujitsu Laboratories Ltd.

Because it is virtually impossible to completely protect systems against targeted attacks and other cyberattacks, companies and organizations must develop measures based on the assumption that their systems will be infiltrated. So, what should they do when a system is being attacked? The first part of the answer is to learn what happens when a system is infiltrated.

As Mr. Inoue explained, the malware used in targeted attacks may be captured, but it is difficult to analyze. Such malware will not infect systems if it recognizes that it is in a lab setting instead of a production environment. It will not even attack systems unless it connects to an external server and receives commands from it. How such malware works cannot be observed if it does not attack any systems.

To overcome this issue, we use STARDUST to lure perpetrators of targeted attacks and then allow such attacks to occur. Fujitsu's high-speed forensic technology conducts real-time analysis of how malware behaves. We take pride in the fact that this technology is the only one available that can separate commands to remotely control Windows PCs from packets and then monitor such commands in real time.

Attackers usually send commands to infected PCs remotely. When an infected PC receives a command, it starts sending packets to the next target in order to spread the infection. If recorded and stored, this will be a huge volume of packets. For example, if 2 TB of packets are stored daily, keeping 200 days' worth of packets is infeasible. In addition, analyzing such a huge volume of data is very difficult.

After infiltration, malware employs an application layer protocol, Windows SMB. This makes analysis very complicated. Information from multiple packets must be integrated to determine which commands have been used. Though you may think it might be possible to tell which commands have been used by looking at packets, in fact it is not that simple.

High-speed forensic technology can indicate the risk level, extent of impact, and overall picture of an attack.

Fujitsu has a technology called command-level forensic technology. Under STARDUST, this technology reconstructs remote control commands from a packet stream in real time. However, this is just one of its capabilities. The full-scale version of this technology reconstructs remote control commands, automatically analyzes such commands, and visualizes them.

Abstracting packets to the command level reduces the data volume to 1/1,000 or 1/10,000. Logs can then be stored for one or two years.

When investigating an attack, it is also important to identify the user who executed a command. Although doing this from multiple packets is quite difficult, Fujitsu's high-speed forensic technology can do it in a few seconds because it automatically, efficiently connects device operations with the user who operated that device.

Our technology has also learned commands that ordinary users rarely use, which enables attack risk levels to be ranked based on device operation-user relationships. Then, using this ranking data, high-risk operations and behavioral contexts can be analyzed to visualize the extent of damage and give overviews of attacks.

Our high-speed forensic technology has proven useful in production environments. For example, it can detect and analyze the WannaCry ransomware. For one corporate client, it successfully detected a variant of WannaCry and stopped the infection from spreading.

Taking advantage of this high-speed forensic technology, Fujitsu offers inspection services for systems currently under targeted attacks. The inspection results facilitate quick identification of the extent of damage, thereby enabling clients to prevent infections from spreading (e.g., by disconnecting devices that may have been infected).
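The pipeline described above (integrate several packets into one remote-control command, attribute it to the user behind the device, and rank it by how rarely ordinary users run it) is illustrated by the following added example. It is a toy written for this report, not Fujitsu's high-speed forensic technology: the packet format, logon table and baseline frequencies are constructed assumptions, and real SMB reassembly is far more involved.

```python
from collections import Counter, defaultdict

# Constructed packet fragments: (timestamp_s, session_id, seq_no, payload).
# One remote-control command is split over several packets, which may arrive
# out of order; commands are newline-terminated in this toy format.
PACKETS = [
    (1, "S1", 0, "dir \\\\FS01\\sh"), (1, "S1", 1, "are\\contracts\n"),
    (2, "S2", 1, " share\n"),          (2, "S2", 0, "net"),
    (3, "S1", 2, ""),                  # empty trailer packet
    (4, "S3", 0, "copy q3_rep"),       (4, "S3", 1, "ort.xlsx \\\\FS01\\public\n"),
    (5, "S2", 2, "tasklist /v\n"),
]
# Constructed logon table: session id -> (source host, user).
SESSIONS = {"S1": ("PC-017", "tanaka"), "S2": ("PC-017", "tanaka"),
            "S3": ("PC-042", "suzuki")}
# Assumed baseline: how often ordinary users ran each verb in a normal week.
BASELINE = Counter({"dir": 5000, "copy": 1200, "net": 3, "tasklist": 1})
RARE_BELOW = 10   # assumed threshold: verbs seen fewer times are high-risk


def reassemble(packets):
    """Join each session's fragments in sequence order and cut them into
    commands. Returns [(start_ts, session_id, cmdline), ...] in time order."""
    by_sess = defaultdict(list)
    for ts, sess, seq, payload in packets:
        by_sess[sess].append((seq, ts, payload))
    out = []
    for sess, frags in by_sess.items():
        frags.sort()                      # restore packet order within a session
        buf, start = "", None
        for _, ts, payload in frags:
            if buf == "" and payload:     # first fragment of a new command
                start = ts
            buf += payload
            while "\n" in buf:            # a complete command is available
                cmd, buf = buf.split("\n", 1)
                if cmd.strip():
                    out.append((start, sess, cmd))
                start = ts
    return sorted(out)


def command_records(packets, sessions=SESSIONS, baseline=BASELINE):
    """Command-level records with user attribution and a rarity-based risk."""
    recs = []
    for ts, sess, cmd in reassemble(packets):
        host, user = sessions[sess]
        verb = cmd.split()[0].lower()
        risk = "high" if baseline[verb] < RARE_BELOW else "low"
        recs.append({"ts": ts, "host": host, "user": user, "cmd": cmd, "risk": risk})
    return recs
```

Eight constructed packets collapse into four command records, of which only the share enumeration and the process listing are ranked high-risk; on real traffic the packet-to-command ratio is what drives the storage reduction the talk describes.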

  • Daisuke Inoue Director, Cybersecurity Laboratory,
    National Institute of Information and Communications Technology
  • Masahiko Takenaka Head of Security Research Laboratory,
    Fujitsu Laboratories Ltd.