# Full Report
In this BHIS podcast, originally recorded as a live webcast, we cover some new techniques and tactics on how to track attackers via various honey tokens. We cover how to […] The post BHIS PODCAST: Tracking attackers. Why attribution matters and how to do it. appeared first on Black Hills Information Security, Inc.
# Analysis Summary
This summary focuses on the tools and techniques mentioned in the context of tracking attackers, attribution, and cyber deception as discussed in the BHIS podcast episode.
# Tool/Technique: ADHD (Attacker Detection using Honey Tokens)
## Overview
ADHD is a tool or concept mentioned in the context of tracking attackers using various honey tokens, specifically focusing on Word Web Bugs for tracking within documents. It is presented in the context of enhancing attribution capabilities beyond standard honeypots.
## Technical Details
- Type: Tool/Framework (Related to Cyber Deception/Honey Tokens)
- Platform: Not explicitly stated, but implies environments where documents (like Microsoft Word) are used.
- Capabilities: Tracking attackers using specialized honey tokens (Word Web Bugs).
- First Seen: Context suggests usage around the time of the podcast (Early 2019).
## MITRE ATT&CK Mapping
(Since ADHD is a specific tool focused on deception for tracking, the mapping generally falls under collection or defensive evasion, enabling better attribution.)
- TA0014 - Persistence
- T1559 - Inter-Process Communication (If implemented via file system/network triggers)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (If the "web bug" beaconing connection is considered)
*Note: Direct, established mappings for esoteric honey token tools are often absent. The mapping here reflects the **purpose** of the technique used by the tool.*
## Functionality
### Core Capabilities
- Tracking adversarial activity through the use of specialized "honey tokens."
- Utilizing "Word Web Bugs" potentially embedded within document files (e.g., MS Word documents).
### Advanced Features
- Providing a mechanism for attribution by recording when and how a document containing the token is accessed or triggered.
## Indicators of Compromise
- File Hashes: [N/A - Tool specific download referenced]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [Indicators generated upon Web Bug trigger (Specific URLs/IPs used in the web bug tracking mechanisms would be organization-specific)]
- Behavioral Indicators: [Document access/opening followed by an external HTTP request triggered by the embedded web bug.]
## Associated Threat Actors
- Information not provided in the context regarding specific threat actors using ADHD, though the material is geared toward defenders tracking potential threat actors.
## Detection Methods
- Detection often relies on network monitoring to spot the outbound request originating from the "web bug."
- Signature-based detection might apply to specific payloads or file structures associated with the ADHD installation/configuration.
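The attribution value described above (recording when, from where and with what client a seeded document was opened) and the detection approach (watching for the outbound "web bug" request) both come down to processing the token server's access log. The following is an added example, not code from the podcast, from ADHD or from BHIS. It assumes a hypothetical deployment in which each seeded Word document embeds a remote image whose URL carries a six-character token id (`/wb/<token>.gif`), the token server writes standard combined-format access logs, and the organisation's own address ranges are known; the token registry, network ranges, business hours and log lines are all constructed for the example.

```python
"""Correlate web-bug (honey token) callbacks with the documents they were seeded in.

Added example for illustration; the token URL scheme, registry, internal
ranges and log lines below are assumptions, not values from the podcast.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Hypothetical registry: token id -> document the token was embedded in.
TOKEN_REGISTRY: Dict[str, str] = {
    "a1b2c3": "Q4-budget-DRAFT.docx",
    "d4e5f6": "passwords-backup.docx",
}
# Assumed organisation address space. A trigger from here may be benign
# (an analyst, a search indexer); anything else means the document left the network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
OFF_HOURS = (19, 7)  # assumed business hours in UTC: off-hours from 19:00 to 07:00

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed web-bug URL scheme: a 1x1 image whose name is the token id.
TOKEN_PATH_RE = re.compile(r"^/wb/(?P<token>[0-9a-f]{6})\.(?:gif|png)$")


@dataclass
class Callback:
    token: str
    document: str
    when: datetime
    source_ip: str
    user_agent: str
    external: bool
    off_hours: bool


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_off_hours(when: datetime) -> bool:
    start, end = OFF_HOURS
    return when.hour >= start or when.hour < end


def parse_callback(line: str) -> Optional[Callback]:
    """Return a Callback for a web-bug fetch of a registered token, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = TOKEN_PATH_RE.match(m.group("path"))
    if not t or t.group("token") not in TOKEN_REGISTRY:
        return None  # ordinary request, or a token id that was never issued
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ip = m.group("ip")
    return Callback(token=t.group("token"), document=TOKEN_REGISTRY[t.group("token")],
                    when=when, source_ip=ip, user_agent=m.group("ua"),
                    external=not is_internal(ip), off_hours=is_off_hours(when))


def triage(lines: List[str]) -> Dict[str, dict]:
    """Summarise callbacks per seeded document: who opened it, from where, and when."""
    hits = [c for c in map(parse_callback, lines) if c is not None]
    summary: Dict[str, dict] = {}
    for c in sorted(hits, key=lambda c: c.when):
        s = summary.setdefault(c.document, {
            "count": 0, "first_seen": c.when, "external_sources": set(),
            "internal_sources": set(), "user_agents": set(), "off_hours_hits": 0,
        })
        s["count"] += 1
        (s["external_sources"] if c.external else s["internal_sources"]).add(c.source_ip)
        s["user_agents"].add(c.user_agent)
        s["off_hours_hits"] += int(c.off_hours)
    for s in summary.values():
        for key in ("external_sources", "internal_sources", "user_agents"):
            s[key] = sorted(s[key])
        # An external trigger means the document was opened off-network: escalate.
        s["severity"] = "ALERT" if s["external_sources"] else "INFO"
    return summary


# Constructed sample log lines (not real traffic); the last two are not token hits.
SAMPLE_LOG = [
    '10.0.4.17 - - [12/Feb/2019:09:14:02 +0000] "GET /wb/a1b2c3.gif HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"',
    '203.0.113.45 - - [12/Feb/2019:23:41:18 +0000] "GET /wb/a1b2c3.gif HTTP/1.1" 200 43 "-" "Microsoft Office Word 2013"',
    '198.51.100.7 - - [13/Feb/2019:02:05:51 +0000] "GET /wb/d4e5f6.png HTTP/1.1" 200 43 "-" "LibreOffice"',
    '10.0.4.17 - - [13/Feb/2019:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64.0"',
    '10.0.4.17 - - [13/Feb/2019:08:00:01 +0000] "GET /wb/999999.gif HTTP/1.1" 404 0 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for doc, s in triage(SAMPLE_LOG).items():
        print(f'[{s["severity"]}] {doc}: {s["count"]} hit(s), first {s["first_seen"]:%Y-%m-%d %H:%M}, '
              f'external={s["external_sources"]} internal={s["internal_sources"]} '
              f'off-hours={s["off_hours_hits"]} agents={s["user_agents"]}')
```

The split between internal and external sources is what turns a beacon into attribution data: a hit from inside the organisation's ranges is a candidate false positive to verify with the user, while a hit from outside shows the document was exfiltrated and opened elsewhere, with the timestamp and client string as the first pivot points for the investigation. Unknown token ids are dropped here; in a real deployment they would be worth a separate, lower-severity alert as a sign that someone is probing the token server.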
## Mitigation Strategies
- Strict network egress filtering to block unauthorized outbound connections, especially from document processing applications.
- Comprehensive monitoring of file access patterns for unusual external calls initiated by standard office files.
## Related Tools/Techniques
- Honey Tokens
- Honeypots (mentioned generally as inferior for attribution compared to specialized tracking tools)
- Thinkst Toolkit (mentioned as another relevant toolkit)
---
# Tool/Technique: Thinkst Toolkit
## Overview
The Thinkst Toolkit is mentioned as an awesome toolkit relevant to the discussion on tracking attackers and cyber deception, implying capabilities related to active defense and attribution.
## Technical Details
- Type: Tool/Framework (Cyber Deception/Active Defense)
- Platform: Not specified, assumed to target environments relevant to threat tracking.
- Capabilities: Active defense and potentially comprehensive threat tracking features.
- First Seen: Context implies relevance around 2019.
## MITRE ATT&CK Mapping
(General mapping for a deception toolkit focused on tracking and active defense.)
- TA0005 - Defense Evasion (If used to mislead further investigation)
- TA0003 - Persistence (If deployed as a persistent monitoring/deception mechanism)
## Functionality
### Core Capabilities
- Providing tools specifically designed for active defense strategies.
- Facilitating the tracking and attribution of adversaries.
### Advanced Features
- Not specified, but implied to be robust as it's highlighted as an "awesome toolkit."
## Indicators of Compromise
- [N/A - Specific IOCs for the general toolkit are not provided in the context.]
## Associated Threat Actors
- [N/A - Associated with defenders/security professionals focused on attribution.]
## Detection Methods
- [N/A]
## Mitigation Strategies
- [N/A - This is a defensive tool.]
## Related Tools/Techniques
- ADHD (Mentioned alongside it)
- Cyber Deception Techniques
---
# Technique/Concept: Cyber Deception for Attribution
## Overview
The discussion emphasizes the need to move beyond standard honeypots toward more effective methods, like honey tokens (e.g., Word Web Bugs), specifically to achieve better *attribution* of threat actors.
## Technical Details
- Type: Technique/Methodology (Active Defense/Incident Response Support)
- Platform: Enterprise environments where documents and network activity occur.
- Capabilities: Gathering high-fidelity data about the attacker's identity, TTPs, and infrastructure to enable attribution.
- First Seen: Conceptual technique, but the specific implementation methods discussed are current (as of the podcast date).
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1560 - Archive Collected Data (Attacker often bundles stolen data with tracking mechanisms)
- ATT&CK Tactic: Resource Development (If the defense is seen as *developing* a resource—the trap—to gain intelligence.)
## Functionality
### Core Capabilities
- Employing deceptive artifacts (Honey Tokens) designed to "phone home" upon interaction.
- Gathering actionable intelligence necessary for attribution, which standard monitoring often misses.
### Advanced Features
- Leveraging subtle tracking mechanisms (like Word Web Bugs) that blend into legitimate document workflows.
## Indicators of Compromise
- Behavioral Indicators: Outbound network connections originating from unusual user contexts or documents being accessed outside of normal operational hours, indicating manual adversary interaction.
## Associated Threat Actors
- All threat actors encountered by the defending organization.
## Detection Methods
- Network traffic analysis for unexpected beacons or calls to external services triggered by deceptive assets.
- File system monitoring for access patterns on honey-token-containing files.
## Mitigation Strategies
- Investing in active defense and cyber deception programs focused specifically on intelligence gathering for attribution.
- Ensuring security teams are trained in analyzing telemetry generated by sophisticated deceptive mechanisms.
## Related Tools/Techniques
- Honeypots
- RITA (Mentioned in adjacent links, often used for network analysis supporting attribution)