Full Report
In this BHIS webcast, we cover some new techniques and tactics on how to track attackers via various honey tokens. We cover how to track with Word Web Bugs in ADHD and […] The post "BHIS Webcast: Tracking Attackers. Why Attribution Matters and How To Do It." appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: ADHD (A Tool Mentioned in the Context of Tracking Attackers)
## Overview
ADHD appears to be a tool or framework associated with Black Hills Information Security (BHIS) used in conjunction with tracking attackers, specifically mentioned in the context of utilizing Word Web Bugs for attribution tracking and cyber deception.
## Technical Details
- Type: Tool/Framework (likely related to Cyber Deception)
- Platform: Not explicitly stated, but implied to operate within enterprise environments for tracking document interaction (likely Windows/Office environments).
- Capabilities: Facilitates tracking attackers using Word Web Bugs.
- First Seen: The webcast discussing this was originally recorded live on 2/28/2019.
## MITRE ATT&CK Mapping
*The direct mapping for "ADHD" as a tool is not provided, but its listed function aligns with the following concepts:*
- **TA0007 - Discovery** (If used to learn about the environment post-access)
- **TA0011 - Collection** (Data is being collected via interaction)
- **TA0009 - Collection** (If deployed to gather specific data points)
- **T1560 - Archive Collected Data** (Implied data collection)
- **T1566.001 - Phishing: Spearphishing Attachment** (If the Word Web Bug is delivered via email)
## Functionality
### Core Capabilities
- Tracking the interaction with specific documents (Word Web Bugs) to achieve attribution.
- Integration with Cyber Deception practices.
### Advanced Features
- The mention alongside legally tinged defense discussions suggests capabilities designed to gather intelligence that might be actionable in a legal context, beyond standard forensic artifacts.
## Indicators of Compromise
*Indicators focus on the mechanism mentioned (Word Web Bugs) rather than the tool itself.*
- File Hashes: [N/A - Tool download link provided]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A - Web bugs rely on external network callbacks]
- Behavioral Indicators: Observing network connections initiated by Office documents that should not be making external calls (tracking the web bug beacon).
## Associated Threat Actors
- Associated with defenders/security researchers utilizing BHIS methodologies (John Strand) for active defense and attribution.
## Detection Methods
- Signature-based detection: [N/A for the tool itself]
- Behavioral detection: Monitoring outgoing network connections initiated by Office applications (especially when documents are opened offline or from unexpected sources).
- YARA rules: [N/A]
## Mitigation Strategies
- Strict application security policies that restrict macro execution and external content loading in documents.
- Network monitoring for unusual outbound traffic originating from document processing applications.
- User training regarding opening untrusted documents containing external content.
## Related Tools/Techniques
- **Thinkst Toolkit:** Mentioned alongside ADHD, suggesting complementary use in deception environments.
- **Cyber Deception:** The overarching strategy employing tools like ADHD.
- **Honey Tokens / Web Bugs:** The specific mechanism utilized by ADHD for tracking.
***
# Tool/Technique: Thinkst Toolkit
## Overview
The Thinkst Toolkit is explicitly referred to as an "awesome toolkit" in the context of tracking attackers, likely providing physical or digital deception assets for attribution.
## Technical Details
- Type: Tool/Framework (Physical/Digital Deception)
- Platform: Not explicitly stated, but implied to be used across enterprise environments for deception.
- Capabilities: Provides components for tracking attackers as part of an active defense strategy.
- First Seen: Discussion context is from a webcast originally recorded on 2/28/2019.
## MITRE ATT&CK Mapping
*Since Thinkst often deals with physical/digital sensors and deception:*
- **TA0005 - Defense Evasion** (Used by defenders to observe attacker evasion tactics)
- **TA0008 - Lateral Movement** (If deceptive credentials/tokens are deployed)
- **TA0009 - Collection**
- **T1559.002 - Inter-Process Communication: Named Pipes** (Potential use if deploying internal deception tokens)
## Functionality
### Core Capabilities
- Facilitating active defense and cyber deception operations.
- Assisting in achieving attacker attribution.
### Advanced Features
- Likely involves tangible or tightly integrated digital assets (like browser implants or physical tokens) to lure and trace adversaries beyond simple file monitoring.
## Indicators of Compromise
- Indicators would be specific to which component of the Thinkst toolkit was deployed (e.g., proprietary hardware fingerprints or specific payload artifacts).
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: [N/A for the tool itself, dependent on deployed sensor configuration]
- Behavioral Indicators: Unauthorized access attempts against deployed deception assets.
## Associated Threat Actors
- Defenders and security researchers utilizing advanced attribution techniques.
## Detection Methods
- Detection focuses on identifying the unique artifacts left by deployed Thinkst sensors or anomalies caused by their interaction with the environment.
## Mitigation Strategies
- Standard security hardening (as the deployment and use of these tools is for defensive purposes).
## Related Tools/Techniques
- **ADHD:** Mentioned in parallel as a complementary tracking technique.
- **Cyber Deception:** The methodology driving the use of Thinkst.
***
# Technique: Tracking Attackers via Honey Tokens (General)
## Overview
The webcast focuses on advanced techniques for tracking attackers specifically using various 'honey tokens' to achieve attribution, noting that standard honeypots are often insufficient for this purpose.
## Technical Details
- Type: Technique
- Platform: Enterprise environments (endpoints, network, cloud)
- Capabilities: Gathering detailed forensic evidence and attribution data when an attacker interacts with a decoy artifact.
- First Seen: Discussion context is from a webcast originally recorded on 2/28/2019.
## MITRE ATT&CK Mapping
- **TA0009 - Collection**
- **T1557 - Fingerprint User Session Prediction** (Relevant for tracking interaction)
- **TA0004 - Privilege Escalation** (If tokens lead to credential theft)
- **TA0005 - Defense Evasion** (Used by defenders to observe adversary behavior)
## Functionality
### Core Capabilities
- Deploying low-interaction artifacts (tokens) designed to "call home" when accessed by an adversary.
- Providing concrete evidence linking hostile activity back to a specific actor or campaign (attribution).
### Advanced Features
- Use of specific deception methods like Word Web Bugs within ADHD.
- Understanding the legal ramifications of such tracking.
## Indicators of Compromise
- Network Indicators: External callback connections initiated from the network segment where the token was placed immediately following document access or token interaction.
- Behavioral Indicators: Unusual file access patterns or remote access attempts on decoy files/systems.
## Associated Threat Actors
- Used by defenders to track sophisticated threat actors engaged in espionage or targeted intrusion.
## Detection Methods
- Network flow analysis focusing on atypical destination connectivity established by standard user applications (e.g., MS Office processes calling out to external HTTP/S endpoints).
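The behavioral detection described here and in the ADHD section above (document applications making external connections) can be expressed as a small rule over endpoint network telemetry. The following is an added example, not code from BHIS, ADHD or the webcast; the event records are constructed samples shaped like Sysmon Event ID 3 fields, and the `ALLOWED_EXTERNAL` range is a hypothetical placeholder allowlist.

```python
import ipaddress

# Constructed sample events shaped like Sysmon Event ID 3 (network connection) fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\alice", "DestinationIp": "10.20.30.40", "DestinationPort": 445},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\alice", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "User": "CORP\\bob", "DestinationIp": "198.51.100.5", "DestinationPort": 80},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "User": "CORP\\alice", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\bob", "DestinationIp": "203.0.113.50", "DestinationPort": 443},
]

# Document-processing binaries with no routine reason to reach the internet directly.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Address space treated as internal; anything else counts as an external callback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Hypothetical allowlist of sanctioned external destinations (placeholder range).
ALLOWED_EXTERNAL = [ipaddress.ip_network("203.0.113.48/28")]


def classify_destination(ip_str):
    """Return 'internal', 'allowed' or 'external' for a destination address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if any(ip in net for net in ALLOWED_EXTERNAL):
        return "allowed"
    return "external"


def detect_office_egress(events):
    """Flag connections from document apps to unsanctioned external hosts.

    This is the beacon pattern a Word Web Bug, or any document that loads
    external content, produces when it is opened."""
    findings = []
    for ev in events:
        process = ev["Image"].rsplit("\\", 1)[-1].lower()
        if process in DOCUMENT_APPS and classify_destination(ev["DestinationIp"]) == "external":
            findings.append((process, ev["User"],
                             f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return findings
```

Run against the samples, the internal SMB connection, the browser connection and the allowlisted destination are ignored, leaving the two Office-to-internet connections as findings.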
## Mitigation Strategies
- Strict egress filtering to prevent internal systems from initiating connections to unknown or unusual external IP addresses.
- Rigorous validation of all external content loaded by productivity software.
## Related Tools/Techniques
- **ADHD** (Utilizes Word Web Bugs, a type of honey token).
- **Cyber Deception** (The broader field).