Threat Intelligence Blog

Posted March 22, 2018

Organizations are faced with threats that range from annoyances to more sophisticated threats crafted by an adversary with intention and forethought on their objectives. The prevalence of exploit kits and malware and botnet toolkits being shared by bad actors across the Internet and Dark Net makes it easier for actors to build more sophisticated threats.

How can security teams disrupt adversarial activities more effectively?

It is no longer enough for our threat response to focus solely on detection and blocking. We need cyber defenses that will disrupt the threat activities of an adversary.

Security teams have adopted a multi-faceted security infrastructure consisting of firewalls, IDS/IPS, content-inspection, and behavioral analytics defense systems. This layered defense strategy provides protection for the majority of detectable threats that are found using a combination of signature-based and non-signature-based detection mechanisms.

An active defense posture builds on this foundation to disrupt threat activities of the adversary; it examines how an adversary may progress through a cyber kill chain and how we can impact the adversary, causing them to pivot to new TTPs or a different target entirely.

Figure 1: Typical actor activities during kill-chain progression

Figure 1: Typical actor activities during kill-chain progression

Increasing the time it takes for the adversary to progress through the kill-chain, the expertise required to launch a cyber attack, and ultimately the cost to execute should be additional security objectives.

Many solutions focus solely on one phase of the kill chain such as detecting or blocking C2 communications. But I recommend a broad-based approach to disruptive cyber defense mechanisms that can be applied across all aspects of the kill chain. For example, which phase of the kill chain are we disrupting? Which aspect of progression will have the most impact on the adversary?

Figure 2: Where disruptive techniques can be applied

Figure 2: Where disruptive techniques can be applied

There are two disruptive approaches to consider adding to your response strategy.


Camouflage: the act, means, or result of obscuring things to deceive an enemy by painting or screening objects so that they are lost to view in the background, or by making up objects that from a distance have the appearance of fortifications.




Deception: to mislead by a false appearance or statement.



Applying both of these techniques to cyber defense strategy can help:

  • Predicting Attacks
    • Ability to gather low-false positive threat intelligence on adversary tactics, indicators…etc.
    • Ability to more easily understand goals, motives, intent
  • Detecting Activities
    • Ability to gather more advanced detection when other protections fail
    • Early alerting and notification to operations without impact to business-critical systems
  • Disrupting & Responding
    • Easily engage with attackers and their TTPs
    • Easy reconnaissance on the attacks
    • Manipulation of behaviors and interactions that confuse, delay, or interrupt attacker’s activities
    • Increase the cost, expertise required, and impact on the attacker

There are at least two areas to apply camouflage and deception activities:

  • Network-Based
    • Interact with TTPs within the network (e.g. routers, firewalls, proxies)
  • Network-Endpoint-Based
    • Interact with TTPs at the endpoint systems (e.g. laptop, mobile, servers)


Network-Based Camouflage: Camouflaging unpatched servers from vulnerability discovery

Many IT & security teams are often unable to keep up with the continuous challenge of maintaining software patch levels on all servers (both external and internal). In some cases, there are business process impacts that must be considered before the team maintaining the server pushes an update to the operating system or application stack running on the server. These necessarily impact the velocity of patch updates and therefore while those decisions are being considered the servers may remain vulnerable to being exploited.

Network-based camouflage is another way to protects against certain types of vulnerabilities. This method involves obfuscation and camouflage by an intermediary network system configured to do so based on threat intelligence on the vulnerabilities and TTPs that may be used to exploit the vulnerability.

For example, the ROBOT vulnerability is a vulnerability of TLS Cipher settings that can be camouflaged as shown in the diagram below:

Figure 3. ROBOT Vulnerability Camouflage

Figure 3. ROBOT Vulnerability Camouflage


Network-Endpoint Deception Example: Server Decoys

In addition to camouflaging vulnerabilities on servers and endpoints, security teams can leverage deception techniques. This involves running various decoy systems that impersonate legitimate systems in an organization’s network that can act as an enticement to actors that may have be attempting to breach the perimeter or already have. The endpoint decoy can provide vital insight to the TTPs performed by those actors. As shown below, the decoys can be provisioned to provide attractive results for an adversary to explore and ultimately spend time considering the false information provided by the decoy. This increases the time the adversary is being watched and can provide useful intelligence on their objectives and ultimate goal.

Figure 4. Endpoint System Decoy

Figure 4. Endpoint System Decoy

There are other defense techniques that can leverage these two capabilities in useful and interesting ways and also extend the camouflage and deception options available to security teams. If you are considering threat responses beyond traditional mitigation steps in your environment I hope you found this background useful. To learn more about LookingGlass’ use of camouflage and deception techniques for threat mitigation, please contact me at @tweet_a_t or @LG_Cyber.


Additional Posts

Weekly Threat Intelligence Brief: March 27, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest ...

Weekly Phishing Report: March 20, 2018

The following data offers a snapshot into the weekly trends of the top industries being targeted by ...