Improve Detection using HoneyCreds

Perhaps you have heard of the MIT CSAIL AI2 program and the claim of detecting 85% of attacks. According to Wired, the program uses logs, which means the attack has already happened. It will probably be a while before we can download Open AI2, so until then we need a strategy to better detect attacks. Increasing defenders are turning to variations of a HoneyCred system.  According to an excellent GIAC Gold paper authored by Scott Smith:

"Honey credentials (or HoneyCreds, Honey Hashes, and/or Canary Credentials, 
depending on whom you ask) are a relatively new application of the Honeytoken concept
that has gained traction in web-facing login security.  As the frequency and sophistication 
of brute-force attacks has increased, network administrators have taken to including faked logins and passwords within lists of legitimate credentials.  They are mixed with 
legitimate credentials, salted and hashed, and made readable by root only."

Another advantage is privileged accounts:

HoneyCreds may also be used to prohibit remote access from super/elevated 
privilege users.  Since root or administrator accounts should never be able to login via 
web services, an attempt of their logging in is a likely an indicator of attack.  A DenyAll 
ruleset can be written in these cases, with logging of all attempted passwords for later 
review. 

 Much of the material in Scott's paper is based on an Internet Storm Center blog post by Mark Baggett, (Twitter:@markbaggett) using the runas command:

First, I ran the following command to create a fake microsoft.com administrator record:
runas /user:microsoft.com\administrator /netonly cmd.exe

Then, when prompted for the microsoft.com administrator I can provide any password that I want.  In this example I typed "superpass".

Here is what you type to create those credentials.
runas /user:linux.org\root /netonly cmd.exe

Once again, when prompted for the root user's password, I can enter anything I want.  For this example I choose "notreallythepassword".   NOTE: You will need to leave those command prompts running on your system to keep the credentials in memory.

Then Mark ran a tool called Mimikatz to dump clear text passwords from memory. The middle arrow is the admin account he created with admin and superpass.

You can learn more about Mimikatz and hash passing by watching Raphael Mudge's Youtube video on the topic.

If you are interested in learning how to automate this and other common tasks with Python then keep your eyes open for Mark's course, SEC 573, Python for penetration testers, it will run in Berlin in June and Vegas in September.  Attackers and Defenders will learn the essentials of Python, networking, regular expressions, interacting with websites, threading and much more.  This will prepare you to run and modify tools like OpenCanary. Plus, I have an inside tip Mark is planning to add a 6th day to the course to give even more tips for defenders.

HoneyCreds are an example of threat hunting. Rob Lee will be giving a talk on Threat Hunting August 2 at SANS Boston. Stephen Northcutt is an advisor for the SANS Technology Institute, a cyber-security graduate school and chair of the upcoming SANS Boston 2016, August 1 - 6 where he will be teaching MGT 512, Security Leadership Essentials.