Decoy credentials

Decoy credentials are a powerful tool in a deception team’s toolbelt because attackers love stealing credentials to further their attack. While different sources report differing percentages, research (1, 2, 3) indicates that stolen credentials account for up to 35% of initial compromises, and are found in some way in up to 77% of attacks. This post will explore ways defenders can exploit attackers’ reliance on stolen credentials to catch them more quickly.

Permanent Amazon Web Services (AWS) Application Programming Interface (API) decoy key

Permanent AWS API keys can be created using the IAM service. Permanent access key IDs start with the prefix AKIA, followed by the rest of the key content. In order to create a permanent API key, follow the steps below in the AWS console:

• Search for the IAM service and “IAM”
• Click “Users” » “Create User”
• Enter desired name and click “Next”
• Click “Next”
• Click “Create User”
• Click on the created user
• Click “Security Credentials” » “Create Access Key”
• Check “Command Line Interface” » “I understand…” » “Next”

Once the API keys are created, they need to be put in a place that an attacker might expect to find them. Most developers store their AWS API keys in one of two places: the credentials file in the .aws/ directory on their computer, or in environment variables. If keys are stored in either of those places, most tools that developers work with will “just work”, as the tools are configured to look in both places and use the keys it finds. Most attacker tools search those same locations for keys they can steal.

In some ways, these API keys are in no way different from any other API key created in the AWS console. However, if the key is created solely for the purposes of being stolen and used, any attempt at using it should be treated like an alert. This allows a security team to create API keys that look real - because in a sense they are real - but should never be used. With this in mind, the key can be given limited (ideally zero) permissions, rendering it harmless if it is stolen. Then the team can monitor AWS logs in CloudTrail and treat any log containing that key as an indicator of malicious activity.

The reason decoy credentials are so helpful in detecting security incidents is that they are so specific. CloudTrail logs are often incredibly noisy; even a small AWS environment generates hundreds to thousands of logs per minute. Because there is no legitimate reason the decoy keys should be used, instead of looking through thousands of logs and trying to determine which ones make sense given the context of the environment, decoy keys allow SOC analysts to operate on the knowledge that any log involving the decoy is suspicious.

Temporary AWS decoy key

While permanent AWS API keys can be effective as decoys, they may not “fit in” to an organization’s engineering practices. Permanent API keys, as their name suggests, do not expire; this means if they are stolen, they can be abused by attackers until and unless they are deleted. To address the risk permanent API keys pose to its customers, Amazon created a service that can create API keys that expire after a set amount of time. Many security-conscious organizations prefer these API keys because they limit the amount of damage an attacker could do with the keys; the total lifetime of the key, minus the time between its creation and an attacker stealing it, leaves the attacker a limited amount of time to abuse the key’s permissions. Temporary access keys begin with the prefix ASIA (as opposed to the aforementioned AKIA for permanent keys) which makes them immediately recognizable to attackers familiar with AWS. While the process to create a temporary AWS API key is a little more involved, its steps are listed below:

• Search for the IAM service and “IAM”
• Click “Users” » “Create User”
• Enter desired name and click “Next”
• Click “Next”
• Click “Create User”
• Click “Roles” » " Create Role"
• Click “Custom Trust Policy” » “AssumeRole” » “Add”
• Select “IAM Users”, enter account and user information, click “Add Principal”
• Click “Next”
• Click “Users” » created user
• Click “Add Permission” » “Create Inline Policy”
• Search for “assume”, click “AssumeRole”, click “Specific”, click “Add ARNs to restrict access”
• Enter account information, click “Add ARNs”
• Using the awscli tool in a terminal or command prompt, enter the command aws sts assume-role –-role-arn "arn:aws:iam::ACCOUNT_NUM:role/ROLE_NAME" -–role-session-name "SESSION_NAME"

Other than the creation process and the key prefix, permanent and temporary AWS keys are mostly the same. They are still typically stored in either the credential file in the .aws/ directory, or in environment variables, as shown below.

The process of using the keys and monitoring AWS logs for malicious activity is the same as before. Screenshots demonstrating the temprary key’s use and the resulting logs are shown below.

Putting it all together

The steps shown above can be automated as an in-house decoy creation tool. Alternatively, commercial products offer ways to deploy decoy keys to a machine. Some products only support permanent keys, others support temporary keys; which product is best will depend on what types of decoy keys make the most sense to deploy in an organization’s environment. By combining an in-house or commercial decoy creation tool with an organization’s fleet management tool, decoy tokens can be placed in strategic locations across an entire fleet in a matter of minutes. This can enable a security team to quickly and efficiently pinpoint the source of a compromise in the event an attacker uses one.

AWS is just one of nearly endless platforms whose API keys could be used as decoys. Deception teams should pay special attention to how an application’s keys are normally stored and used, and should plant decoys in places as close to “normal” as possible to ensure that attackers discover them during the internal reconnaissance phase of their attacks. While future posts might explore alternatives to AWS for API key decoys, the strategy of creating and monitoring key use can be a very effective way to detect attackers.