The Attacking Active Directory Game - Can you outsmart the Machine Learning model? Help us by playing the evasion game!

The “Attacking Active Directory Game” is part of a project where our researcher Ondrej Lukas developed a way to create fake Active Directory (AD) users as honey-tokens to detect attacks. His machine learning model was trained on real AD structures and can create a completely new fake user that is strategically placed in the structure of a company.

Hidden and waiting to be used, these honey-users are meant to serve as detections when attackers choose them to advance their attacks. Anyone using a honey-user is considered an attacker.

Your goal in the game is to attack a real AD system and choose users from the AD structure to accomplish the next step in your attack. The purpose of the game is to help us evaluate how well our honey-users are placed. If you pick a real user, you win because you are not detected; if you pick a honey-user, you lose because you were detected.

Would you be able to spot which users are real and which are generated? Try it now at the bottom of the page and help us with the research.

Why did you create the game?

To estimate the quality of a machine learning model, you usually use ground-truth labels to compute several metric functions. In the case of an AD structure with fake users generated by a generative ML model, there are no ground-truth labels.

With such generative models, a popular approach is to compare the generated object with others from the domain and evaluate how similar they are. This measurement tells us whether our model generates AD graphs similar to the real ones, but it is not enough to know whether the honey-users are well placed. In the Active Directory Honeypot project, we therefore need to take this evaluation one step further, as the generated objects are meant to trick the human decision process. In order to evaluate our model from the security perspective, we need to let human attackers interact with the generated AD structures and monitor that interaction.

Threat Model

Active Directory (AD) is a core component of Windows Server infrastructure. It holds sensitive data about users, devices, access rights, and other resources within the environment. For that reason, it is a highly valuable target inside a Windows Server environment. Most defense mechanisms focus on preventing attacks from the outside world. While detecting and mitigating such threats is a difficult task, when it comes to attacks from the inside, the complexity is even higher. Because of the design of AD, any member of the domain can read the content of the AD without having to obtain special privileges. Therefore, breaching any account can result in access to plenty of sensitive data and additional information for further attack planning. Such an approach is referred to as AD reconnaissance. Once attackers gain access to an unprivileged account, they can use it to move laterally within the domain towards more valuable targets and subsequently towards complete control over the organization. Detection of such attacks is incredibly difficult, as it is almost impossible to differentiate between the malicious activity of the attackers and the benign interaction between normal users and the AD. We proposed a honeypot-based approach for the detection of intruders in the AD.

How can honeypots help to mitigate this danger?

Honeypots are a well-known form of passive security measure. They come in various forms and shapes, but the main principle is always the same: it is a tool, service or token which imitates the real objects in the environment and which triggers an alert upon interaction. By design, no benign user should ever interact with the honeypot, which means that anybody in contact with it is directly marked as an intruder. One of the benefits of honeypots is that they are easy to deploy and maintain. However, being decoy targets, the success or failure of a honeypot depends on its ability to hide its true nature until the alarm is triggered. Once the attacker finds out that the honeypot is not a legitimate object, they can avoid it, which results in no detections. Therefore, the objective when deploying honeypots is to minimize the probability of being discovered while maximizing the chance of interaction. In the context of AD, this means placing the honeypot such that its positioning makes the intruder believe it is a high-value target worth interacting with.
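The threat model and the honeypot principle above come down to one detection rule: a honey-user is never used by anyone legitimate, so any authentication or logon involving it is an alert. The following is an added example of that rule, written for this page and not code from the AD-Honeypot project. It assumes the honey-user names (constructed here) are known to the detector, and it keys off the Windows Security events in which `TargetUserName` names the account being used (Kerberos 4768/4769/4771 and logon 4624/4625), because plain LDAP reads of the directory are not audited by default. The event records are constructed JSON lines that follow the real field names; the values are made up.

```python
"""Honey-user interaction detector (added example, not the AD-Honeypot project's code)."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Security event IDs in which TargetUserName is the account being requested
# or used: 4768/4769 Kerberos TGT and service ticket, 4771 Kerberos
# pre-authentication failure, 4624/4625 successful and failed logon.
WATCHED_EVENT_IDS = {4768, 4769, 4771, 4624, 4625}

# Constructed honey-user names (hypothetical); in a deployment this set would
# be the accounts the generator placed into the domain.
HONEY_USERS = {"svc_backup2", "j.novak.admin"}

# Constructed sample events in JSON-lines form, as a log forwarder might emit
# the Security channel. Field names follow the real events; values are made up.
SAMPLE_EVENTS = r"""
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.15"}
{"EventID": 4769, "TargetUserName": "CORP\\svc_backup2", "IpAddress": "10.0.0.77"}
{"EventID": 4624, "TargetUserName": "J.Novak.Admin@corp.local", "IpAddress": "10.0.0.77"}
{"EventID": 4634, "TargetUserName": "svc_backup2", "IpAddress": "10.0.0.77"}
{"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.31"}
"""


@dataclass(frozen=True)
class HoneyAlert:
    event_id: int
    account: str
    source_ip: str


def parse_json_lines(text: str) -> List[Dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_account(name: str) -> str:
    """Reduce DOMAIN\\user, user@realm and mixed case to a bare lower-case
    sAMAccountName, since AD account names are case-insensitive and the
    same account appears in all three forms across the watched events."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def detect_honey_interactions(events: Iterable[Dict], honey_users: Set[str]) -> List[HoneyAlert]:
    """Return one alert per watched event whose target account is a honey-user.
    Events outside WATCHED_EVENT_IDS (e.g. 4634 logoff) are ignored: the logon
    that preceded them already produced the alert."""
    honey = {normalize_account(u) for u in honey_users}
    alerts: List[HoneyAlert] = []
    for ev in events:
        if ev.get("EventID") not in WATCHED_EVENT_IDS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account in honey:
            alerts.append(HoneyAlert(ev["EventID"], account, ev.get("IpAddress", "-")))
    return alerts


def alerts_by_source(alerts: Iterable[HoneyAlert]) -> Dict[str, int]:
    """Count alerts per source address; a host touching several honey-users
    is the strongest signal of reconnaissance in progress."""
    return dict(Counter(a.source_ip for a in alerts))


def run_demo() -> int:
    events = parse_json_lines(SAMPLE_EVENTS)
    alerts = detect_honey_interactions(events, HONEY_USERS)
    for a in alerts:
        print(f"ALERT event={a.event_id} honey_user={a.account} from={a.source_ip}")
    print("per source:", alerts_by_source(alerts))
    return len(alerts)


if __name__ == "__main__":
    run_demo()
```

On the constructed input the detector raises two alerts, both from 10.0.0.77: the service-ticket request for `svc_backup2` (written with a domain prefix) and the logon of `J.Novak.Admin@corp.local` (mixed case, UPN form). The logoff event for the same honey-user is deliberately not counted, and the two real users produce nothing, which is the "no benign interaction" property the text relies on.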

Placing Honeypots with Machine Learning

In our AD Honeypot project, we use the power of graph neural networks to analyze the complex structure of the AD graph and determine where honeypots should be placed. The proposed model is able to produce placements with the same mathematical properties as the original structures. In other words, the positioning of the honey-tokens is meaningful in the context of the underlying structure, which fulfils the first condition of a successful honeypot: remain undetected. As for the second objective, attracting the intruder’s attention, such a quality is impossible to measure with a metric, as it is dependent on the decision-making process of a rational attacker and other external factors. Such evaluation is the core part of our Evasion Game.

The Evasion Game - Humans vs Machine Learning Model

In our “Attacking Active Directory Game", the participants are given access to an unprivileged user in a real Active Directory server of a small organization, which is enriched with several honey-tokens. Each participant plays the role of the intruder and as such must perform an AD recon attack while remaining undetected. The goal of the game is to pick the best three users from the AD to fulfil three attacks. Each participant starts with a credit of 3 USD (for real) and is asked to achieve three different objectives. For each objective, the attacker should choose a user from the AD domain. If the attacker selects a user which is unsuitable for the objective or is a honeypot, they lose 1 USD. Otherwise, they keep the credit. Upon finishing all three objectives, any remaining credit will be given to the Save the Elephants Fund. The main goal of the experiment is to evaluate the proposed model's output in a real-world scenario with rational attackers.


I want to play!

To play the game and help us and the elephants, fill in this form and use the data we will send you by email.

Please, do not attack vulnerabilities in the AD server, only query it to gain information about the structure.

This experiment is part of the Active Directory Honeypot framework. AD-Honeypot is a project focusing on improving the security of the Active Directory environment by providing early warning capabilities for attacks from inside of the organization.