30.03.2020
Deception technology explained
The term Deception technology may be unknown or obscure to you, and that is perfectly normal considering it refers to one of the latest trends in the cybersecurity field. Its concepts are however quite intuitive and easy to understand, and build on other well-known technologies such as honeypots.
Basic idea
To put it simply, imagine you leave something in your enterprise network that will seem attractive to any malicious actor, but that is booby-trapped in some way. Now hide it a little, so that only people who are tech-savvy and specifically looking for interesting or out-of-place data can find it. For example, a file named DomainPasswords.xlsx containing fake credentials. Keep the people in charge of IT for this enterprise informed of the presence of this decoy. Then, just wait for somebody to trigger it. And voilà! Should the trap be sprung, the probability of a false positive is very low, and the person caught is most likely nefarious.
So, what is it about exactly?
All the fake assets and simulated services together make up the deception technology. We can group them into the following classes:
- Honeypots
- Honey-tokens
- And the data that lures an attacker into the honeypots: the breadcrumbs
Honeypots are servers that seem to be part of the infrastructure, but are isolated and closely monitored. The literature also refers to honeypots as decoys. They can take several forms: their operating systems can vary, as can the services shown to the attacker. These honeypots can provide either low or high interaction. A low-interaction honeypot only emulates the legitimate services that a given server is expected to run, accepting just the most basic commands. This makes the honeypot more secure, but it also reduces the information that can be gathered from the attackers. On the other hand, a high-interaction honeypot runs the full-fledged service, recording all the attacker's actions to give the security analysts detailed data on an ongoing attack. These high-interaction services come with a higher security risk and maintenance cost.
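To make the low-interaction idea concrete, here is an added example (not code from the original post): a tiny fake login-and-shell service over TCP. It never executes anything; it accepts any password, answers a handful of harmless commands with canned strings, refuses everything else, and records every line the peer sends as a JSON event for the log collector. The hostname, banner and canned outputs are constructed for the example.

```python
"""Minimal low-interaction honeypot: a fake login prompt and shell over TCP.

Every line the peer sends is recorded; only a few harmless commands get a
canned reply, everything else is refused. Names and banner are constructed.
"""
import json
import socket
import time

HOSTNAME = "fileserver01"  # constructed decoy hostname
BANNER = f"Ubuntu 18.04.4 LTS {HOSTNAME} tty1\n\n{HOSTNAME} login: "

# The only commands the decoy "understands"; the answers are static strings.
CANNED = {
    "whoami": "root",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "hostname": HOSTNAME,
    "uname -a": f"Linux {HOSTNAME} 4.15.0-76-generic #86-Ubuntu SMP x86_64 GNU/Linux",
}


class FakeShell:
    """Per-connection state machine: login -> password -> shell. No sockets here."""

    def __init__(self, peer):
        self.peer = peer            # "ip:port" of the remote side, for the log
        self.state = "login"
        self.username = ""
        self.events = []            # one record per line received

    def prompt(self):
        return f"{self.username}@{HOSTNAME}:~$ "

    def feed(self, line):
        """Consume one line from the peer and return (reply, keep_open)."""
        line = line.rstrip("\r\n")
        self.events.append({"ts": time.time(), "peer": self.peer,
                            "state": self.state, "input": line})
        if self.state == "login":
            self.username = line or "unknown"
            self.state = "password"
            return "Password: ", True
        if self.state == "password":
            # Any password is accepted: the decoy exists to observe, not to authenticate.
            self.state = "shell"
            return "\n" + self.prompt(), True
        if line in ("exit", "logout"):
            return "logout\n", False
        if line == "":
            return self.prompt(), True
        if line in CANNED:
            return f"{CANNED[line]}\n{self.prompt()}", True
        # Unknown command: refuse it, but it has already been logged above.
        cmd = line.split(" ", 1)[0]
        return f"-bash: {cmd}: command not found\n{self.prompt()}", True


def handle_connection(conn, peer):
    """Drive one TCP connection through FakeShell and emit its events as JSON lines."""
    shell = FakeShell(peer)
    buf = b""
    try:
        conn.sendall(BANNER.encode())
        while True:
            data = conn.recv(1024)
            if not data:
                break
            buf += data
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                reply, keep_open = shell.feed(raw.decode("utf-8", "replace"))
                conn.sendall(reply.encode())
                if not keep_open:
                    return shell.events
    except OSError:
        pass
    finally:
        conn.close()
        for event in shell.events:
            print(json.dumps(event))   # ship to the log collector
    return shell.events


def serve(bind="127.0.0.1", port=2323):
    """Listen on a non-privileged port; in practice a port redirect exposes it as the real service."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(5)
        while True:
            conn, addr = srv.accept()
            handle_connection(conn, f"{addr[0]}:{addr[1]}")


if __name__ == "__main__":
    serve()
```

The protocol logic lives in `FakeShell.feed` so it can be exercised without a network; `handle_connection` is the thin socket wrapper. The "command not found" reply for anything outside `CANNED` is exactly the low-interaction trade-off the paragraph describes: safe, because nothing is really run, but an attacker who types a less basic command learns quickly that the shell is shallow.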
Honey-tokens are conspicuous data dropped in sensitive areas of a network. One particularity is that they are stand-alone decoys and require little to no backend at all to work. Attackers who try to exploit this data are tricked into sending information about themselves to the log management system. These honey-tokens often take the form of Office or PDF files on network shares or workstations, containing for example fake credentials, or crafted metadata that makes the Office application open a network connection to a monitored service.
The breadcrumbs are data deployed on real assets that will lead an inquiring attacker to the honeypots. For example, simple DNS names hinting at high-value targets but whose records actually point to the honeypot. Or fake admin credentials or password hashes injected into the LSASS process, which, when discovered and used by the attackers, will generate an alert; these are called honey credentials. Connection shortcuts (RDP) can also be used for the same purpose.
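The honey-tokens and honey credentials of the two paragraphs above only pay off if something watches for their use. The following added example (not from the original post) shows that detection side: a small scanner over normalized Windows security events that raises an alert whenever a decoy account name appears in an authentication event, or the decoy document appears in an object-access event, and then groups the alerts by source to start localizing the intruder. The account names, file path, hostnames and log lines are constructed; the event IDs are the real Windows IDs for NTLM credential validation (4776), Kerberos TGT request (4768), logon (4624) and object access (4663), but the field names are a simplified form, not the raw event schema. The one benign case handled is the deception management host refreshing its own decoys, which is suppressed rather than alerted.

```python
"""Detection side of honey-tokens and honey credentials: flag any use of a
decoy account or decoy file in authentication / object-access events.

Account names, file path, hostnames and log lines are constructed. The event
IDs are Windows security event IDs, the field names a simplified form.
"""
import json

HONEY_ACCOUNTS = {"svc_backup_admin", "da_helpdesk"}      # constructed honey credentials
HONEY_FILES = {r"\\fs01\finance\DomainPasswords.xlsx"}    # constructed honey-token document
DEPLOY_HOSTS = {"DECEPTION-MGMT"}  # host that plants/refreshes decoys: its touches are expected

# Constructed sample events, one JSON object per line (raw string keeps the backslashes).
SAMPLE_LOG = r"""
{"EventID": 4624, "User": "j.doe", "Host": "WS-0101", "SrcIp": "10.1.4.21"}
{"EventID": 4776, "User": "DA_HELPDESK", "Host": "WS-0412", "SrcIp": "10.1.7.55", "Status": "0xC000006A"}
{"EventID": 4663, "User": "svc_deploy", "Host": "DECEPTION-MGMT", "SrcIp": "10.1.1.9", "Object": "\\\\fs01\\finance\\DomainPasswords.xlsx"}
{"EventID": 4663, "User": "j.doe", "Host": "WS-0412", "SrcIp": "10.1.7.55", "Object": "\\\\fs01\\finance\\DomainPasswords.xlsx"}
{"EventID": 4768, "User": "svc_backup_admin", "Host": "WS-0412", "SrcIp": "10.1.7.55"}
{"EventID": 4624, "User": "svc_backup", "Host": "SRV-BK01", "SrcIp": "10.1.2.3"}
"""

_HONEY_FILES_LC = {p.lower() for p in HONEY_FILES}


def classify(event):
    """Return an alert dict if the event touches a decoy, else None."""
    user = str(event.get("User", "")).lower()
    obj = str(event.get("Object", "")).lower()
    host = event.get("Host", "")
    if user in HONEY_ACCOUNTS:
        kind = "honey-credential-use"   # no legitimate process knows this account exists
    elif obj in _HONEY_FILES_LC:
        kind = "honey-file-access"      # the decoy document was opened or copied
    else:
        return None
    return {
        "kind": kind,
        "event_id": event.get("EventID"),
        "user": event.get("User"),
        "host": host,
        "src_ip": event.get("SrcIp"),
        # The deployment host refreshing its own decoys is the one known benign case.
        "suppressed": host in DEPLOY_HOSTS,
    }


def scan(log_text):
    """Run classify over JSON-lines log text; return the non-suppressed alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = classify(json.loads(line))
        if alert and not alert["suppressed"]:
            alerts.append(alert)
    return alerts


def pivot(alerts):
    """Group alerts by (host, source IP): the analyst's first step to localize the intruder."""
    by_source = {}
    for alert in alerts:
        by_source.setdefault((alert["host"], alert["src_ip"]), []).append(alert["kind"])
    return by_source


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(json.dumps(alert))
    print(pivot(found))
```

Two details matter in practice. Matching is exact (after case folding), so the real account `svc_backup` in the sample does not fire on the decoy `svc_backup_admin`; a substring match would turn the decoy into a false-positive generator. And a failed validation (the 4776 with a non-zero status) alerts just like a successful one, because the decoy password is wrong by design: the attempt itself is the signal.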
A classic sequence when detecting an intrusion with deception is the following:
- Installation of the deception item
- An attacker manages to breach the company network
- The attacker triggers a deception item
- The analysts receive an alert which is very likely a true positive
- The analysts extract relevant information from the alert and locate the attacker
- The attacker is stopped