Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Using Deception to Fight Cyber-Crime

Deception technologies, often referred to as Decoys, Honeypots, and Red Herrings, are assets that have been specifically set up to attract, deceive and discourage cyber-criminals. Such assets may include servers, files, databases, applications, emails, user accounts, unused IP addresses, and so on. When these assets are accessed in some way, a real-time alert is sent to the administrators, or alternatively, an automated response can be initiated.

Deception technologies can be great for detecting new or undocumented threats, as well as providing invaluable insights into the movements and trends of cyber-criminals. Technologies such as Honeypots are relatively cheap and easy to deploy, regardless of the environment you are using. For example, if you are using Active Directory, you could start by simply renaming the default Administrator account and then creating a new (fake) account with the username “Administrator”. You will then need to enable auditing in Active Directory. However, native auditing in AD has a number of drawbacks when it comes to alerting on specific changes in real time.

As such, it would be better to use a change auditing solution for monitoring access to the Honeypot. Alternatively, you could install a specialized deception solution; however, many vendors leave the industry within a couple of years, as it is not a particularly lucrative field.
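Whichever tooling does the monitoring, the alerting rule for the decoy account is simple. The following Python is an added example (not Lepide's code or part of the original post): because the real built-in Administrator has been renamed, every authentication event that names “Administrator” is an attempt against the decoy. The event records and the maintainer host name MGMT01 are constructed for the example.

```python
"""Added example, not from the Lepide post: alert on every authentication event
that names the decoy "Administrator" account. Assumes the real built-in
Administrator has been renamed, so any event for that name targets the decoy.
Field names follow the Windows Security log; the records are constructed."""
from dataclasses import dataclass
from typing import Optional

DECOY_ACCOUNT = "Administrator"   # the fake account created after the rename
MAINTAINER_HOSTS = {"MGMT01"}     # hypothetical host of the one maintainer

# Events that carry a TargetUserName and mean someone tried to use the account
WATCHED_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
    4740: "account locked out",
}

@dataclass
class Alert:
    severity: str
    event_id: int
    source_host: str
    summary: str

def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if the event touches the decoy account, else None."""
    eid, target = ev.get("EventID"), ev.get("TargetUserName", "")
    if eid not in WATCHED_EVENTS or target.lower() != DECOY_ACCOUNT.lower():
        return None
    host = ev.get("WorkstationName") or ev.get("IpAddress") or "unknown"
    if host in MAINTAINER_HOSTS:          # expected maintenance, still recorded
        severity = "info"
    elif eid == 4624:                     # someone actually got in: worst case
        severity = "critical"
    else:                                 # probing or failed attempts
        severity = "high"
    return Alert(severity, eid, host,
                 f"{WATCHED_EVENTS[eid]} for decoy '{target}' from {host}")

def scan(events: list) -> list:
    """Run every event through check_event and keep the alerts, in order."""
    return [a for a in map(check_event, events) if a is not None]

SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 4624, "TargetUserName": "jsmith", "WorkstationName": "WS42", "IpAddress": "10.0.0.42"},
    {"EventID": 4625, "TargetUserName": "Administrator", "WorkstationName": "WS77", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "TargetUserName": "administrator", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TargetUserName": "Administrator", "WorkstationName": "MGMT01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "Administrator", "WorkstationName": "WS77", "IpAddress": "10.0.0.77"},
]
```

Running `scan(SAMPLE_EVENTS)` yields four alerts: two high (the failed logon and the Kerberos request from 10.0.0.77), one info (the maintainer's logon) and one critical (a successful logon from WS77).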

DCAP (Data-Centric Audit & Protection) solutions provide a suite of tools that are designed to detect, alert and respond to anomalous events in real-time. Since these tools are used to monitor user events with or without the use of Honeypots, they are more likely to be supported in the future.

While Honeypots may be technically easy to set up, there are a few things you will need to consider when doing so. You will need to determine the reason(s) for deploying the Honeypot. Is it for early warning or forensic analysis? What type of assets are you focusing on? Who will maintain the Honeypot? How closely will you mimic real assets? Will you use real software or emulation?

Naturally, you don’t want to tell too many people about it. The Honeypot needs to be insecure enough to allow it to be hacked, but secure enough not to give the game away. It’s a good idea to mimic real assets and ports and ensure that any monitoring tools and their logs are hidden from the hacker. At least one person should have access to the decoy account, and they should be responsible for installing, configuring and maintaining it.

Organizations are constantly defending themselves against hackers. However, using Honeypots, it’s possible to turn the tables and beat them at their own game. After all, the last thing a hacker will expect is to download a copy of the “crown jewels” only to find that it contains malware, which installs itself on their device. This malware could include ransomware, trojans or spyware, such as keyboard loggers. It might even be possible to use a form of malware to expose the hackers’ true identity. Another technique employed by security experts is to trap the hacker in a “Tar pit” – otherwise known as a “Sticky Honeypot”. In simple terms, a “Tar pit” introduces delays to network connections, which is designed to slow the attacker down in the hope that they become fatigued and give up.

Given the obvious benefits that deception technologies can bring, it is surprisingly uncommon to see them being used. Instead of always being on the back foot, isn’t it time we fought back?