Deception strategies are nothing new and have been used in mature Security Operations Centre (SOC) organisations for years. Although their principles and techniques have not evolved much over the years, they remain proven to be effective against new cyber threats.
Deception strategies are easily and quickly deployed and provide cost-effective detection of cyber threats moving across your network.
With digital transformation, “Bring Your Own Device” (BYOD) and IT/OT convergence, they have become particularly important, especially where you cannot install a detection solution on your endpoints.
In this publication, our SOC team will highlight the advantages and explain how to start with simple deception techniques such as canaries and honeypots. The publication is meant for IT organisations with limited resources in terms of cyber security expertise or budget. It is also meant for cyber security professionals looking to enrich their capabilities with tools they can use for detection purposes or during a cyber-attack.
Deception in cyber defence
Deception strategies are a set of technologies and techniques used in an IT environment with the objective of luring in an adversary.
For example, these technologies could let an attacker log in to a hardened and controlled environment that looks like a real one, and then let you capture every fraudulent action they perform there.
They are designed to appeal to adversaries, who are always looking for low-hanging fruit they can quickly exploit.
These ‘traps’ allow organisations to detect malicious activity by producing stronger signals than traditional solutions such as antivirus software, which often see nothing at all. For example, an attacker who has obtained valid domain credentials and connects from machine to machine to reach sensitive data runs no malware, so antivirus is blind to that activity.
The objective of such strategies is mainly twofold:
- Early detection of attackers that operate under the radar between the traditional lines of defence (endpoints and firewalls for example).
- Collecting intelligence on the attacker’s behaviour and therefore providing a more efficient response.
In an era where time and speed are key in the cyber war, deception is a crucial aspect for one simple reason: reducing the time that an attacker will spend targeting your most critical assets and remaining one step ahead of the adversary!
Indeed, when implementing deception technologies such as honeypots, you will distract the adversary from your valued critical assets. During this time, you will learn how they operate, have more time to prepare your response and be able to get one step ahead.
Secondly, deception allows you to detect suspicious behaviour on your network in the initial stages of a common attack scheme. In fact, it is especially useful during the discovery and lateral movement phases of an attack (cf. the MITRE ATT&CK framework).
There are plenty of different deception technologies, such as honeypots, service emulations, canaries and honeytokens. In our case, we will focus mainly on honeypots and canaries, as they are the most commonly used and are available both as open-source and commercial off-the-shelf solutions.
A honeypot is a computer security mechanism set up to detect and counteract attempts at unauthorised use of information systems. There are two types:
- Passive: nothing more than a lure (e.g., an open port).
- Active: gathers information from the attacker, updates firewalls and creates Indicators of Compromise (IoCs). Any action taken by the hacker is logged for later analysis.
There are also internal and external honeypots:
- Internal: designed to help identify insider threats and attackers who are already inside. They generate a manageable volume of logs and can easily help identify any unauthorised access.
- External: depending on the exposure of the honeypot, the volume of logs can become very large and may require additional modules (e.g. log correlation), but they help you understand a hacker’s behaviour. For example, you could create a honeypot subdomain to identify suspicious activity and then implement defence mechanisms on your real subdomains.
Be warned: an external honeypot needs to be isolated from the rest of your infrastructure, otherwise you risk letting the hacker in. In the case of an internal one, the hacker is already inside the network. It is therefore very important to take security into account during the set-up: in both cases, improper security and isolation could let the hacker gain a better foothold than they would have had without the honeypot.
Canaries are files placed in areas where a normal user would not go, with a token inserted inside the file. These files are monitored, and if a malicious actor opens one, an alert is triggered automatically. Although a canary does not collect logs for later use, it does give you the certainty that someone is accessing something they should not. For example, a file named "password.xls" placed on a desktop.
The main benefit of such a strategy is the return on investment (ROI). Indeed, these techniques are still very effective with a low investment in time and resources.
As mentioned already, if properly designed, they will keep attackers away from your real assets, alert your team and let them learn and adapt their response strategy.
Secondly, they are suited to both large and small organisations.
Finally, they are useful assets that will enrich your cyber security capabilities or SOC and help your analysts face an ongoing cyber-attack. However, they should not be considered a silver bullet and need to be integrated into a comprehensive cyber security strategy.
As mentioned at the beginning of the article, the main use cases for implementing deception are detection and investigations.
Therefore, they will most often be used:
- In real time: up and running on your network for detection purposes.
- During a cyber-attack: for gathering cyber intelligence (IoCs).
Because a honeypot is a standalone detection component, it is particularly helpful in environments where software cannot be installed on the information system.
While they can be deployed on any network, their value is even greater on networks with limited monitoring and event detection capabilities. Additionally, their portable and standalone design allows them to be deployed alongside your other services without impacting their performance.
Neither solution is costly, but their design is crucial: if they look suspicious, hackers will simply avoid them altogether. There is a wide range of solutions available to you; it all depends on your needs and resources.
Canaries are easy to deploy and, after an initial design, require no further effort: they simply serve as traps and alert you when someone accesses them. However, they cannot take automated action.
Example of free canaries: https://canarytokens.org/generate
Honeypots, on the other hand, can be more complex to put in place. They require implementing services and configuring them correctly. Depending on the volume of logs generated (e.g., an external honeypot will log actual attack attempts but also broad scanning from the Internet), you may need additional services. Typically, you use honeypots to emulate well-known services (e.g., web, FTP, remote desktop, file sharing, …) to lure in the hackers.
Example of tools: https://www.activecountermeasures.com/free-tools/adhd/
As mentioned previously, for these solutions to be effective they need to be properly set up, otherwise the hacker could gain access to your whole infrastructure. It is important to implement them properly, and cyber security experts can support you with this.
Secondly, you need to consider your resources. Honeypots collect logs, which can generate large volumes of data. You need to be able to collect and process these logs for them to be useful: they need to be imported into your SIEM and analysed to provide valuable information about the attacker and their behaviour.
These services can be outsourced to experts if you do not have the internal capabilities to manage them yourself.
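To make the honeypot discussion above concrete (service emulation, structured logging for your SIEM, and an alerting channel), here is an added example of a minimal low-interaction honeypot written for this article; it is not code from the original page or from any of the tools linked above. The FTP banner, the "ftp" service label, the event fields and the `probe()` helper are all assumptions: the listener greets the client, records only a bounded copy of the first line it receives, writes one JSON line per contact, and calls an alert callback.

```python
import json, socket, threading
from datetime import datetime, timezone

BANNER = b"220 files.corp.example FTP server ready\r\n"  # assumed lure; nothing legitimate should contact it
MAX_READ = 256  # keep only a bounded copy of what the client sent; never parse or act on it

def make_event(service, peer, payload):
    # One structured, JSON-friendly event per contact, ready for SIEM ingestion.
    return {"ts": datetime.now(timezone.utc).isoformat(), "sensor": "honeypot",
            "service": service, "src_ip": peer[0], "src_port": peer[1],
            "payload": payload[:MAX_READ].decode("ascii", "replace").strip(),
            "severity": "high"}  # any contact with a honeypot is suspicious by definition

class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, on_alert=None):
        self.events, self.on_alert = [], (on_alert or (lambda e: None))
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 asks the OS for a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def serve_one(self):
        # Greet, record at most one line, log it as JSON, alert, close; returns the event.
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(BANNER)
            try:
                data = conn.recv(MAX_READ)
            except OSError:  # silent scanner or timeout: still worth an event
                data = b""
        event = make_event("ftp", peer, data)
        self.events.append(event)
        self.on_alert(event)  # alerting channel (mail, SMS, chat, ...) plugs in here
        print(json.dumps(event))  # one JSON line per event for log shipping
        return event

    def close(self):
        self.sock.close()

def probe(port, line):
    # Constructed local client, run in a helper thread only to exercise the listener.
    def go():
        with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
            c.recv(128)  # read the banner
            c.sendall(line)
    threading.Thread(target=go, daemon=True).start()
```

For continuous operation, bind to a fixed port and call `serve_one()` in a loop, shipping the printed JSON lines to your SIEM; the example listens on loopback only, so exposing it on a real interface requires the isolation discussed above.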
When starting such a project, here are some points to verify:
- What kind of deceptive technique do you need?
- What are your critical assets and where do you need to deploy your deception solutions?
- If you want to deploy honeypots, what kind of services are the most relevant to emulate (HTTP, FTP, TELNET, …)?
- How long would you like to keep the logs?
- What should your alerting channel be (mail, SMS, Slack, …)?
- What computing resources do you need?
- Do you have the manpower to launch such a project?
- Do you have the manpower to review the alerts?
- Do you have a response plan in case of detection of suspicious activity?
How can we support you?
We can help your organisation to proactively implement deception techniques and technology and integrate them into a robust cyber defence program.
Deception is an integral component of our Managed Detection and Response (MDR) solutions operated 24x7 by our Security Operations Centre (SOC).
We also integrate these technologies within our Cyber Security Incident Response Team (CSIRT) solution. It allows us to quickly obtain valuable information on the adversary’s protocols, enabling our experts to define and execute an efficient containment and eradication strategy.