12/12/2018
02:30 PM

Deception: Honey vs. Real Environments

A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.

Deception technology offers defenders a rare advantage over adversaries by doing something that other forms of defense can't: providing early and accurate detection by planting a minefield of attractive decoys to trip up attackers. We've seen examples of this type of defense used by the FBI and other top law enforcement to catch criminals such as child pornographers and, more recently, perpetrators of egregious financial theft.

Decoys are designed to catch early-stage activity as the adversary looks to understand the network and how to find its target. I call this early stage of an attack "casing the joint," and my research has shown that interrupting this stage — ultimately, reducing the dwell time of a potential attack — is crucial to protecting data. Defenders can watch what is happening, learn more about the nature of the attack, and better understand the way that the attacker is moving through a network or even a cloud-based file share.

More organizations are starting to look at deception as a way to plug the gaps of existing deployed security solutions such as data loss prevention, encryption, access management, and user behavior analytics. But how can security teams determine which form of deception is the right one for their organizations? It's up to each organization to determine which deception approach makes the most sense for them.

Defining "Honey" Environments
Currently, most offerings in the deception market are focused on the buildout of complex honey environments, designed to lure attackers into fake systems to distract and track their behaviors.

A honeypot is a network-adjacent system set up to lure adversaries and to detect, deflect, or study hacking attempts. There are various types of honeypots, classified by the level of interaction they conduct with an intruder. When designed properly, honeypots are meant to prevent adversaries from accessing protected areas of an organization's operational network. A properly configured honeypot should have many of the same components of an organization's production system, especially data. Their most significant value is the information they can obtain on the behavior of the adversary and what the intent of the attacker is. Data that enters and leaves a honeypot allows security staff to gather information, such as the attacker's keystrokes or their attempted lateral moves throughout the fake honeypot system.

A honeynet is a network of multiple honeypots designed to simulate a real network. Essentially, they are large-scale network decoys that mimic a collection of typical servers that might be found on a business network. According to the SANS 2017 report, "The State of Honeypots: Understanding the Use of Honey Technologies Today," "Honeynets connect and interact in the same way a real network would — none of the connections between systems are emulated." On a scale of 1 to 10, with 10 being the most effective, users of honeypots surveyed in this SANS report rated honeynets at 7.5 in terms of overall effectiveness. Like honeypots, the biggest value of a honeynet deployment is the intelligence security teams can gather on attacker behavior.

When properly built and maintained, honey environments can provide valuable information about how the attacker moves around in a network in search of data to exfiltrate. But only if the attacker enters the honeynet. 

Honey Hardships
There are some significant challenges and shortcomings that make honey environments difficult to deploy, manage, and maintain. Before investing, you need to conduct a serious cost-benefit analysis.

First, while honey environments are built and maintained outside of the enterprise's operational environment, honeynets still require hackers to gain initial entry through the operational environment. Organizations must then hope that the breadcrumbs leading to the honey environment are convincing enough to actually lure the hacker. Also, once a hacker leaves the fake environment, there is no way of knowing if he or she re-enters the operational environment to continue an attack or what data they may have exfiltrated prior to tripping over a breadcrumb.

Second, the cost and resources required to create these environments can put a strain on security teams that are already overwhelmed by the number of security alerts and investigations they do on a daily basis. Organizations must establish an environment that mimics the operational environment in order to have any chance that attackers will believe it is real. Then, that environment must be maintained to keep it realistic. This level of investment and upkeep to make a honeynet work is no small commitment.

Third, there are limits to the usefulness of the data that honey environments can provide on adversaries. It's true that they are a good method for learning more about how attackers move throughout a system in search of data to steal, but they reveal little about the actual hacker and what happens to data once it has been stolen.

Finally, adversaries have become increasingly sophisticated in identifying "tells" in honey environments. Hackers who present any serious threat will often target specific IP addresses that they know are valid machines. If a hacker wants to identify any honeypots sitting on a corporate network (a process known as "fingerprinting"), it is easy to do because the machine will either have no outbound traffic, or the deceptive traffic will be contrived and not follow a normal usage pattern. For a honeynet to have any value, an intruder shouldn't be able to detect that he or she is on a fake system. The goal is to give the adversary a false sense of reality and a false sense of security that his or her actions are not being noticed or monitored.

Deception in the Real World
Deploying deception technology within operational and cloud environments allows security teams to detect and deceive attackers in the direct path to sensitive data instead of hoping they are lured away. Deployment of believable decoy documents inside operational networks provides all of the same benefits of honeypots and honeynets but negates the need to create and maintain fake environments.
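The following is an added example, not code from the article or from any vendor product: it shows how a decoy-document hit on an operational file share can become an alert that also lists which real files the same account touched before and after the hit. The log format, paths, account names, allowlist and 30-minute window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed file-share audit lines; format, accounts and paths are assumptions.
SAMPLE_LOG = """\
2018-12-03T02:00:05Z user=svc_backup host=bk-01 action=read path=/finance/q3/wire_instructions.docx
2018-12-03T09:12:44Z user=jlee host=ws-114 action=read path=/finance/q3/forecast.xlsx
2018-12-03T22:41:10Z user=mross host=ws-207 action=list path=/finance/q3/
2018-12-03T22:41:55Z user=mross host=ws-207 action=read path=/finance/q3/forecast.xlsx
2018-12-03T22:43:31Z user=mross host=ws-207 action=read path=/finance/q3/wire_instructions.docx
2018-12-03T22:47:08Z user=mross host=ws-207 action=read path=/hr/salaries.csv
2018-12-04T08:30:00Z user=mross host=ws-207 action=read path=/hr/handbook.pdf
"""
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
                     r"action=(?P<action>\S+) path=(?P<path>.+)")
DECOY_PATHS = {"/finance/q3/wire_instructions.docx"}  # planted decoy (hypothetical)
ALLOWLIST = {"svc_backup"}       # accounts expected to read every file
WINDOW = timedelta(minutes=30)   # context kept either side of a decoy hit

def parse(log):
    """Return audit events oldest first; lines not matching the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def decoy_alerts(events):
    """One alert per decoy touch, with the account's real-file activity around it."""
    alerts = []
    for hit in events:
        if hit["path"] not in DECOY_PATHS or hit["user"] in ALLOWLIST:
            continue
        near = [e for e in events
                if e["user"] == hit["user"] and e["path"] not in DECOY_PATHS
                and abs(e["ts"] - hit["ts"]) <= WINDOW]
        alerts.append({
            "user": hit["user"], "host": hit["host"],
            "decoy": hit["path"], "at": hit["ts"],
            "before": [e["path"] for e in near if e["ts"] < hit["ts"]],
            "after": [e["path"] for e in near if e["ts"] > hit["ts"]],
        })
    return alerts

if __name__ == "__main__":
    for alert in decoy_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Because the decoy sits on the same share as the real data, the same audit trail answers what was read before the decoy was tripped, which a separate honey environment cannot show.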

Deception that does not depend on honey environments can also be used to proactively fight back against hackers and leakers. Attackers rely on various tools for anonymity, and these tools often contribute to the success of bold attacks. Deception techniques not limited by fake environments can be used to pierce these tools and reveal attackers, often without their knowledge. This provides a unique advantage for organizations and law enforcement to hold hackers and leakers accountable.

Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has ...
Comments
StephenGiderson,
User Rank: Apprentice
1/11/2019 | 12:04:27 AM
Be careful of over-promise
There is the saying that goes "When something is too good to be true, it probably is" which should not be underestimated. When we are guaranteed overwhelming results for barely nothing, perhaps we are in too deep in a lie that could get difficult to run away from. We need to carefully sieve through real results against fake ones by being real and not expecting much more than what we have invested in.
SSTOLFO000,
User Rank: Apprentice
1/9/2019 | 11:26:10 AM
Re: Trap them all!
While the technique has been available for a while, and used effectively by government and law enforcement for years, technology to provide guaranteed signal in a stealthy manner was just introduced for commercial use in 2018. Here is a good overview of the evolution of the technology: https://info.alluresecurity.com/blog/canary-tokens-versus-patented-decoy-documents. You can also see how the technique of using a "booby-trapped" document was used effectively by the FBI as part of an active investigation here: https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal.
MarkSindone,
User Rank: Apprentice
1/9/2019 | 12:54:18 AM
Trap them all!
This is a really interesting way of describing a trap technique. I wonder how many hackers would fall for all of these honey traps laid around the system and if it's really such a success, then why aren't more facilities coming up with similar acting security units to prevent unauthorized access and hacking into their service networks...