Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/12/2018
02:30 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Deception: Honey vs. Real Environments

A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.

Deception technology is offering defenders the ability to finally gain a rare advantage over adversaries by doing something that other forms of defense can't: provide early and accurate detection by planting a minefield of attractive decoys to trip up attackers. We've seen examples of this type of defense used by the FBI and other top law enforcement to catch criminals such as child pornographers and, more recently, egregious financial theft.

Decoys are designed to catch early-stage activity as the adversary looks to understand the network and how to find its target. I call this early stage of an attack "casing the joint," and my research has shown that interrupting this stage — ultimately, reducing the dwell time of a potential attack — is crucial to protecting data. Defenders can watch what is happening, learn more about the nature of the attack, and better understand the way that the attacker is moving through a network or even a cloud-based file share.

More organizations are starting to look at deception as a way to plug the gaps of existing deployed security solutions such as data loss prevention, encryption, access management, and user behavior analytics. But how can security teams determine which form of deception is the right one for their organizations? It's up to each organization to determine which deception approach makes the most sense for them.

Defining "Honey" Environments
Currently, most offerings in the deception market are focused on the buildout of complex honey environments, designed to lure attackers into fake systems to distract and track their behaviors.

A honeypot is a network-adjacent system set up to lure adversaries and to detect, deflect, or study hacking attempts. There are various types of honeypots, classified by the level of interaction they conduct with an intruder. When designed properly, honeypots are meant to prevent adversaries from accessing protected areas of an organization's operational network. A properly configured honeypot should have many of the same components of an organization's production system, especially data. Their most significant value is the information they can obtain on the behavior of the adversary and what the intent of the attacker is. Data that enters and leaves a honeypot allows security staff to gather information, such as the attacker's keystrokes or their attempted lateral moves throughout the fake honeypot system.

A honeynet is a network of multiple honeypots designed to simulate a real network. Essentially, they are large-scale network decoys that mimic a collection of typical servers that might be found on a business network. According to the SANS 2017 report, "The State of Honeypots: Understanding the Use of Honey Technologies Today," "Honeynets connect and interact in the same way a real network would — none of the connections between systems are emulated." On a scale of 1 to10, with 10 being the most effective, users of honeypots surveyed in this SANS report rated honeynets at 7.5 in terms of overall effectiveness. Like honeypots, the biggest value of a honeynet deployment is the intelligence security teams can gather on attacker behavior.

When properly built and maintained, honey environments can provide valuable information about how the attacker moves around in a network in search of data to exfiltrate. But only if the attacker enters the honeynet. 

Honey Hardships
There are some significant challenges and shortcomings that make honey environments difficult to deploy, manage, and maintain. Before investing, you need to conduct a serious costs-benefit analysis. 

First, while honey environments are built and maintained outside of the enterprise's operational environment, honeynets still require hackers to gain initial entry through the operational environment. Organizations must then hope that the breadcrumbs leading to the honey environment are convincing enough to actually lure the hacker. Also, once a hacker leaves the fake environment, there is no way of knowing if he or she re-enters the operational environment to continue an attack or what data they may have exfiltrated prior to tripping over a breadcrumb.

Second, the cost and resources required to create these environments can put a strain on security teams that are already overwhelmed by the number of security alerts and investigations they do on a daily basis. Organizations must establish an environment that mimics the operational environment in order to have any chance that attackers will believe it is real. Then, that environment must be maintained to keep it realistic. This level of investment and upkeep to make a honeynet work is no small commitment.

Third, there are limits to the usefulness of the data that honey environments can provide on adversaries. It's true that they are a good method for learning more about how attackers move throughout a system in search of data to steal, but they reveal little about the actual hacker and what happens to data once it has been stolen.

Finally, adversaries have become increasingly sophisticated in identifying "tells" in honey environments. Hackers who present any serious threat will often target specific IP addresses that they know are valid machines. If a hacker wants to identify any honeypots sitting on a corporate network (a process known as "fingerprinting"), it is easy to do because the machine will either have no outbound traffic, or the deceptive traffic will be contrived and not follow a normal usage pattern. For a honeynet to have any value, an intruder shouldn't be able to detect that he or she is on a fake system. The goal is to give the adversary a false sense of reality and a false sense of security that his or her actions are not being noticed or monitored.

Deception in the Real World
Deploying deception technology within operational and cloud environments allows security teams to detect and deceive attackers in the direct path to sensitive data instead of hoping they are lured away. Deployment of believable decoy documents inside operational networks provides all of the same benefits of honeypots and honeynets but negates the need to create and maintain fake environments.

Deception that does not depend on honey environments can also be used to proactively fight back against hackers and leakers. Attackers rely on various tools for anonymity, and these tools often contribute to the success of bold attacks. Deception techniques not limited by fake environments can be used to pierce these tools and reveal attackers, often without their knowledge. This provides a unique advantage for organizations and law enforcement to hold hackers and leakers accountable.

Related Content:

Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StephenGiderson
50%
50%
StephenGiderson,
User Rank: Strategist
1/11/2019 | 12:04:27 AM
Be careful of over-promise
There is the saying that goes "When something is too good to be true, it probably is" which should not be underestimated. When we are guaranteed overwhelming results for barely nothing, perhaps we are in too deep in a lie that could get difficult to run away from. We need to carefully sieve through real results against fake ones by being real and not expecting much more than what we have invested on.
SSTOLFO000
50%
50%
SSTOLFO000,
User Rank: Guru
1/9/2019 | 11:26:10 AM
Re: Trap them all!
While the technique has been available for a while, and used effectively by government and law enforcement for years, technology to provide guaranteed signal in a stealthy manner was just introduced for commercial use in 2018. Here is a good overview of the evolution of the technology: https://info.alluresecurity.com/blog/canary-tokens-versus-patented-decoy-documents. You can also see how the tecnique of using a "booby-trapped" document was used effectively by the FBI as part of an active investigation here: https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal.
MarkSindone
50%
50%
MarkSindone,
User Rank: Moderator
1/9/2019 | 12:54:18 AM
Trap them all!
This is a really interesting way of describing a trap technique. I wonder how many hackers would fall for all of these honey traps laid around the system and if it's really such a success, than why aren't more facilities coming up with similar acting security units to prevent unauthorized access and hacking into their service networks...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.