You’ve probably heard about honeypots — tools that act as baits, luring attackers into revealing themselves by presenting a seemingly tempting target. In recent years, honeypots have evolved into Deception technology.
Deception is a very accurate characterization of the solution — after all, to catch the attacker, traps should look exactly like real assets.
Today, this technology is presented by American and Israeli vendors. Among them, the most famous are TrapX, Illusive Networks, Fidelis, Cymmetria MazeRunner, and Canary. There are also several open-source solutions.
So, what kind of technology is the Deception from the developer’s point of view, and what’s interesting about it? But first, let’s look into the prior technology — honeypots.
It is fair to say that honeypot is the first technology of Deception. It emerged in the 1980-1990s years. A honeypot is a network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking attempts to gain unauthorized access to information systems.
There are no legitimate network interactions with the honeypot. When attacked, it would log the attacker’s actions. Such conditions allow organizations to learn about behavior they would not otherwise have access to.
The honeypot’s secondary purpose is to hold back on the attacker’s progress in the network, luring him into studying the fake resource.
Honeypots can involve real operating systems and applications. By giving attackers real systems to interact with, organizations can learn a great deal about an attacker’s behavior.
Disadvantages of honeypots:
- You need to set up each fake server separately;
- They do not interact with each other and with the elements of the real infrastructure;
- They leave no traces, so it is difficult for a hacker to detect them;
- They are not usually integrated into a centralized system.
This technology was gradually replaced by another, more advanced and intelligent.
Deception belongs to the Intrusion Detection System (IDS) solutions. The main purpose of this system is to detect attempts of gaining unauthorized access to the network.
What is the difference between Deception and honeypots?
A honeypot as a separate network resource is deployed alongside production systems within your network. Deception is a centralized system for the management of fake network objects, commonly called traps. Each trap is, in fact, a separate honeypot, but they are all connected to a central server.
Such solutions usually have a user-friendly interface. The operator can set up traps with a necessary number of emulated network services in a selected subnet, with a certain method for obtaining an IP address, etc.
Just like honeypots, Deception traps are not designed for legitimate network interaction (except for interaction with other Deception components.)
The trap notifies the server of any attempt to interact with it: this serves as an indicator of attack. At the same time, the operator receives an instant message about the event, which specifies the address, port source, goals, interaction protocol, activation time, etc.
Additional modules within Deception may also provide manual or automated incident response capabilities.
An agent is a software that is installed on real user machines or servers. It knows how to communicate with the Deception server, execute its commands or transmit data to the control center.
Deception’s solutions include products with and without an agent.
- Checking the status of workstations
- Distributing a collection of traps and decoys across a system’s infrastructure
- Emulation of network activity
- Incident response (manual or automated)
- Forensic data collection.
Thus, it is better to make the agent’s activities hidden from users.
Therefore, agent decisions in Deception should be made in such a way that the user does not see either the agent or traces of his life activities.
Therefore, agents usually run in a privileged mode, like Windows drivers or Linux Kernel modules.
The task of Deception as a technology is to convince the attacker that all traps are real, valuable, and usable, and also to make fake targets attractive to attack.
The attacker is faced with thousands of honeytokens, lures, breadcrumbs, or decoys when they breach a system, and interacting with just one will alert defenders to their presence. It’s all about playing the odds, and deception tilts the odds toward the defender in a straightforward and lightweight way.
A decoy is an object that is placed on a real workstation. It looks like something common and interesting for the attacker («accidentally» left password file, saved session, browser bookmark, registry entry). The decoy contains a link and data to access a fake network resource.
The attacker, having discovered such a link and authorization data, would check what kind of service it is. He would access a trap, and an incident alert is set off.
Types and methods of decoy placement depend on the type of trap to which it leads.
Decoys can be distributed in several ways. If Deception has agents, they are in charge of placing the decoys. This process can be automated: the server sends a command to the agent, and the agent performs the necessary actions to install the bait.
If there are no agents, Deception provides ready-made scripts to be executed on workstations manually. This approach has drawbacks: there is no way to automatically update decoys on workstations when traps are reconfigured, whereas agents can do this.
The interaction of real users with decoys should be limited as much as possible. They should also be convincing. If we put the bait as SSH on the accountant’s computer, it might excite the attacker’s suspicion.
Typically, the bait contains authorization data to access the trap — login, and password or key. But how do you make them look believable? Here the idea of a fake user’s database inside Deception arises.
You can keep a database of fake network users. There are different approaches to maintaining such a database.
For example, Deception can be integrated with a network traffic analyzer. This makes it possible to recognize the data for authorization in network traffic, find common features and generate users similar to real ones.
If there is no such integration, generating users according to the rules established manually is a good solution. These rules may include a specific name dictionary, login template, password generation instructions (special characters, minimum length, generation of memorable passwords, the selection of passwords from the dictionary, etc.), domain address, and mail server.
This approach can be useful if the organization uses Deception to protect its branches in different countries. For instance, for the Ukrainian branch, the wrong users can have names from the Ukrainian dictionary, and for the Chinese branch — from the Chinese.
Once a fake user database is established, Deception can use it to create decoys.
Emulation of network interaction
If traditional traps exist on their own, do not interact with anything, and do not leave traces in the network, then the Deception technology is designed to encourage the attacker to interact with the trap.
So, you need to head the attacker to the trap and convince him that it is a real service. Just imagine that you detected some service on the network, but it has never been interacted with. This is suspicious.
Therefore, one of the Deception features is the ability to actively emulate network interaction. Any points within the system can interact: traps with traps, agents with traps. The implementation depends on the specific solution and may include communication using simple TCP/UDP packets, as well as data transfer using a high-level protocol.
One of Deception’s potential problems is the time-consuming initial setup. Without automatic deployment, when installing Deception, you would have to define a list of traps and emulated services manually, configure them correctly, and create and place baits for each trap.
However, it is impossible to make a universal solution that suits any client. Each organization has its own set of network resources to deploy as traps. If the company’s network is small, then one specialist can manage this. If a large company deploys Deception, there may be several subnets to set traps. Also, each type of subnet may have its network ACL with custom rules per subnet. Therefore, it is worth automating the deployment.
There can be several approaches. If Deception is integrated with a traffic analysis system, the system can receive data about the protocols used by each subnet. Based on this information, Deception can automatically set the right types of traps, and their right amount and even update the fake network layer on its own when new real resources are added.
If there is no integration, there can be another way out. The Deception server performs active network scanning, obtaining data about open ports on real machines, or passively monitoring traffic. The collected information will be used by Deception to set traps automatically.
The third way. The operator can either manually create and set individual traps or select the necessary list of network services and a certain number of traps. Then the installation and configuration will be done automatically.
DATA COLLECTED FROM WORKSTATIONS
Deception can be more than just a means of detecting attacks. Due to agents, the system can take on other challenges. One of them is the collection of data about software installed on computers, including the version and installation date. You can compare results with the CVE databases and you’ll be warned if the current version of the software has a serious vulnerability.
Also, the agent can collect forensic data. When a trap detects an attack sourced from an agent workstation, Deception can compare the trap’s data (time, connection source port) with the agent’s information. So, you can get useful information about the attack: which process launched it, how it got to the computer, etc.
Besides, the agent can collect various indicators of employees’ workstation compromise. This would make it possible to get notified even before the attacker moves on to actions on the network.
Deception is a relatively new technology, but it is gaining popularity. Deception does not replace common information security systems, but complements defense systems, helping detect those attacks that have bypassed all other means.