The goal is to have a deception layer that blends into your current environment and adapts itself as the real network changes. Here’s how.
The concept of honey pots and deception in IT security has been around for about two decades. The idea is to place a fake asset in your network and then wait for attackers to interact with it. No one is supposed to know about this fake asset, so any access to it is a high-fidelity alert. This is a great idea in theory, but like the saying goes, the devil is in the details. For example, there are drawbacks that made honey pot deployment not worth the effort. The main challenges:
- Authenticity – how to make the honey pots believable and to look part of the real network
- Attractiveness – how to make them known and attractive to attackers, and
- Scalability – how to scale the deployment and not have it interfere with your regular network.
Organizations can overcome these challenges and deploy an attractive and authentic deception layer as part of its corporate network. SANS’ Implementing Deception Technologies guide provides an overview on how deception technologies can significantly improve an organization’s capabilities to swiftly and accurately detect attackers, while at the same time collect sufficient threat intelligence and attack attribution information to improve response effectiveness.
The goal is to have a deception layer that blends into your current environment and adapts itself as the real network changes. For that, you first need to understand and identify your current environment. Based on your existing assets and network traffic, you can build advanced terrains maps that include breakdown of the assets into subnets, operating systems, roles and services. Once you have this knowledge about your current environment, you can start to deploy the deception layer.
Step 1: Decoys
The decoys are fake assets that you create in the network. Based on your network profile, you deploy decoys that blend into your existing environment, such as workstations decoys on the user networks and server decoys on the server networks. For the relevant networks, you can also deploy IOT decoys for printers, routers, cameras, etc. To make each decoy authentic, it must mimic the real assets in the network. This includes the domain that it registers to, the services it publishes, the ports it has opens, the file system it reveals, the network traffic it exposes and the network fingerprint.
When deploying decoys, you will need to choose between different interaction levels of the decoys. A low interaction decoy is a very basic decoy that listens to traffic and does not interact with the attacker on the application level, basically a port listener. A high interaction decoy (a.k.a. a REALOs Decoy) can be a full real physical or virtual machine that acts as a decoy server with all its actions monitored. Each of the two interaction levels has both advantages and disadvantages. The middle ground is an emulation-based decoy that acts as a server that emulates the different services of the decoys. An emulated decoy can very easily control the ports that are open, the services running and the data the decoy holds. Our recommendation is to spread many emulated decoys around the network to mimic the different networks and add some RealOS Decoys in strategic points in the network. Based on the organization, you can deploy hundreds or thousands of decoys inside the network, each with a different operating system and role.
Step 2: Breadcrumbs
To make decoys look real and attractive, security teams deploy breadcrumbs, which are pieces of information placed on the real assets that lead the attacker to the decoys. When an attacker is inside your network, they will look for the safest next hop based on the information it has. The breadcrumbs show usage of the decoy services by holding information and credentials for those services. Some examples are recent documents, configuration files, and credentials. Like the decoys, the breadcrumbs should blend into the environment and should be relevant to the asset and the applications it has running on it. Presenting SSH keys on a computer that does not have an SSH client installed make the keys look suspicious and can give the attacker a red flag to not visit that SSH server.
Step 3: Network Deception
Another way to make the decoys attractive and authentic is to generate network deception. This includes different types of traffic that will lure the attacker towards the decoy. The decoys will publish themselves in different ways to make sure they appear in passive network scans that are run by an attacker. Decoys will also interact with the corporate servers, such as the DNS, DHCP or web server, to increase their authenticity. Network deception can catch attackers attempting to run man-in-the-middle attacks and intercept the traffic of victim assets. Advanced network deception can also include injecting the decoys into the ARP cache of the real assets. This can be done on the network level without interfering with regular user activity.
Step 4: Data Deception
One of the advantages of a flexible deception layer is the power to control the data in it. When deploying decoys, you can control the file system and the shared folders the decoys published. You can control the authentication methods to the decoys and the credentials required to access the different services. You can also control the content of different services, such as the web server. Controlling the web server content allows security teams to create decoys that look like the corporate web servers, or specific IOT devices.
Another interesting part of data deception is integration with the Active Directory server. During the recon phase, advance attackers will try to harvest the corporate AD server for any information on the environment. Creating a layer of deception on your Active Directory Server can help prevent that by creating a fake user who appears to have high privileges, then registering the decoys and its services to AD server as a valid machine with SPNs. To complete the process, the decoys will periodically report login activity by the fake users throughout the day in random times. This ensures the fake entries on the AD server are constantly updated and look real.
To gain the maximum advantage from deception, your deception layer should be part of your network and not stand out. Since each organization has a different environment, it is important to deploy deception elements that will properly identify your terrain and deploy the deception elements that are relevant to it. As your network changes, your deception layer should also adapt itself. Decoys and breadcrumbs should be constantly updated based on any changes to the real network. This includes updating the content of existing decoys, creating additional decoys in newly identified networks and removing decoys in networks that are no longer used. After such changes happen, it is also important to update the breadcrumbs and the network traffic accordingly.
Read the SANS implementing deception technologies guide to learn how to improve detection at every “layer,” and gain insight into active attacks in your environment.