A very frequent response when mentioning deception is a reference to honeypots in the realm of cyber security defenses. Yes, modern deception defenses are derived from honeypots and understanding the evolution of this valuable defense is the focus of this blog. The basic concept of honeypots are decoy systems with desired fake data, isolated and monitored for activity to divert and detect attackers with no risk to real data, operations or users. Years ago it made sense to bait attackers with fake credit card data and access credentials on stand-alone systems to learn who enters, their methods and what they desire. This lead to many variations of honeypots as follows:
Pure honeypots – are full-fledged systems where an attacker’s activity is monitored by a bug tap installed on the honeypot’s link to the network. Being a full OS based honeypot made them difficult to scale and open to compromise.
High-interaction honeypots – use virtual machines to run multiple honeypots on one physical device to improve scalability and are easy to reset. However, they are expensive to maintain to imitate the full services of production servers and are also open to compromise.
Low-interaction honeypots – simulate the frequently requested services of attackers also using virtual machines for multiple honeypots per physical server for scalability. These narrower focused honeypots however, consume fewer resources improving scalability to a higher level, have shorter response times, less code, and reduce the complexity of securing the virtual system.
For the most part, early honeypots were manually maintained, difficult to scale, and were statistically found by attackers as they lacked frequent activity, users and updates as lures. However they did provide valuable research use cases as well as in production environments leading to a variety of honeypot technologies including: malware honeypots, email/spam honeypots, database honeypots for web services, canary traps with beacons, and multiple honeypots made into honeynets. There was also the development of honeyclients, however many of these projects have since retired.
The overall concept of an active defense through the use of decoys to lure, detect and defend makes sense however the issues of scalability, skilled and available resources, and containment versus detection needed to be solved for honeypots to evolve. Like many areas in technology, automation is key to create effective modern deception defenses. A modern deception strategy should accommodate the following features:
- Automated discovery – continuously maps networks, assets, resources and services creating profiles to learn the ‘real’ environment.
- Automated decoy creation – builds optimal decoys with interactive services and applications to engage attackers or malware with what they desire.
- Automated deployment – positions a wide variety of decoys in optimal locations with a mixture of breadcrumbs on real assets as lures to make deception deterministic.
- Active response – enables security teams to script and automate workflows for active response and investigation.
- Automatically adapts – to changes in networks, assets, resources or services to update discovery profiles and enable the automation of new and updated decoys and breadcrumbs.
The net impact of automation built into modern deception defenses removes manual maintenance issues, eliminates the need for special skills to create deception decoys and know where to deploy them, and adds the high value use of breadcrumbs as lures going a step beyond honeypots. Today, a tier-1 security analyst can configure, deploy and maintain multiple deception layers across an enterprise for on-premises and cloud environments.
Research honeypots still have their use cases and remain with challenges to maintain, scale and secure from compromise. However, for most enterprises, modern deception defenses with interactive services desired by attackers provide improved scale and security with automation – all but removing maintenance. Decoy and breadcrumb variety is important with both structured and unstructured data use cases to lure both human attackers and malware attacks. Modern deception defenses also leverage Active Directory credentials and understand the placement of access credentials as lures next to decoys with interactive services and applications.
So yes, modern deception is based on honeypots, however automation has changed the playing field to enable successful and easy-to-maintain deployments. This enables a defense with no risk to data or resources, nor any impact to users or operations to provide high fidelity alerts with few false positives.