In days gone past (and arguably in the current timeline we occupy) I would simply launch from the existing machine like an Olympic diver off the high board and go about my merry way for an “industrial average” of 200 days or thereabouts before ANYONE even knows or detects my presence. That’s 200 days of us, in your systems, harvesting data, reviewing files, modifying data sets, exfiltrating anything and everything we need. That’s akin to having a team of security professionals doing a penetration test against your systems for over 6 months…
However, the rules are about to change, and the future IS looking a lot bleaker for the attackers. The honeypot is back…with a vengeance and a whole slew of new tools it’s about to unveil. No longer does the honeypot sit on your network looking like a beacon in the darkness; no longer does it come in one or two flavors that an attacker knows by heart; no longer does it have too many open ports, or too few, or run Windows 7 when your enterprise runs 8… The honeypots we now have are nasty, deceptive and out for revenge.
They are not really honeypots; a honeypot is static, a simple vessel for holding something. The new tools have taken a leaf (or, in the case of Acalvio, borrowed a whole Dionaea muscipula) out of Mother Nature’s rulebook and have gone to SEAL BUD/S school.
This new deceptive technology is the equivalent of electronic camouflage. From the outset, even before being introduced to the environment it WILL eventually protect, it knows the industries it is working in. It understands the differences between healthcare and financial systems; it knows that a Windows 7 machine looks different from a Windows 8 system; it also knows that a developer’s machine looks like a more inviting target than a regular desk-bound office worker’s. The deceptive system also knows that it takes a lot more than an open Telnet port to entice a nibble from the attacker, which is why it is able to deploy multiple types of lures scattered throughout the enterprise, from registry entries that mimic elevated user accounts, to files on shares, to folders on systems. It can deploy these in a manner that not only blends into your enterprise but also doesn’t interfere with it. It also understands what good behavior is, as it learns on the fly from your SIEM/log systems.
This technology that is protecting your environment knows and adapts its defenses based on a number of algorithmic formulas that are updated to reflect the ever-changing attack landscape. It understands that the currency of the attacker is data, and that too much of it in the wrong place will cause the attacker to quietly remove themselves from the situation. However, with the right FTP server, PeopleSoft, Oracle or SAP instance, the attacker can be led along a series of avenues that both mask the valuable data the corporation is trying to protect and allow enterprises or government entities to better understand the attack patterns of what is now simply an adversary trapped in a polymorphic maze.
Now, at this point any seasoned attacker (be they automated or human) has run sufficient checks against all their target systems to validate their configuration and architecture, and to decide whether they are real, fake or possibly an elaborate emulation. This is where the art of deception has taken on a new life. Initial interactions with any of the lures (be they simple files, folders or FTP instances, all the way up to full-blown server instances) have been tuned to such an extent that any number of known validation checks will pass…even on the more complex systems.
Taking notes from Mother Nature and the last 100 years of camouflage research, we can conclude that humans do not decode visual and technical information as efficiently as we think we do. A broken pattern, a confusion of depth and flatness caused by illusory shadows, or just a subtle blending of information can make the visible invisible. This technique is applied to the electronic realm in a manner that allows those lures to appear “real” and pass all the validation checks, so our attacker continues along OUR chosen path.
It is worth noting at this point that our attacker has already tripped several alarms within the enterprise: from the moment they accessed the stored and cached credentials on their initially compromised PC (one of our lures), to checking the file server for industry-specific files (ours were blended into the report server output folder), through to the several FTP and Telnet sessions they opened. Not to mention that the attacker is currently working their way through one of our full deceptions in full view of the enterprise security team.
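Added here to illustrate how the alarms in the paragraph above are raised on the defender's side; this is example code, not Acalvio's or the author's. It is a small honeytoken monitor that flags any touch of a planted credential, decoy file or decoy FTP/Telnet listener, and escalates a source that touches more than one distinct lure. The decoy names, hosts and the key=value audit-log format are constructed for the example.

```python
from collections import defaultdict

# Constructed decoy inventory (hypothetical names): the lures a deception platform plants.
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_sa_legacy"}      # seeded into cached creds / registry
DECOY_FILES = {p.lower() for p in (                          # blended into the report output folder
    r"\\fs01\reports\out\Q3_claims_export.xlsx",
    r"\\fs01\reports\out\payroll_2019.csv")}
DECOY_SERVICES = {("10.0.9.21", 21), ("10.0.9.21", 23)}      # decoy FTP and Telnet listeners

def parse(line):
    """Parse a 'key=value key=value' audit line (constructed format) into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def match_lure(ev):
    """Return (lure_type, lure) if the event touches a decoy, else None."""
    kind = ev.get("event")
    if kind == "logon" and ev.get("user", "").lower() in DECOY_ACCOUNTS:
        return ("credential", ev["user"])
    if kind == "file_read" and ev.get("path", "").lower() in DECOY_FILES:
        return ("file", ev["path"])
    if kind == "net_connect" and (ev.get("dst"), int(ev.get("dport", 0))) in DECOY_SERVICES:
        return ("service", f"{ev['dst']}:{ev['dport']}")
    return None

def monitor(lines):
    """One alert per lure touch; a source that touches 2+ distinct lures escalates to critical."""
    alerts, lures_by_src = [], defaultdict(set)
    for line in lines:
        ev = parse(line)
        hit = match_lure(ev)
        if hit is None:
            continue  # decoys have no legitimate users, so anything that misses them is ignored
        src = ev.get("src", "unknown")
        lures_by_src[src].add(hit)
        alerts.append({"time": ev.get("ts"), "src": src, "lure": hit,
                       "severity": "critical" if len(lures_by_src[src]) > 1 else "high"})
    return alerts

# Constructed audit lines: one workstation touches three different lures in sequence.
SAMPLE_LOG = [
    r"ts=2024-05-01T09:12:03Z src=ws-107 event=file_read user=jsmith path=\\fs01\reports\out\Q3_summary.xlsx",
    r"ts=2024-05-01T09:14:51Z src=ws-107 event=logon user=svc_backup_admin result=failure",
    r"ts=2024-05-01T09:15:20Z src=ws-107 event=file_read user=jsmith path=\\fs01\reports\out\Q3_claims_export.xlsx",
    r"ts=2024-05-01T09:16:02Z src=ws-107 event=net_connect dst=10.0.9.21 dport=21",
    r"ts=2024-05-01T09:30:00Z src=ws-220 event=net_connect dst=10.0.9.50 dport=443",
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

Because a decoy is never used for legitimate work, every match is high-confidence; the escalation rule simply reflects that a source moving from one lure to the next is walking the chosen path rather than stumbling once.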
The one area we have to acknowledge is that deception and camouflage have two purposes:
- Hiding the real systems and data
  - Core/key data stores
  - Critical systems that can’t be secured
  - Edge systems in foreign countries
  - Critical machines
  - Applications
- Showing the false systems and data
  - Hosts
  - Services
  - etc.