Honeypot vs Deception on the example of Xello


There are already several articles on Habr about Honeypot and Deception technologies (article 1, article 2). However, we still encounter a lack of understanding of the difference between these two classes of protection tools. To address this, our colleagues from Xello Deception (the first Russian developer of a Deception platform) decided to describe in detail the differences, advantages and architectural features of these solutions.

Let's start with what "honeypots" and "deception" are:

"Deception technologies" appeared on the information security market relatively recently, and some experts still consider Security Deception to be just more advanced honeypots.

In this article we will try to highlight both the similarities and the fundamental differences between these two solutions. In the first part we will talk about honeypots: how the technology developed and what its advantages and disadvantages are. In the second part we will dwell in detail on the principles of operation of platforms for building a distributed deception infrastructure (Distributed Deception Platform, DDP).

The basic principle underlying honeypots is to create traps for hackers. The very first Deception solutions were built on the same principle, but modern DDPs are significantly superior to honeypots in both functionality and efficiency. Deception platforms include traps (decoys), lures, applications, data, databases and Active Directory objects. Modern DDPs provide powerful capabilities for threat detection, attack analysis and response automation.

Thus, Deception is a set of techniques for imitating an enterprise's IT infrastructure and misleading hackers. As a result, such platforms make it possible to stop attacks before significant damage is done to the company's assets. Honeypots, of course, do not have such a wide range of functionality or such a level of automation, so using them demands more qualifications from the information security staff.

1. Honeypots, Honeynets and Sandboxing: what is it and how is it applied

The term "honeypot" was first used in 1989 in Clifford Stoll's book "The Cuckoo's Egg", which describes tracking down a hacker at Lawrence Berkeley National Laboratory (USA). The idea was put into practice in 1999 by Lance Spitzner, an information security specialist at Sun Microsystems, who founded the Honeynet Project. The first honeypots were very resource-intensive and difficult to set up and maintain.

Let's consider in more detail what honeypots and honeynets are. Honeypots are separate hosts whose purpose is to attract attackers trying to break into the company's network and steal valuable data, as well as to broaden the monitored coverage of the network. A honeypot (literally translated as "a barrel of honey") is a special server with a set of network services and protocols such as HTTP, FTP, etc. (see Fig. 1).

[Figure 1]
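To make the "special server with a set of network services" concrete, here is an added example of a minimal low-interaction TCP honeypot; it is not Xello's code and not from the original article. It binds a port, answers every connection with a fake FTP banner (the banner, host and port are constructed), records the source address and the first bytes sent, and never parses or executes what it receives. `run_demo` starts it on localhost and probes it once the way a scanner would.

```python
"""Minimal low-interaction TCP honeypot.

Added example, not Xello's code: a decoy service that answers with a fake
banner, records who connected and what they sent, and never executes or
interprets anything it receives. Host, port and banner are constructed.
"""
import socket
import threading
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HoneypotEvent:
    """One recorded interaction with the decoy service."""
    timestamp: float
    src_ip: str
    src_port: int
    first_bytes: bytes


@dataclass
class TcpHoneypot:
    host: str = "127.0.0.1"
    port: int = 0  # 0 = let the OS pick a free port; a real decoy binds 21, 80, ...
    banner: bytes = b"220 files.internal FTP server ready\r\n"  # constructed fake banner
    events: List[HoneypotEvent] = field(default_factory=list)
    _sock: Optional[socket.socket] = field(default=None, repr=False)

    def start(self) -> int:
        """Bind and listen, serve in a background thread, return the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self) -> None:
        while True:
            try:
                conn, (ip, port) = self._sock.accept()
            except OSError:
                return  # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, ip, port), daemon=True).start()

    def _handle(self, conn: socket.socket, ip: str, port: int) -> None:
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)   # look like a real service
                data = conn.recv(1024)      # record only; nothing is parsed or run
            except OSError:                 # includes socket.timeout
                data = b""
        self.events.append(HoneypotEvent(time.time(), ip, port, data))

    def stop(self) -> None:
        if self._sock is not None:
            self._sock.close()


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Connect the way a scanner would: read the banner, send one command."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def run_demo() -> Tuple[bytes, List[HoneypotEvent]]:
    """Start a honeypot on localhost, probe it once, return (banner, events)."""
    hp = TcpHoneypot()
    port = hp.start()
    banner = probe(hp.host, port, b"USER anonymous\r\n")
    deadline = time.time() + 3.0
    while not hp.events and time.time() < deadline:  # wait for the handler thread
        time.sleep(0.05)
    hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    got_banner, got_events = run_demo()
    for ev in got_events:
        print(f"{ev.src_ip}:{ev.src_port} -> {ev.first_bytes!r}")
```

The recorded events are the whole value of such a host: nothing legitimate should ever talk to it, so each `HoneypotEvent` is a lead for the analyst. The limitations discussed later in the article follow directly from this design: anyone who port-scans the segment (including an ordinary user or a vulnerability scanner) produces an event, and the fixed banner is exactly what lets an experienced attacker fingerprint the decoy.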

If we combine several honeypots into a network, we get a more effective system, a honeynet, which emulates a company's corporate network (web server, file server and other network components). This solution makes it possible to understand the attackers' strategy and mislead them. A typical honeynet, as a rule, runs in parallel with the production network and is completely independent of it. Such a "network" can be published on the Internet via a separate channel, and a separate range of IP addresses can be allocated for it (see Fig. 2).

[Figure 2]

The point of using a honeynet is to make the hacker believe he has penetrated the organization's corporate network, while in fact the attacker is in an "isolated environment" under the close supervision of information security specialists (see Fig. 3).

[Figure 3]

Here it is also necessary to mention the "sandbox", a tool that lets attackers install and run malware in an isolated environment where IT professionals can monitor its activity in order to identify potential risks and take the necessary countermeasures. Currently, sandboxing is typically implemented on dedicated virtual machines on a virtual host. However, it should be noted that sandboxing only shows how a malicious program behaves, while a honeynet helps a specialist analyze the behavior of the "dangerous players" themselves.

The obvious benefit of honeynets is that they mislead attackers and waste their energy, resources and time. As a result, instead of real targets, they attack false ones and may stop attacking the network without achieving anything. Most often, honeynet technologies are used in government agencies, large corporations and financial organizations, since these structures are the targets of major cyber attacks. However, small and medium businesses (SMB) also need effective tools to prevent information security incidents, yet honeynets are not so easy to use in the SMB sector because of the lack of qualified personnel for such complex work.

Limitations of Honeypots and Honeynets Solutions

Why aren't honeypots and honeynets the best attack mitigation solutions available today? Attacks are becoming ever larger in scale, more technically complex and capable of causing serious damage to an organization's IT infrastructure, while cybercrime has reached a completely different level and is now a highly organized shadow business equipped with all the necessary resources. Add to this the "human factor" (errors in software and hardware configuration, insider actions, etc.), and using technology alone to prevent attacks is no longer enough.

Below we list the main limitations and disadvantages of honeypots (honeynets):

  1. Honeypots were originally designed to identify threats coming from outside the corporate network; they are intended more for analyzing the behavior of intruders than for responding quickly to threats.

  2. Attackers, as a rule, have already learned to recognize emulated systems and avoid honeypots.

  3. Honeynets (honeypots) have an extremely low level of interactivity and of integration with other security systems. As a result, it is difficult to obtain detailed information about attacks and attackers from honeypots, and therefore to respond to information security incidents effectively and quickly. Moreover, information security specialists receive a large number of false threat alerts.

  4. In some cases, hackers may use a compromised honeypot as a starting point for continuing the attack on the organization's network.

  5. Honeypots often have problems with scalability, high operational load and configuration (they require highly qualified specialists, lack a convenient management interface, etc.). There are great difficulties in deploying honeypots in specialized environments such as IoT, POS, cloud systems, etc.

2. Deception technology: advantages and basic principles of operation

Having studied all the advantages and disadvantages of honeypots, we come to the conclusion that a completely new approach to responding to information security incidents is needed in order to respond quickly and adequately to the actions of attackers. That approach is cyber deception (security deception) technology.

The terms "cyber deception", "security deception", "deception technology" and "Distributed Deception Platform" (DDP) are relatively new. In fact, all of them mean the use of "deception technologies", that is, "techniques for imitating IT infrastructure and misinforming attackers". The simplest Deception solutions are a development of the honeypot idea at a more technologically advanced level, with more automation of threat detection and response. However, there are already serious DDP-class solutions on the market that offer ease of deployment and scalability, as well as a serious arsenal of "traps" and "baits" for attackers. For example, Deception can emulate IT infrastructure objects such as databases, workstations, routers, switches, ATMs, servers, SCADA, medical equipment and IoT.

How does a Distributed Deception Platform work? After DDP is deployed, the organization's IT infrastructure effectively consists of two layers: the first layer is the company's real infrastructure, and the second is an "emulated" environment consisting of traps (decoys) and lures that are located on real physical network devices (see Fig. 4).

[Figure 4]

For example, an attacker may discover false databases with "confidential documents" or false credentials of supposedly "privileged users". All of these are false targets that can interest intruders and thereby divert their attention from the company's true information assets (see Fig. 5).

[Figure 5]

DDP is a novelty on the information security market: these solutions are only a few years old, and so far only the corporate sector can afford them. But SMBs will soon also be able to take advantage of Deception by renting DDP from specialized providers as a service. This option is even more convenient, since it removes the need for in-house highly qualified personnel.

The main advantages of Deception technology are shown below:

  • Authenticity. Deception technology is capable of reproducing a completely authentic IT environment of a company, emulating operating systems, IoT, POS, specialized systems (medical, industrial, etc.), services, applications, credentials and so on with high fidelity. Traps (decoys) are carefully mixed into the production environment, and an attacker will not be able to identify them as honeypots.

  • Deployment. DDPs use machine learning (ML) in their work. ML provides simple and flexible configuration and efficient Deception deployment. "Traps" and "baits" are updated very quickly, drawing the attacker into the company's "false" IT infrastructure, while advanced analysis systems based on artificial intelligence detect the hackers' active steps and prevent them (for example, an attempt to access Active Directory using decoy accounts).

  • Ease of operation. Modern Distributed Deception Platforms are easy to maintain and manage. As a rule, they are managed through a local or cloud console, and they can be integrated with the corporate SOC (Security Operations Center) through an API and with many existing security controls. Maintaining and operating DDP does not require the services of highly qualified information security experts.

  • Scalability. Security deception can be deployed in physical, virtual and cloud environments. DDPs also work successfully with specialized environments such as IoT, ICS, POS, SWIFT, etc. Advanced Deception platforms can project "deception technologies" into remote offices and isolated environments without an additional full platform deployment.

  • Interaction. Using effective and attractive decoys based on real operating systems and cleverly placed among the real IT infrastructure, the Deception platform collects extensive information about the attacker. DDP then issues threat alerts, generates reports and responds automatically to information security incidents.

  • Starting point of attack. In modern Deception, traps and baits are placed inside the network range, not outside it (as is the case with honeypots). This deployment model prevents an attacker from using the traps as a base for attacking the company's real IT infrastructure. More advanced Deception-class solutions offer traffic routing, so all attacker traffic can be directed through a dedicated connection. This allows the intruders' activity to be analyzed without risking valuable company assets.

  • The persuasiveness of "deception technologies". At the initial stage of an attack, attackers collect and analyze data about the IT infrastructure and then use it to move laterally through the corporate network. With "deception technologies", the attacker will inevitably fall into "traps" that lead him away from the organization's real assets. DDP analyzes potential credential access paths on the corporate network and offers the attacker "false targets" instead of real credentials. These capabilities have been sorely lacking in honeypot technologies (see Fig. 6).

[Figure 6]

Deception VS Honeypot

And finally, we come to the most interesting point of our study: the main differences between Deception and Honeypot technologies. Despite some similarities, these two technologies differ greatly, from the fundamental idea to the efficiency of their work.

  1. Different basic ideas. As we wrote above, honeypots are installed as "baits" around the company's valuable assets (outside the corporate network) in an attempt to distract intruders. Honeypot technology is based on an understanding of the organization's infrastructure, and honeypots can become a starting point for attacking the company's network. Deception technology is developed with the attacker's point of view in mind and makes it possible to identify an attack at an early stage, so information security specialists gain a significant advantage over attackers and buy time.

  2. "Attraction" VS "Entanglement". With honeypots, success depends on attracting the attackers' attention and motivating them to move on to the target in the honeypot. This means the attacker still has to reach the honeypot before you can stop him, so intruders may remain on the network for several months or more, leading to data leakage and damage. DDP imitates the company's real IT infrastructure with high fidelity; the purpose is not just to attract an attacker's attention but to confuse him so that he wastes time and resources without gaining access to the company's real assets.

  3. "Limited scalability" VS "automatic scalability". As noted earlier, honeypots and honeynets have scaling issues. Scaling is difficult and expensive: to increase the number of honeypots in a corporate system you have to add new computers and operating systems, buy licenses and allocate IP addresses. Moreover, qualified personnel are needed to manage such systems. Deception platforms are deployed automatically as the infrastructure scales, with no significant overhead.

  4. "High number of false positives" VS "no false positives". The essence of the problem is that even an ordinary user may stumble on a honeypot, so the "reverse side" of this technology is a large number of false positives, which distract information security specialists from their work. "Baits" and "traps" in DDP are carefully hidden from the average user and are designed only for an attacker, so every signal from such a system is an alert about a real threat, not a false positive.
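The difference in alert quality described in item 4, and the "false credentials of privileged users" lure described in the section on how DDP works, can be shown in a few dozen lines of detection logic. The following is an added example, not Xello's code and not part of the original article; the decoy account names, the hosts where the lures are "planted", the sshd-style log lines and the list of benign scanner addresses are all constructed. `detect_decoy_use` raises an alert on any authentication attempt with a decoy account, successful or not, because no legitimate process ever uses one; `triage_honeypot_hits` shows that honeypot connection logs, by contrast, need a benign-source filter and still leave ordinary users' hits indistinguishable from an attacker's.

```python
"""Alerting on decoy-credential (honeytoken) use versus honeypot hits.

Added example, not Xello's code. The decoy account names, their planting
locations, the log lines and the benign-source list are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed decoy accounts and where the lure was planted (a DDP would
# generate and track these per host).
DECOY_ACCOUNTS: Dict[str, str] = {
    "svc_backup_admin": "saved RDP profile on WS-FIN-12",
    "sqladmin_legacy": "config file on APP-03",
}

# OpenSSH-style "Accepted/Failed ... for [invalid user] NAME from IP" lines.
SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)

# Constructed sample log: one real admin plus one source trying both decoys.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:14:02 app-03 sshd[2113]: Accepted password for deploy from 10.0.20.7 port 50122 ssh2",
    "Mar  3 10:15:41 app-03 sshd[2150]: Failed password for svc_backup_admin from 10.0.30.55 port 41002 ssh2",
    "Mar  3 10:15:43 app-03 sshd[2150]: Failed password for invalid user sqladmin_legacy from 10.0.30.55 port 41003 ssh2",
    "Mar  3 10:16:10 app-03 sshd[2162]: Accepted publickey for deploy from 10.0.20.7 port 50130 ssh2",
]


@dataclass
class DecoyAlert:
    timestamp: str
    user: str
    src: str
    result: str      # "Accepted" or "Failed": the attempt itself is the signal
    planted_at: str  # tells the responder which host the credential was harvested from


def parse_auth_line(line: str) -> Optional[Dict[str, str]]:
    m = SSH_AUTH_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines: Iterable[str],
                     decoys: Dict[str, str] = DECOY_ACCOUNTS) -> List[DecoyAlert]:
    """Every authentication attempt with a decoy account becomes an alert."""
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["user"] in decoys:
            alerts.append(DecoyAlert(rec["ts"], rec["user"], rec["src"],
                                     rec["result"], decoys[rec["user"]]))
    return alerts


def triage_honeypot_hits(hits: Iterable[Tuple[str, int]],
                         known_benign: Iterable[str]) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Honeypot connections need a benign-source filter: returns (alerts, noise)."""
    benign = set(known_benign)
    alerts, noise = [], []
    for src, port in hits:
        (noise if src in benign else alerts).append((src, port))
    return alerts, noise


def run_demo() -> Tuple[List[DecoyAlert], List[Tuple[str, int]], List[Tuple[str, int]]]:
    decoy_alerts = detect_decoy_use(SAMPLE_AUTH_LOG)
    # Constructed honeypot connection log: the vulnerability scanner (10.0.1.9),
    # the attacker and an ordinary user with a stale bookmark all hit the decoy FTP port.
    honeypot_hits = [("10.0.1.9", 21), ("10.0.30.55", 21), ("10.0.20.7", 21)]
    hp_alerts, hp_noise = triage_honeypot_hits(honeypot_hits, known_benign={"10.0.1.9"})
    return decoy_alerts, hp_alerts, hp_noise


if __name__ == "__main__":
    decoys_used, hp_alerts, hp_noise = run_demo()
    for alert in decoys_used:
        print(f"DECOY USED: {alert.user} from {alert.src} ({alert.result}); lure planted at {alert.planted_at}")
    print("honeypot alerts:", hp_alerts, "filtered noise:", hp_noise)
```

Note what each detector can and cannot say. The decoy-credential alerts name a single source (10.0.30.55) and, through `planted_at`, the workstation where the lure was harvested, which is the first pivot point for the incident. The honeypot triage still reports the legitimate user at 10.0.20.7 alongside the attacker even after the scanner is filtered out; that residual is the false-positive load item 4 refers to.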

Conclusion

In our opinion, Deception technology is a huge improvement over the older honeypot technology. In essence, DDP has become a comprehensive security platform that is easy to deploy and manage.

Modern platforms of this class play an important role in accurately detecting and effectively responding to network threats, and their integration with other components of the security stack increases automation and improves the efficiency and effectiveness of incident response. Deception platforms are built on authenticity, scalability, ease of management and integration with other systems. All this gives a significant advantage in the speed of response to information security incidents.

Also, based on observations of pentests at companies where the Xello Deception platform was implemented or piloted, we can conclude that even experienced pentesters often cannot recognize lures in the corporate network and fail, falling into traps. This once again confirms the effectiveness of Deception and the great prospects that open up for this technology.

Product testing

If you are interested in the Deception platform, we are ready to conduct joint testing.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: habr.com
