Protect your environment with deception and honeytoken – Advice Eating

Image: Adobe Stock

You can no longer afford to respond with security. Instead of waiting until you notice an attack, assume that you are vulnerable and have already been attacked. “Assume breach” is a security principle that says you should act as if all of your resources—applications, networks, identities, and services both internal and external—are insecure and already compromised without you knowing it.

One way to find out is to use “deception technologies”: lure in resources in strategic parts of your network with additional surveillance that you can fool attackers into—keep them away from your real systems and let them reveal themselves while they sniff approx.

Set a trap to expose cyber attackers

“After a successful compromise, attackers often start out ‘in the dark’, unsure of what systems they have access to, what they are doing, and how they connect to different parts of an organization. It is during this reconnaissance phase that an attacker is most likely to reach or probe other services and systems,” Ross Bevington, senior security researcher at the Microsoft Threat Intelligence Center, told TechRepublic.

This is where decoy technologies like honeypots (infrastructure that looks like a real server or database but doesn’t run live workloads), honeytokens (decoy objects in real workloads you’re already running) and others come into play. “By presenting themselves as systems or services that an attacker is interested in but are not actually using in business processes, high-fidelity detection logic can be constructed that alerts the security team to post-compromise activity,” he said bevington

Deception technology works best when it’s difficult to remotely tell the difference between a real system and a fake, he explained: That way, the attacker wastes time on the bait.

Also, now you know the attacker is there. Because there is no legitimate reason to access these resources, anyone who tries is clearly unfamiliar with your system. It could be a new employee in need of training (also useful to know), but it could also be an attacker.

You can use deception as intrusion detection, like a tripwire, or you can intentionally expose it (which Microsoft itself is doing) “…as a way to gather threat intelligence about what attackers might be doing before compromise,” he said.

“In any case, the goal of deception technology is to significantly increase the cost to the attacker while decreasing the cost to the defender,” Bevington said.

Some deception techniques require more work. “Many customers are taking steps to adapt their baits, lures and traps to the way they work,” Bevington told us.

However, the operation of additional infrastructure costs time and money. You also need to make it look like a legitimate workload without copying any sensitive information, otherwise the attacker will know it’s fake. And the security team running a honeypot doesn’t always know what real-world workloads look like, like admins and operations teams do — but until now, software engineering teams haven’t had many tools to set these kinds of traps (although they do). would). Devops’ “Shift Left” philosophy means they are more concerned with security).

SEE: Mobile Security Policy (TechRepublic Premium)

Enter Honeytokens: Fake tokens that you build into your existing workloads with legitimate-looking names that match your real resources. They’re inexpensive and easy to deploy, can handle as many workloads as you run, and require little maintenance. Once set up, they can typically last for months or years without additional maintenance, Bevington says. “Tokens are now being used more frequently as a cheap and high-signal method to capture a whole range of opponents.”

The downside is that you don’t get a deep understanding of who an opponent is or what they’re trying to do when they stumble a honeytoken; A honeypot gives a security team more information about the attacker.

Which ones you need depends on your threat model, Bevington points out. “Honeypots have the potential to provide defenders with significant amounts of threat intelligence about who the attacker is and what they are trying to achieve, but at a higher cost, since honeypots require CPU and memory, and are either installed on a machine or a virtual machine, and require constant attention require maintain.” Many organizations do not need this additional information and may feel that tokens will suffice.

SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)

Honey tokens made easy

Microsoft has used deception techniques for a long time because of so many attackers trying to break into Microsoft services and customer accounts (this is part of what Microsoft calls its “sensor network”). “We’ve seen great value in embedding technologies like tokens and honeypots into our internal security posture,” Bevington said. This deceptive data has helped Microsoft analysts find new threats targeting Windows, Linux, and IoT devices. Disclosure of an open Docker API server found attackers using the Weave Scope monitoring framework to compromise containers and other deception technologies revealed how IoT like Mozi and Trickbot target IoT devices.

Once Microsoft has uncovered how attackers are compromising infrastructure, Microsoft can add protections in its Defender services for those specific attacks. It also makes decoy data available to researchers looking for ways to automate the processing of that data for detection.

But with the new Microsoft Sentinel Deception (Honey Tokens) solution for planting lock keys and secrets in Azure Key Vault, you don’t need to be a security expert to run deception technologies. “One of the goals of Sentinel and our recently released Azure Key Vault token preview is to reduce the complexity of deploying these solutions so that any organization interested in this technology can easily and securely deploy them,” said Bevington .

Screenshot of Azure Key Vault.
One of those secrets in Azure Key Vault is a honeytoken, but an attacker would be fooled. Image: Microsoft

It includes analysis rules for monitoring honeytoken activity (including an attacker attempting to disable that monitoring) and workbooks for deploying honeytokens (as well as recommendations in Azure Security Center) and investigating honeytoken incidents. Honeytokens are given names based on your existing keys and secrets, and you can use the same keyword prefixes that you use for your real tokens.

Screenshot of Azure Security Center.
Azure Security Center suggests where is the best place to deploy honeytokens. Image: Microsoft

It might seem counterintuitive to effectively invite attackers into a service as important as Azure Key Vault, but you’re really just finding out if you’ve secured the service properly with options like managed identity. With honeytokens pretending to be secrets and credentials, “the keys are such a significant reward to an attacker that they may expend significant resources trying to access that data,” Bevington pointed out. It’s important to establish basic security hygiene processes and practices like MFA and passwordless authentication, and ensure you closely monitor any alerts for your honeytoken or other deception technologies.

Think of this as another layer of defense. As well as tricking real attackers into pursuing fake resources, you can also see what a real attack would look like, e.g. B. Simulating denial of service attacks on resources that you protect with Azure services using services like Red Button or BreakingPoint Cloud. Try probing your own systems with Red Team tools like Stormspotter, which show you what resources are visible in your Azure subscriptions, so you know what an attacker would see if they looked around.

Use what you learn about attacker behavior through deception techniques to protect your true assets and can help you stay one step ahead.

Leave a Comment