There are many ways to fool an attacker into disclosing important information about their methods and techniques. In this video, you’ll learn how to use deception and disruption to protect your network.
As an IT security professional, you’ll spend a lot of time trying to prevent attackers from gaining access to your systems. But you can also turn that same security knowledge and those same techniques around to create deception and disruption for the attackers themselves.
One way to provide this deception is by using a honeypot. A honeypot attracts attackers to a system and keeps them engaged with it so that you can observe the security techniques they are trying to use against you. In most of these cases, of course, the attacker is actually an automated process, and what you’re really trying to learn is what type of automation is being used and what types of systems it is trying to attack.
These honeypots form a virtual world that attracts these automated systems or attackers, who then spend all of their time trying to identify or attack systems that in reality are not part of your production environment. If you want to build your own honeypot and virtual world, you can do so using a number of commercial and open-source software packages.
This also creates a bit of a race between you, building virtual worlds that in most cases are not production systems, and the attackers, who are trying to discern whether these are real systems or whether they have been trapped inside of a honeypot. As attackers get better at identifying a honeypot, we increase the complexity and intelligence of our honeypots to make them that much more realistic.
It’s very common, in fact, to combine a number of these virtualized honeypots into much larger infrastructures that we call honeynets. These honeynets may consist of workstations, servers, routers, firewalls, and anything else to make the entire infrastructure look a little bit more real to the attacker. Once you combine all of these smaller honeypots into one much larger honeynet, you’ve now created a much more believable environment and hopefully one that will keep the attackers very busy. If you’d like to learn more about the techniques and technologies we’re using today to create these honeypots and honeynets, you can visit projecthoneypot.org.
We can even go down to the file level and create honeyfiles. These are files that have fake information, or they may be files that appear to be very important or contain sensitive information. For example, you might have a honeyfile called passwords.txt, which, of course, does not actually contain the passwords to your systems. But the attacker doesn’t know that. And they may find this to be a very attractive file and spend a lot of time going through the information contained within that honeyfile.
In your normal production network, no one should be accessing these honeyfiles. So if someone does gain access to the file and opens or views the information, you may want to have alerts or alarms sent back to a management station so that you know someone is poking around in the honeyfiles who probably should not be there.
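As an added example (not from the video), here is how that alerting could work: a small Python detector fed constructed file-access log records, flagging any access to a honeyfile by an account other than an allowlisted backup agent, and escalating when one account touches more than one honeyfile in the same window. The log format, paths, account names and severity scheme are all assumptions for illustration, not any product's real output.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample: one JSON record per line from a hypothetical file-access
# monitor on a file server. These are not real logs from any product.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:14:02Z", "user": "alice", "host": "fs01", "action": "read", "path": "/srv/share/finance/q1.xlsx"}
{"ts": "2024-03-01T09:15:40Z", "user": "svc_backup", "host": "fs01", "action": "read", "path": "/srv/share/passwords.txt"}
{"ts": "2024-03-01T09:16:11Z", "user": "bob", "host": "fs01", "action": "read", "path": "/srv/share/passwords.txt"}
this line is not valid JSON and must not crash the detector
{"ts": "2024-03-01T09:16:12Z", "user": "bob", "host": "fs01", "action": "read", "path": "/srv/share/hr/salaries_2023.csv"}
{"ts": "2024-03-01T09:20:00Z", "user": "carol", "host": "fs02", "action": "write", "path": "/srv/share/notes.txt"}
"""

# Honeyfiles: paths that nobody in production has a reason to touch (constructed).
HONEYFILES = {"/srv/share/passwords.txt", "/srv/share/hr/salaries_2023.csv"}

# Accounts that legitimately read every file (a backup agent) and should not alert.
ALLOWED_ACCOUNTS = {"svc_backup"}

REQUIRED_FIELDS = {"ts", "user", "host", "action", "path"}


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    host: str
    action: str
    path: str
    severity: str


def parse_records(raw_log: str) -> Iterable[dict]:
    """Yield well-formed records and skip blank or malformed lines instead of
    failing: a detector that dies on one bad line stops watching the honeyfiles."""
    for line in raw_log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and REQUIRED_FIELDS.issubset(rec):
            yield rec


def honeyfile_alerts(raw_log: str, honeyfiles: Set[str],
                     allowed_accounts: Set[str] = frozenset()) -> List[Alert]:
    """Return one Alert per honeyfile access by a non-allowlisted account.

    Severity is 'high' for a single honeyfile and 'critical' when the same
    account touched two or more distinct honeyfiles within this log window."""
    hits = [rec for rec in parse_records(raw_log)
            if rec["path"] in honeyfiles and rec["user"] not in allowed_accounts]
    # Distinct honeyfiles touched per user decides the severity of each alert.
    distinct = {}
    for rec in hits:
        distinct.setdefault(rec["user"], set()).add(rec["path"])
    return [
        Alert(ts=rec["ts"], user=rec["user"], host=rec["host"],
              action=rec["action"], path=rec["path"],
              severity="critical" if len(distinct[rec["user"]]) >= 2 else "high")
        for rec in hits
    ]


if __name__ == "__main__":
    for a in honeyfile_alerts(SAMPLE_LOG, HONEYFILES, ALLOWED_ACCOUNTS):
        print(f"[{a.severity.upper()}] {a.ts} {a.user}@{a.host} {a.action} {a.path}")
```

Run against the constructed log, only `bob` trips the wire: the backup account is allowlisted, `alice` and `carol` never touch a honeyfile, and the malformed line is skipped. Because `bob` opened two different honeyfiles, both of his alerts are raised to critical rather than high.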
Another type of data that can help you identify when your information is being leaked to the public is a honeytoken. Honeytokens are small pieces of traceable data that you add to your honeynet, so if that information is copied and distributed, you know exactly where it came from.
For example, you might put API credentials out on a public cloud share to see who may come by and grab those credentials. Of course, these API credentials are not actual usable API credentials. You’ve simply made them up and put them into a file that is then accessed by the attacker.
Or you might have a file that contains a number of fake email addresses. Because these email addresses are not used by anyone, you can constantly monitor for those addresses to appear somewhere else on the internet. And if they do, you can see exactly who posted it, which might give you information about who may be attacking your network.
And of course, these honeytokens can be any type of data that you might falsify and put into an area for an attacker to find. This could be database records, browser cookies, pixels on a web page, or anything else that you could track if it happens to be posted somewhere else on the internet.
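To make the "you know exactly where it came from" part concrete, here is an added Python example (not from the video) of a traceable honeytoken: a fake API credential whose body encodes a placement identifier plus an HMAC tag, so that when the string surfaces in a paste or a public repository you can both prove it is yours and look up where it was planted. The `hk_` key format, the placement registry and the sample text are constructed for this illustration and do not follow any real vendor's credential format.

```python
import base64
import binascii
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed registry: placement id -> where that token was planted.
# In practice this mapping lives wherever your alerts are handled (SIEM, ticketing).
PLACEMENTS: Dict[int, str] = {
    1: "public cloud share: marketing-assets bucket",
    2: "honeyfile /srv/share/passwords.txt",
    3: "fake customer record in CRM export",
}

TOKEN_PREFIX = "hk_"           # constructed format, not any real vendor's key format
NONCE_LEN = 6
TAG_LEN = 10
BODY_LEN = 2 + NONCE_LEN       # 2-byte placement id + nonce
TOKEN_RE = re.compile(r"\bhk_[a-z2-7]{29}\b")  # 18 bytes -> 29 unpadded base32 chars


def make_honeytoken(secret_key: bytes, placement_id: int,
                    nonce: Optional[bytes] = None) -> str:
    """Build a fake credential whose body carries an HMAC over its own origin.

    Layout (before base32): placement_id (2 bytes) | nonce (6 bytes) | tag (10 bytes).
    The tag lets you later prove the string is one of yours and not a coincidence;
    the nonce makes every planted copy unique even for the same placement."""
    if not 0 <= placement_id < 2 ** 16:
        raise ValueError("placement_id must fit in 16 bits")
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    body = placement_id.to_bytes(2, "big") + nonce
    tag = hmac.new(secret_key, body, hashlib.sha256).digest()[:TAG_LEN]
    encoded = base64.b32encode(body + tag).decode("ascii").rstrip("=").lower()
    return TOKEN_PREFIX + encoded


def trace_honeytoken(secret_key: bytes, token: str,
                     registry: Dict[int, str]) -> Optional[str]:
    """Return the placement a leaked token came from, or None if the string is
    malformed, tampered with, or simply not one of ours."""
    if not token.startswith(TOKEN_PREFIX):
        return None
    raw = token[len(TOKEN_PREFIX):].upper()
    raw += "=" * (-len(raw) % 8)          # restore the padding stripped at creation
    try:
        data = base64.b32decode(raw)
    except (binascii.Error, ValueError):
        return None
    if len(data) != BODY_LEN + TAG_LEN:
        return None
    body, tag = data[:BODY_LEN], data[BODY_LEN:]
    expected = hmac.new(secret_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return registry.get(int.from_bytes(body[:2], "big"))


def find_honeytokens(secret_key: bytes, text: str,
                     registry: Dict[int, str]) -> List[Tuple[str, str]]:
    """Scan a blob of text (a paste, a public repo, a forum post) for our tokens
    and return (token, placement) for each candidate that authenticates."""
    found = []
    for candidate in TOKEN_RE.findall(text):
        placement = trace_honeytoken(secret_key, candidate, registry)
        if placement is not None:
            found.append((candidate, placement))
    return found


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # keep this key out of the honeynet itself
    planted = make_honeytoken(key, 1)
    paste = f'config = {{"api_key": "{planted}", "region": "eu-west-1"}}'
    print(find_honeytokens(key, paste, PLACEMENTS))
```

The HMAC is what makes the token trustworthy as evidence: a lookalike string that merely matches the pattern, or a token altered by whoever copied it, fails `trace_honeytoken` instead of pointing at the wrong placement. The secret key must live only on the monitoring side; the planted data contains nothing that lets a reader forge a token that traces to a placement of their choosing.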