Honeypots. This simple but efficient technology has existed for over a decade. Now it has grown into a major trend of cyber deception in the information security industry. Many cybersecurity companies offer capable solutions to dupe and track attackers in real time, adding new tools to the APT hunter's kit.
Since the very beginning of the Honeyd project, I have endorsed careful and well-thought-out usage of honeypots. Modern deceptive technologies are far more advanced than they were years ago. They offer Blue Teams a wealth of opportunities for timely detection and reliable mitigation of sophisticated intrusions, for threat intelligence correlation, and for proactive data breach prevention. However, deception technologies may unintentionally go beyond certain limits and expose organizations to new risks and dangers.
During the recent presidential elections in France, cybercriminals posted 9GB of files on Pastebin allegedly belonging to [the now elected president] Emmanuel Macron. Macron's team responded quickly and quite unusually, firmly stating that the stolen data was fake and, moreover, that they had been aware of the intrusion and had been preparing for it for a while in order to deceive the attackers. These contradictory claims attracted a lot of attention in our industry, which was virtually divided into two camps: admirers and careful skeptics. Assuming that Macron's team indeed managed to feed 9GB of fake data to the attackers, let's make a brief analysis of this smart and innovative technique and the potential pitfalls we should be aware of.
First of all, we should clearly distinguish professional Black Hats from annoying script kiddies. Yes, many of the recent major data breaches were conducted via basic SQL injections left unpatched for years, but in cyber deception we would rather hunt for the serious players from APT teams. Professional cyber mercenaries are familiar with Game Theory, and from now on they will all assume that they may be deceived by their victims.
On our side, meanwhile, building a fake system that would look genuine to experienced Black Hats would be very time- and resource-consuming. Moreover, once the attackers discover the honeypot, they will likely divide themselves into two teams: the first will distract the excited APT hunters by behaving as if they were indeed duped, while the second will successfully attack the abandoned systems holding your crown jewels. Therefore, by implementing deceptive technologies you accept a challenge to run a marathon on a slippery slope covered with fresh ice. A rebuttal of your data breach rebuttal may be even more embarrassing and harmful to your reputation than a simple hack.
Now, let's assume that you managed to build an almost exact copy of your production system with perfectly forged data. This means that you need to expose a significant amount of personal and other sensitive data; otherwise, it will unavoidably raise reasonable doubts with attackers, who will certainly re-verify their catch. Building such a data set is almost unfeasible without using at least some real personal data. In light of GDPR enforcement, have you considered what the EU courts will say about the intentional and deliberate exposure of personal data?
Mark Barwinski, CISSP, CISM, cybersecurity director at PwC Switzerland, comments: “In this day and age of shortened news cycles and snap sound bites, the challenge of deliberately seeding systems with fake information may prove to be just as damaging to an organization as real data, should it be leaked. What voters may remember is simply that 9GB of files were stolen and released two days before an election, failing to fully grasp key details. Thus, such tactics may not be appropriate in all circumstances alike.”
As you can see from the above, you need to be very prudent and careful when deploying cyber deception systems, and you must not underestimate your rivals in any manner. Like Bug Bounties, cyber deception systems are suitable mainly for well-prepared organizations with mature cybersecurity programs supported by sufficient technical and human resources.
What do you think of his tactics? Head to our Facebook page to let us know.