Send attackers on a wild goose chase with deception technologies

Midsized companies with revenues from $100 million to $1 billion spent an average of $3 million on information security as of 2014 per “The Global State of Information Security Survey 2015” from PwC.

“I promise you, bad guys are not spending $3 million to break into your organization,” says Allen Harper, chief hacker, Tangible Security. Still information burglars are getting through.

And since 92 percent of IT and security professionals surveyed globally use signature-based antivirus software on their servers, despite AV’s inability to stop advanced threats and targeted attacks, according to Bit9’s 2013 Server Security Survey, exploits such as zero-days, which have no signatures give attackers the upper hand.

To turn the tide, security experts are pressing enterprises to turn to behavior-based approaches where an illicit behavior can identify a probable exploit, whether security software has an example of its ‘fingerprint” or not. Security researchers are updating a behavior-based approach that has been around for decades.

That approach is Deception. Deception identifies an attacker when they exhibit the behavior of simply falling for the Deception, such as by trying to interact with a fake web server that no one with a legitimate business purpose is using. CSO explores the purposes and strengths of Deception together with examples of its technologies and approaches.

Purposes and strengths

“I want the bad guy to expend more effort trying to break in than I expend to keep him out,” says Harper. Deception approaches work to make life harder for an attacker and easier for the enterprise. Used properly, deception will lead cyber criminals to exert increasing amounts of time, effort, and resources to break through your defenses while making it easier for you to detect and dispense with them with less effort.

“Effective deception tools change the behavior of the adversary,” says Harper. They make the work on the cyber hood’s plate pile up while offering no reward for his trouble. His thought processes must adjust because he has to deal with something he wasn’t counting on. You are no longer the low hanging fruit. And it will be easier for him to simply attack another range of IP addresses that belong to someone else.

“Deception keeps the efforts of the defending enterprise at a manageable level,” says Harper. The cyber thug has worked to locate IP addresses and ports that appear to have the servers and services he can benefit from attacking. He has worked to develop specific tools and approaches that routinely prove effective at breaking in and stealing data. He has fine-tuned his ability to stealth his activities.

John Strand, Instructor, SANS Institute

Yet, the ports are bare and the servers and services are phony. Every tool and approach he knows falls flat, going nowhere and rendering nothing. And because he is attacking a deception that has no business use, no one ever goes there but hoodlum hackers, so you can instantly identify him on his first attempt.

Deception technologies and approaches

‘Medium-Interaction’ Honeypots to the Rescue

Honeypots are a form of deception and traditionally come in two varieties, now three if you ask Harper. High-interaction honeypots are fully live systems sitting on the network, set up with real services that an attacker can poke and prod. While the systems do not have any legitimate use, nothing there is fake and so the enterprise would need to institute security and monitoring around it, both to detect when someone has taken the bait and to ensure that an attacker doesn’t make it beyond the honeypot to the rest of the network, explains Harper. “We call it high-interaction because the attacker has a lot to work with,” says Harper.

Another form is the low-interaction honeypot. This kind is entirely phony. “If you break it, it will just crash the application at the end of it,” says Harper. These are rightly called low-interaction honeypots because they don’t keep an attacker fooled / interested for very long.

“Now there’s something in between, which I would call a medium-interaction honeypot. And I think TrapX is a good example of that,” says Harper. (Honey Badger, mentioned later is a similar tool. Dionaea is still another example of a tool for setting up honeypots.)

Medium-interaction tools are tools that are fake and yet give the attacker a lot to work with, so they stay involved longer, you fool them longer, and it gives you more time to learn about them. They can even help you learn enough about an attack like a Zero-Day Exploit to be able to produce a signature for it. For this reason, attackers who realize that a network uses these honeypots will go elsewhere, lest they lose their complex Zero-Day exploit to an antivirus signature, explains Harper.

The Active Defense Harbinger Distribution

The Active Defense Harbinger Distribution (ADHD) is a Linux distribution dedicated to deception. This distribution includes tools such as Honey Badger, Artillery, WebLabyrinth, and Spidertrap. “The Active Defense Harbinger Distribution is designed to make it as easy as possible for someone to utilize these tools and implement them in their own organization, with full step-by-step tutorials built in,” says John Strand, Instructor, SANS Institute.

The Honey Badger tool is a honeypot that purports to offer attackers the administrative functions they want to control. “It has applications in the form of ActiveX controls or Java applets. When the attacker runs them thinking that they’re going to successfully hack into the site, it actually does geolocation on where the hacker is, within 20 meters,” says Strand. The tool estimates geolocation using the technology smartphones use, triangulating position in relation to nearby cell sites and WAPs. This helps legal authorities to act more precisely.

The Artillery tool (Port Spoof, which is also part of ADHD is a similar tool) is a port spoofing tool that will fool an attacker into thinking that every port is open and that something worthy of attack is waiting there. It confuses the attacker, which makes them take longer. In the meantime, the enterprise has more time to detect and learn about the attacker. “Artillery will eventually actively shun an attacker,” says Strand. But it’s not going to shun you arbitrarily, instead setting a threshold that you must meet.

The WebLabyrinth tool works on the assumption that cyber criminals will crawl your website to identify web pages and input fields for exploitation. “WebLabyrinth serves up a whole bunch of fake pages to the bad guy. So whenever they’re trying to crawl the website, their crawling tool just crawls infinitely. It’ll never finish. That forces the bad guy to manually crawl the website instead of trying to use automated tools,” says Strand. It can even crash the attacker’s system. At that point, he may simply give up and go elsewhere.

The Spidertrap tool, similar to WebLabyrinth feeds attackers a list of sensitive directories, making him think that they all exist on this server, baiting them in all the more, causing them to waste more time, according to Strand.