Send attackers on a wild goose chase with deception technologies

Deception is an information security approach for identifying and changing attacker behavior, tying up his time, and sending him packing.

Midsized companies with revenues from $100 million to $1 billion spent an average of $3 million on information security as of 2014 per “The Global State of Information Security Survey 2015” from PwC.

“I promise you, bad guys are not spending $3 million to break into your organization,” says Allen Harper, chief hacker, Tangible Security. Still, information burglars are getting through.

And since 92 percent of IT and security professionals surveyed globally run signature-based antivirus software on their servers, according to Bit9’s 2013 Server Security Survey, even though AV cannot stop advanced threats and targeted attacks, exploits such as zero-days, which have no signatures yet, give attackers the upper hand.

To turn the tide, security experts are pressing enterprises to adopt behavior-based approaches, in which an illicit behavior identifies a probable exploit whether or not security software has a copy of its “fingerprint.” Security researchers are updating a behavior-based approach that has been around for decades.

That approach is deception. Deception identifies an attacker the moment he exhibits the behavior of falling for it, such as by trying to interact with a fake web server that no one with a legitimate business purpose would ever touch. CSO explores the purposes and strengths of deception together with examples of its technologies and approaches.

Purposes and strengths

“I want the bad guy to expend more effort trying to break in than I expend to keep him out,” says Harper. Deception approaches make life harder for an attacker and easier for the enterprise. Used properly, deception leads cyber criminals to spend ever more time, effort, and resources breaking through your defenses while making it easier for you to detect and dispense with them.

“Effective deception tools change the behavior of the adversary,” says Harper. They make the work on the cyber hood’s plate pile up while offering no reward for his trouble. His thought processes must adjust because he has to deal with something he wasn’t counting on. You are no longer the low hanging fruit. And it will be easier for him to simply attack another range of IP addresses that belong to someone else.


“Deception keeps the efforts of the defending enterprise at a manageable level,” says Harper. The cyber thug has worked to locate IP addresses and ports that appear to have the servers and services he can benefit from attacking. He has worked to develop specific tools and approaches that routinely prove effective at breaking in and stealing data. He has fine-tuned his ability to stealth his activities.


Yet, the ports are bare and the servers and services are phony. Every tool and approach he knows falls flat, going nowhere and rendering nothing. And because he is attacking a deception that has no business use, no one ever goes there but hoodlum hackers, so you can instantly identify him on his first attempt.

Deception technologies and approaches

‘Medium-Interaction’ Honeypots to the Rescue

Honeypots are a form of deception and traditionally come in two varieties, now three if you ask Harper. High-interaction honeypots are fully live systems sitting on the network, set up with real services that an attacker can poke and prod. While the systems do not have any legitimate use, nothing there is fake and so the enterprise would need to institute security and monitoring around it, both to detect when someone has taken the bait and to ensure that an attacker doesn’t make it beyond the honeypot to the rest of the network, explains Harper. “We call it high-interaction because the attacker has a lot to work with,” says Harper.

Another form is the low-interaction honeypot. This kind is entirely phony. “If you break it, it will just crash the application at the end of it,” says Harper. These are rightly called low-interaction honeypots because they don’t keep an attacker fooled or interested for very long.

“Now there’s something in between, which I would call a medium-interaction honeypot. And I think TrapX is a good example of that,” says Harper. (Honey Badger, mentioned later, is a similar tool. Dionaea is still another example of a tool for setting up honeypots.)

Medium-interaction honeypots are fake, yet give the attacker a lot to work with, so he stays engaged longer, you fool him longer, and you have more time to learn about him. They can even help you learn enough about an attack, such as a zero-day exploit, to produce a signature for it. For this reason, attackers who realize that a network uses these honeypots will go elsewhere, lest they lose their complex zero-day exploit to an antivirus signature, explains Harper.
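To make the medium-interaction idea concrete, here is an added example (written for this article, not code from TrapX, Honey Badger, Dionaea or any other product) of a fake Telnet-style shell decoy. It accepts whatever credentials are offered, answers the handful of reconnaissance commands intruders run first with canned output, and records every command and every URL the attacker tries to fetch, which is the raw material for the indicators and signatures Harper describes. The hostname, the canned command output and the port are assumptions; the protocol logic is kept separate from the socket code so it can be exercised without a network.

```python
import re
import socketserver
from dataclasses import dataclass, field

HOSTNAME = "db-backup-02"          # assumption: the decoy poses as an internal backup host
PROMPT = f"[root@{HOSTNAME} ~]# "
MAX_COMMANDS = 100                 # close long sessions so a scanner cannot tie up the decoy
URL_RE = re.compile(r"https?://[^\s'\";]+")

# Canned answers for the recon commands intruders run first; constructed, nothing here is real.
CANNED = {
    "whoami": "root",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "hostname": HOSTNAME,
    "uname -a": f"Linux {HOSTNAME} 4.4.0-generic #1 SMP x86_64 GNU/Linux",
    "pwd": "/root",
    "ls": "backup.sh  db-dump-2014-11.sql.gz  notes.txt",
    "cat notes.txt": "reminder: rotate the backup credentials",
}


@dataclass
class ShellDecoySession:
    """Protocol logic for one attacker session, kept free of socket code so it can be tested."""
    peer: str
    state: str = "user"            # user -> password -> shell -> closed
    username: str = ""
    credentials: list = field(default_factory=list)
    commands: list = field(default_factory=list)
    indicators: set = field(default_factory=set)

    def greeting(self) -> str:
        return "login: "

    def handle(self, line: str) -> str:
        line = line.strip()
        if self.state == "user":
            self.username = line
            self.state = "password"
            return "Password: "
        if self.state == "password":
            # Any password is accepted: the guess itself is the intelligence.
            self.credentials.append(f"{self.username}:{line}")
            self.state = "shell"
            return PROMPT
        if self.state == "closed":
            return ""
        self.commands.append(line)
        self.indicators.update(URL_RE.findall(line))   # payload hosts the attacker wants fetched
        if line in ("exit", "logout") or len(self.commands) >= MAX_COMMANDS:
            self.state = "closed"
            return "logout\n"
        prog = line.split()[0] if line else ""
        if line in CANNED:
            out = CANNED[line]
        elif prog in ("wget", "curl"):
            # The decoy has no egress; a timeout is believable and the URL is already recorded.
            out = f"{prog}: connection timed out"
        elif prog:
            out = f"-bash: {prog}: command not found"
        else:
            out = ""
        return (out + "\n" if out else "") + PROMPT


def summarize(session: ShellDecoySession) -> dict:
    """Alert record: a decoy has no legitimate users, so any session at all is worth a ticket."""
    return {
        "peer": session.peer,
        "credentials": list(session.credentials),
        "commands": list(session.commands),
        "indicators": sorted(session.indicators),
    }


class DecoyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = ShellDecoySession(peer=self.client_address[0])
        self.wfile.write(session.greeting().encode())
        while session.state != "closed":
            raw = self.rfile.readline()
            if not raw:            # attacker disconnected
                break
            self.wfile.write(session.handle(raw.decode(errors="replace")).encode())
        print(summarize(session))


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), DecoyHandler) as server:
        server.serve_forever()
```

Run it on an isolated decoy host with no outbound access and ship the summary records to your SIEM; because nothing legitimate ever logs in here, each record can be alerted on without a tuning phase. The credential pairs and fetched URLs are the pieces you would turn into blocklist entries or detection signatures for the rest of the estate.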

The Active Defense Harbinger Distribution

The Active Defense Harbinger Distribution (ADHD) is a Linux distribution dedicated to deception. This distribution includes tools such as Honey Badger, Artillery, WebLabyrinth, and Spidertrap. “The Active Defense Harbinger Distribution is designed to make it as easy as possible for someone to utilize these tools and implement them in their own organization, with full step-by-step tutorials built in,” says John Strand, Instructor, SANS Institute.

The Honey Badger tool is a honeypot that purports to offer attackers the administrative functions they want to control. “It has applications in the form of ActiveX controls or Java applets. When the attacker runs them thinking that they’re going to successfully hack into the site, it actually does geolocation on where the hacker is, within 20 meters,” says Strand. The tool estimates geolocation using the technology smartphones use, triangulating position in relation to nearby cell sites and wireless access points (WAPs). This helps legal authorities to act more precisely.

The Artillery tool (Portspoof, which is also part of ADHD, is a similar tool) is a port spoofing tool that fools an attacker into thinking every port is open and that something worth attacking is waiting behind each one. The confusion makes the attacker take longer, and in the meantime the enterprise has more time to detect and learn about him. “Artillery will eventually actively shun an attacker,” says Strand. It does not shun arbitrarily, though: it bans a source only after that source’s activity crosses a configured threshold.
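The threshold-then-shun behavior is easy to get wrong in two directions: ban too eagerly and you drop your own vulnerability scanner, ban too lazily and the decoy is just a logger. The following is an added example of that logic, written for this article rather than taken from Artillery or Portspoof. It listens on a set of decoy ports, answers every connection with a generic banner, counts touches per source inside a sliding window, and returns the firewall rule it would apply once the threshold is met. The port list, threshold, window, allowlist entry and iptables chain name are all assumptions; the rule is returned rather than executed so the block runs anywhere.

```python
import collections
import socketserver
import threading
import time

DECOY_PORTS = [21, 23, 1433, 3306, 5900, 8080]   # assumption: none are in legitimate use on this host
THRESHOLD = 5                                    # decoy touches in the window before a source is shunned
WINDOW_SECONDS = 60
ALLOWLIST = {"10.0.0.5"}                         # assumption: the authorised vulnerability scanner
CHAIN = "DECOY_SHUN"                             # assumption: an iptables chain created beforehand


class ShunMonitor:
    """Counts decoy touches per source inside a sliding window and decides when to shun."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, allowlist=ALLOWLIST):
        self.threshold = threshold
        self.window = window
        self.allowlist = set(allowlist)
        self.hits = collections.defaultdict(collections.deque)
        self.shunned = set()
        self.lock = threading.Lock()

    def record(self, ip, port, now=None):
        """Register one touch; returns 'log', 'shun', 'already-shunned' or 'allowlisted'."""
        now = time.time() if now is None else now
        with self.lock:
            recent = self.hits[ip]
            recent.append((now, port))
            while recent and now - recent[0][0] > self.window:
                recent.popleft()                 # forget old touches: a slow scan is not banned
            if ip in self.allowlist:
                return "allowlisted"
            if ip in self.shunned:
                return "already-shunned"
            if len(recent) >= self.threshold:
                self.shunned.add(ip)
                return "shun"
            return "log"


def shun_rule(ip):
    """The firewall command a real deployment would execute (returned, not run, here)."""
    return ["iptables", "-A", CHAIN, "-s", ip, "-j", "DROP"]


class SpoofHandler(socketserver.StreamRequestHandler):
    monitor = ShunMonitor()

    def handle(self):
        ip = self.client_address[0]
        port = self.server.server_address[1]
        verdict = self.monitor.record(ip, port)
        print(f"decoy port {port} touched by {ip}: {verdict}")
        if verdict == "shun":
            print("would run:", " ".join(shun_rule(ip)))   # wire to subprocess.run on a real decoy
        # A generic banner so every port looks like a live service worth a closer look.
        self.wfile.write(f"220 service on port {port} ready\r\n".encode())


def serve(ports=DECOY_PORTS):
    """Bind one listener per decoy port, each in its own thread; returns the server objects."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    servers = [socketserver.ThreadingTCPServer(("0.0.0.0", p), SpoofHandler) for p in ports]
    for s in servers:
        threading.Thread(target=s.serve_forever, daemon=True).start()
    return servers


if __name__ == "__main__":
    serve()
    threading.Event().wait()      # run until killed
```

Binding ports below 1024 needs root, so run this on a dedicated decoy host, never alongside production services. The allowlist matters: an authorized scanner will trip every decoy port in seconds, and without it the first scheduled scan would shun your own tooling.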

The WebLabyrinth tool works on the assumption that cyber criminals will crawl your website to identify web pages and input fields for exploitation. “WebLabyrinth serves up a whole bunch of fake pages to the bad guy. So whenever they’re trying to crawl the website, their crawling tool just crawls infinitely. It’ll never finish. That forces the bad guy to manually crawl the website instead of trying to use automated tools,” says Strand. It can even crash the attacker’s system. At that point, he may simply give up and go elsewhere.

The Spidertrap tool, similar to WebLabyrinth, feeds attackers a list of sensitive-looking directories, making them think the directories all exist on the server, baiting them in further and causing them to waste still more time, according to Strand.
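The WebLabyrinth and Spidertrap passages above describe one mechanism from two angles: an endless, self-consistent tree of fake pages whose names look like the directories a brute-forcing wordlist hopes to find, placed where no legitimate link and no robots.txt-honoring crawler would go. Here is an added example of that mechanism, written for this article and not code from ADHD or either tool. The `/internal` prefix, the bait words and the port are assumptions. The crawler in `simulate_crawler` is a constructed attacker used to show that the frontier never empties.

```python
import collections
import hashlib
import http.server

PREFIX = "/internal"       # assumption: nothing legitimate links here, and robots.txt disallows it
LINKS_PER_PAGE = 8
# Directory names a brute-forcing wordlist hopes to find; constructed bait in the Spidertrap spirit.
BAIT_WORDS = ["admin", "backup", "config", "db", "old", "private", "secret", "upload", "logs", "test"]
LABYRINTH_HITS = []        # (ip, path) for every request into the maze; each one is a detection


def page_links(path):
    """Deterministic children: revisiting a path shows the same links (so the maze looks like a
    real site), but every child is deeper than its parent, so the crawl never bottoms out."""
    digest = hashlib.sha256(path.encode()).digest()
    links = []
    for i in range(LINKS_PER_PAGE):
        word = BAIT_WORDS[digest[i] % len(BAIT_WORDS)]
        token = digest[LINKS_PER_PAGE + i:LINKS_PER_PAGE + i + 3].hex()
        links.append(f"{path.rstrip('/')}/{word}_{token}/")
    return links


def render(path):
    """A plain directory-index page; the only content is more links into the maze."""
    items = "\n".join(f'<li><a href="{link}">{link.rsplit("/", 2)[-2]}/</a></li>'
                      for link in page_links(path))
    return (f"<html><head><title>Index of {path}</title></head><body>"
            f"<h1>Index of {path}</h1><ul>\n{items}\n</ul></body></html>")


def robots_txt():
    # Well-behaved crawlers honour this; anything that enters PREFIX anyway chose to ignore it.
    return f"User-agent: *\nDisallow: {PREFIX}/\n"


def handle_request(ip, path):
    """Route one request; returns (status, body) and logs every hit inside the maze."""
    if path == "/robots.txt":
        return 200, robots_txt()
    if path == PREFIX or path.startswith(PREFIX + "/"):
        LABYRINTH_HITS.append((ip, path))
        return 200, render(path)
    return 404, "Not Found"


def simulate_crawler(start, budget, ip="192.0.2.10"):
    """Naive breadth-first crawler (constructed attacker) with a page budget.
    Returns (pages fetched, links still queued): the queue only ever grows."""
    seen, frontier, fetched = set(), collections.deque([start]), 0
    while frontier and fetched < budget:
        path = frontier.popleft()
        if path in seen:
            continue
        seen.add(path)
        fetched += 1
        status, _ = handle_request(ip, path)
        if status == 200 and path != "/robots.txt":
            frontier.extend(page_links(path))
    return fetched, len(frontier)


class LabyrinthHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        path = self.path.split("?", 1)[0]
        status, body = handle_request(self.client_address[0], path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain" if path == "/robots.txt" else "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), LabyrinthHandler).serve_forever()
```

In a real deployment the maze sits behind a hidden link on the genuine site (an anchor no human sees, or a path listed only in robots.txt), so the very first request for anything under the prefix is already a high-confidence signal that an automated tool is ignoring the rules; the pages themselves cost nothing to generate, while the crawler's queue and memory grow without bound.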


By David Geer
