Rethinking Deception Systems in Today's Enterprise

Brenden Smith, Chief Information Security Officer at FirstBank

Deception Systems, or Honeypots, are systems designed to be intentionally desirable to attackers while safely alerting defenders to malicious activity. Five or ten years ago I viewed Deception Systems as primarily useful to research-based organizations, threat intelligence providers, and hobbyists. While there was a role for them in an enterprise environment, tooling like EDR or Application Control was the priority. In the last few years, the offerings and opportunities for Deception Systems have matured significantly, and they should be reconsidered.

A driving factor behind this maturation, and subsequently the need for Deception Systems in enterprise environments, is the continued evolution of attackers. Attackers have time and again demonstrated the ability to breach environments with sophisticated security programs and go undetected. In addition, the risk of supply chain compromise, similar to the SolarWinds breach, continues to rise. Finally, there are threat actors who have become comfortable targeting and thriving in systems that can’t be instrumented with EDR and other controls. This could include HVAC systems, thermostats, IoT devices, and other non-traditional targets (even a fish tank thermometer) where the Security Team has low visibility.

There are two value propositions worth considering immediately when looking at Deception Systems. The first is in securing third-party points of ingress into your environment, and the second is developing early warning systems for Ransomware.

Third-party due diligence has become an increasingly challenging proposition for Security Teams. How do you ensure every aspect of every service your organization uses is fully vetted and secure, especially when considering the case of a North American casino breached through its fish tank thermostat? There isn’t the time or the resources to complete the due diligence required for every service an organization uses.

As a result, it’s important to adopt a mindset shift. There is a realistic possibility that an attacker’s first foothold into your organization will come through a third-party product, service, or point of ingress. That knowledge can empower your defensive strategy. Consider an environment where Deception Systems have been deployed in close proximity to points of third-party ingress. If an attacker breaches your environment through a non-instrumented Internet of Things (IoT) device, their next step is likely persistence and lateral movement. What if there was an intentionally vulnerable server or simulated Domain Controller in the same local IP space? An attacker’s first few moments of lateral movement could result in the triggering of a Deception System. This type of high-fidelity alert can immediately let your Security Operations Center (SOC) know that something is wrong and that a threat actor is attempting something malicious.

A powerful aspect of Deception Systems is that they turn an attacker’s interests and objectives against them. This creates an opportunity for defenders to turn targets into Indicators of Compromise. A very relevant example of this is Ransomware. We’ve seen instances where Ransomware attacks have sought out financial statements or insurance documentation in victim organizations. Using Deception Systems, we can seed our environment with copies of these documents in readily accessible locations. Business units know where to find the real documents and aren’t likely to interact with our Deception Systems, which limits false positives. However, an attacker looking to leverage these sources is more likely to stumble onto them, alerting the SOC to both the threat actor and their intentions. This can be expanded to include tempting file shares, simulated VMware servers, or other commonly targeted infrastructure. Functionally, you can tie the implementation of the Deception System to the tool, tactic, or procedure you need to detect.
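As an added illustration (not part of the original article), the decoy-document approach above can be expressed as SOC detection logic: any access to a seeded document by an account that is not expected to touch it becomes an alert that names the actor and the lures they went after. The log format, file paths, account names and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed decoy inventory: normalised path -> what the lure imitates.
DECOYS = {
    r"\\fs01\public\finance\fy-financial-statements.xlsx": "financial statements",
    r"\\fs01\public\legal\cyber-insurance-policy.pdf": "insurance documentation",
}
# Accounts that legitimately read every file (assumed name); excluded to keep fidelity high.
EXPECTED_ACCOUNTS = {"svc-backup"}
# Operations that suggest encryption or tampering rather than browsing.
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}

# Constructed sample audit log: timestamp|account|source|operation|path
SAMPLE_LOG = r"""
2024-05-01T01:00:02Z|svc-backup|10.20.1.5|READ|\\fs01\public\finance\FY-financial-statements.xlsx
2024-05-01T02:14:07Z|jdoe|10.20.30.45|READ|\\fs01\public\finance\FY-financial-statements.xlsx
2024-05-01T02:14:31Z|jdoe|10.20.30.45|READ|//fs01/public/legal/cyber-insurance-policy.pdf
2024-05-01T02:15:10Z|asmith|10.20.7.12|READ|\\fs01\finance\real\FY-financial-statements.xlsx
2024-05-01T02:20:44Z|jdoe|10.20.30.45|RENAME|\\fs01\public\legal\cyber-insurance-policy.pdf
"""

def normalise(path):
    """Fold case and slash direction so path variants map to one decoy key."""
    return path.strip().replace("/", "\\").lower()

def decoy_alerts(log_text):
    """Return one alert per (account, source) that touched any decoy."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole run
        ts, account, src, op, path = parts
        lure = DECOYS.get(normalise(path))
        if lure is None or account.lower() in EXPECTED_ACCOUNTS:
            continue  # real document, or an account expected to read decoys
        hits[(account, src)].append((ts, op.upper(), lure))
    alerts = []
    for (account, src), events in sorted(hits.items()):
        modified = any(op in MODIFYING_OPS for _, op, _ in events)
        alerts.append({
            "account": account,
            "source": src,
            "first_seen": min(ts for ts, _, _ in events),
            "lures": sorted({lure for _, _, lure in events}),
            "severity": "critical" if modified else "high",
        })
    return alerts
```

The read of the real finance document and the backup account's pass over the decoy produce no alert, which is what keeps this signal high fidelity.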

These two use cases are just examples; the opportunities to instrument your environment are limited only by your imagination and the threats you face. The net effect of utilizing these types of strategies is that it empowers your SOC to respond faster and with more certainty to threats. It does this while requiring very little maintenance or support to function. Historically, most of the Deception Systems that were readily available were Open-Source projects that required some technical skillset to implement and maintain. Today there are commercially available products that are highly streamlined and require little to no effort to maintain once implemented. In addition, these products are inexpensive when compared to other solutions Security Teams are commonly pursuing. Open-Source solutions have also progressed significantly and may be worth evaluating alongside commercial options.

In a threat environment where we regularly see Zero Day vulnerabilities being exploited and supply chain compromises occurring, Deception Systems are starting to play a bigger role in providing high-fidelity alerting. Long term, there may be options to negotiate the placement of Deception Systems into third-party vendor environments as part of vendor diligence, or the ability to deploy entire packages of Ransomware-oriented Deception Systems into your environment. For those teams struggling with how to adapt to the current threat environment, it’s worthwhile to revisit these solutions and see how they might augment your program.
