Deciphering Deception Believability
Written by: Carolyn Crandall, Chief Deception Officer & CMO – Over the last couple of months, I have had the pleasure of working with several leading analyst organizations on deception research and reports. Things have come a long way from 4 years ago, when I often had to patiently recap why deception was not simply a honeypot.
The discussions have become much more interesting around deception techniques as well as how the technology has evolved to cover evolving attack surfaces. There are a couple of areas that are worth defining in more detail.
Decoy Authenticity and Credibility:
The first is credibility and authenticity. Deception technology takes different approaches to being attractive and believable to an attacker, and there are 2 fundamental approaches to decoy deployment: one uses real operating systems and services, and the other uses emulation to create the decoys.
Emulation, much as the term suggests, means emulating the expected environment so that the decoys look like what one would typically expect to find there. This is a common approach to decoy deployment because it is easy to stand up and, in some cases, is the only mechanism available for creating decoys. Deception providers that choose this method may go beyond offering out-of-the-box emulated deception and also provide a means for an organization to create its own emulated decoys. This can produce better decoys by improving the organization’s ability to match the real production environment more closely. Some deception providers offer their own developer kit for building these.
For optimal authenticity and believability, it is generally preferred to run the same OS, applications and services, or the exact “golden image” of the software being run in production. Where that is not possible, emulated decoys are made available and customers can use a wide variety of emulator tools to create the desired emulated images. This is often used for creating IoT and printer emulations and emulated honeypots such as Honeyd. Whether the custom image comes from a vendor developer kit or a third-party emulation kit, it can easily be uploaded for decoy creation.
- This is uniquely possible with Attivo since the ThreatDefend Deception Platform provides full OS VMs so that customers can load any emulator software they want from within the Attivo platform UI onto any VM, whether included or imported, and run it as a custom emulated decoy.
Another type of emulation one should be aware of is CVE emulation. Not to be confused with typical decoy preparation and deployment, a CVE emulator provides a way to script specific emulations based on a CVE. This is a native capability in the Attivo deception platform and gives the flexibility to project a customized emulated decoy with the CVE vulnerabilities the user wishes to use. This can be useful for simulating attacks and determining whether tools are able to detect them.
Alternatively, organizations that want an exact mirror-match and a high-interaction environment will opt for using real operating systems and services. Think of this as a good, better, best scenario.
- Emulation = good
- Customized emulation = better
- Real OS/Applications = best for attractiveness and authenticity.
Attivo Networks provides and recommends the real OS/applications approach, as it is preferred by customers and provides the highest level of believability to attackers. One should also not fall for FUD that this level of authenticity comes at a price. Machine learning makes preparation, deployment, and management automated and simple, so gaining this level of authenticity is no harder than deploying an emulated image. Also, because the decoys are projected from one base image, there is no requirement to maintain and patch software for each individual decoy. Don’t be fooled: ultimate authenticity is not as hard as your adversary may want you to continue to believe.
Credential Lures and Breadcrumbs Authenticity:
Creating decoys that blend in seamlessly with the production environment is critical, as is one’s approach to deploying deception credential lures. There are a variety of ways to deploy deception credentials, and different levels of validation need to be in place for believability. Active Directory is the most common way for an attacker to check whether credentials are real, so a best practice is to have deception breadcrumbs (credentials) validate within Active Directory (AD).
A useful but sometimes misunderstood tool for testing deception credentials is HoneypotBuster. To understand how it works, one must dig into the source code, which is available here: https://github.com/JavelinNetworks/HoneypotBuster/blob/master/Invoke-HoneypotBuster.ps1
The most important point I can call out is that there is no such thing as a zero score in HoneypotBuster. Any credential that does not match the domain the endpoint is in is skipped and will simply not be listed. This is a common misunderstanding among those who have not dug deeply into the code.
Here is some insight into how it works.
A score of 100 is the worst possible score and a score of 10 is the best possible score for a legitimate credential or authentic lure.
- If a user is not in AD: 100 (script lines 220-237)
- Credential is in AD: 10 (script line 238)
- Credential does not match the endpoint domain: 0 (script line 311)
Note: Credentials with a Score of 0 are marked as “BreadCrumbs” and therefore are not printed. These are easily identifiable as lures.
A real user credential will also show as 10, because it validates in AD and is assigned a value of 10. Credentials that are not in AD get a score of 100 and fail the HoneypotBuster test.
If the credentials are in AD, the tool will go on to test the following items. Points will be added for each condition.
- If the user is part of a privileged group: +10 points (script line 239)
- If the user logon count = 0: +25 points (script line 240)
- If the last logon timestamp = null: +35 points (script line 241)
- If the last logon attribute = 0: +24 points (script line 242)
- Print the credentials whose type is not equal to “BreadCrumbs” (script line 558)
It is important to understand this: anyone who tells you that a 10 is a bad score and that you should insist on a zero, or on not being shown at all, simply lacks an understanding of how the tool works. Keep in mind that legitimate credentials will score a 10 and anything that doesn’t validate fails completely.
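To make the scoring concrete, the following is an added example (not HoneypotBuster’s own code) that models the rules summarised above so a defender can check what score a planned lure would receive; the AD attribute names, the privileged-group set and the sample directory are constructed for illustration.

```python
# Model of the HoneypotBuster credential-scoring rules summarised in the post.
# Added example, not the tool's own code: attribute names, group set and the
# sample directory are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed sample set


@dataclass
class ADUser:
    """Constructed stand-in for the AD attributes the scoring consults."""
    groups: set = field(default_factory=set)
    logon_count: int = 0
    last_logon_timestamp: Optional[int] = None  # None models a null attribute
    last_logon: int = 0


# Constructed sample directory: an active real user and an AD-validated lure
# account that has never logged on.
SAMPLE_AD = {
    "alice": ADUser({"Domain Users"}, 412, 133_000_000_000, 133_000_000_000),
    "svc_backup": ADUser({"Domain Admins"}),
}


def score_credential(user, cred_domain, endpoint_domain, directory=SAMPLE_AD):
    """Return (score, kind): domain mismatch -> 0 'BreadCrumbs' (never printed);
    user absent from AD -> 100 (fails); user in AD -> 10 plus per-condition points."""
    if cred_domain.lower() != endpoint_domain.lower():
        return 0, "BreadCrumbs"
    record = directory.get(user)
    if record is None:
        return 100, "Credential"
    score = 10
    if record.groups & PRIVILEGED_GROUPS:
        score += 10
    if record.logon_count == 0:
        score += 25
    if record.last_logon_timestamp is None:
        score += 35
    if record.last_logon == 0:
        score += 24
    return score, "Credential"


def printed_results(creds, endpoint_domain, directory=SAMPLE_AD):
    """Return only the rows the tool prints: everything not typed 'BreadCrumbs'."""
    rows = []
    for user, cred_domain in creds:
        score, kind = score_credential(user, cred_domain, endpoint_domain, directory)
        if kind != "BreadCrumbs":
            rows.append((user, score))
    return rows
```

Running it against the sample directory shows why a real user and a well-validated lure both land at 10, while a never-used privileged lure account accumulates points and a foreign-domain credential is dropped from the output entirely.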
Attivo offers a comprehensive range of endpoint lure deployment options, so the customer can choose the method best suited to their requirements and leave no trace for an attacker to identify.
The following are methods that do not leave any traces.
- The Attivo platform can deploy endpoint lures natively via WMI or many third-party tools in a dissolvable mode that installs the lures and leaves no trace.
- Updating the endpoint lures does not require installing a service, as WMI or third-party tools can update them as well.
- Attivo also offers a non-persistent scheduled task option to deploy and update the lures.
The next method is sometimes chosen for a specific purpose and involves deploying a service at the endpoint. There are multiple ways to hide the service.
- The service application and installation script can be named anything the user wants, such as notepad or svrhost, with no indications that it is from Attivo Networks. Users can also sign the endpoint binary with their own code signing certificate.
I appreciate that I am only scratching the surface of how deep the technology goes in the breadth and depth of believability and attractiveness. I encourage everyone to read vendor comparison reports, which help educate on the value of deception, and to talk with Attivo about the different options and approaches that can be used to create a comprehensive and attractive deception fabric. It is also worthwhile to look at the management consoles and enterprise features to ensure that the chosen deception will easily scale and maintain believability to meet current and future needs in multi-cloud environments and the heavily interconnected world we have become.