Honeypots in particular, and Deception techniques in general, have become a useful tool for detecting intrusions into company systems and unravelling the modus operandi of hostile actors.
«Know your enemy and know yourself; in a hundred battles, you will never be defeated». Sun Tzu’s The Art of War is a universal treatise that has defeated time. It has probably also defeated space. Its reflections, originally military, are today grey matter in the best business schools in the world because they cut across disciplines: they apply to any sector and field, including, of course, the world of cybersecurity. Deception techniques are good proof of this.
In essence, these tools are partly based on the Chinese philosopher’s injunction: Know your enemy so you will be able to defeat him. But they go much further, in fact, because their primary purpose is to detect hostile actors.
Honeypots, among other Deception techniques, are decoys that identify the presence of an unauthorized actor on a company’s systems. A trap, in short, to detect intrusions and, by extension, to analyze their behavior.
Studying the techniques of cybercriminals is a very useful raw material for prevention and for building more resilient cyber-defense structures.
In fact, the most recent statistics on cyber-attacks point to the desirability of implementing a strategy in this field. More than 350,000 malware attacks per day, 300 million ransomware attacks in the first half of the year…
Standing still is no longer an option. Nowadays the bad guys are outnumbered and outwitted. That is why cybersecurity has become one of the central disciplines of this era.
Hunting with the hunters
Few voices are as authoritative as the Threat Hunting team at BlackArrow, the offensive and defensive services division of Tarlogic Security. A high-level department dedicated to doing just that: scouring the digital world for new cyber threats and hostile actors.
They are, to put it bluntly, elite explorers.
A team that works on a daily basis with Honeypots and Deception techniques. Tools that José Lancharro, the director of BlackArrow, describes with a very graphic metaphor:
«A Honeypot is the lure that you present to an intruder in order to entertain them. You give them a toy and thereby achieve two objectives: you keep them away from critical systems and you study their behavior».
And what are these traps? Fake credentials, a fake environment… A hook to identify the presence of an intruder in a company’s network. A proactive solution to the growing volume of threats.
«It’s better to know that someone is inside my systems than not to know. Honeypot and deception techniques help us to do this», he explains.
Lancharro points out that these traps are at the origin of cybersecurity, back in the 1980s. And he alludes to one of the iconic books in the world of hacking to illustrate it, The Cuckoo’s Egg, by Clifford Stoll.
A delightful work (and accessible to all audiences, by the way) based on a real case starring Stoll himself, an eminent physicist and astronomer at the University of Berkeley. The book describes the crusade he undertook in the late 1980s to identify a hacker who had penetrated the Lawrence Berkeley National Laboratory system.
Inspiration for the discipline
The traps he set for him were a kind of inspiration for later generations.
Since then, the discipline has continued to evolve. The director of BlackArrow explains that when it comes to implementing Deception techniques, there are essentially two strategies.
One is to deploy a synthetic service. An attractive piece of candy, irresistible to hostile actors: a fake VPN, an RDP (remote desktop) service, a secure shell (SSH) service…
The second is what is known as a Honeytoken. In short, a trap in the form of data. Most commonly, a password artificially created and exposed to prying eyes, to detect the presence of cybercriminals on the company’s systems.
This tool can be very useful over time to detect intrusions because «nowadays», says Álvaro Jiménez, threat hunter at BlackArrow, «there is a market for access to companies and placing a false one will be useful to detect possible intrusions».
The modus operandi will, in any case, be similar with both strategies. When the hostile actor accesses the synthetic environment or uses that Honeytoken, an alert is raised that notifies Tarlogic’s Threat Hunting team.
Possible Honeytokens could include, among others:
- Synthetic credentials injected into memory, so that any attempt to authenticate with them generates an alert.
- API keys carefully embedded in purpose-built scripts, so that any use of them is detected immediately and an investigation is opened.
- Seemingly sensitive information stored in LDAP to lure prying eyes and intruders towards systems monitored by a Threat Hunting team.
- Decoy files containing apparently critical information, whose access is audited.
- Fake business environments such as Treasury, Human Resources or Payment Gateways, so that an intruder focuses their activity on synthetic services rather than real ones while the Threat Hunting team starts the relevant investigation.
The range of possibilities is enormous.
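As an added illustration of how the alerting side of the Honeytokens listed above works (this is example code, not Tarlogic’s or BlackArrow’s tooling), the following script registers three decoy values and scans constructed log lines for any touch of them. The decoy account name, API key, file path, host names and IP addresses are all made-up placeholders.

```python
import re
from dataclasses import dataclass

# Constructed honeytoken registry: values that no legitimate process should ever use.
HONEYTOKENS = {
    "credential": {"svc_backup_admin"},                 # synthetic account planted in memory
    "api_key": {"AKIA_DECOY_000000000000"},             # decoy key embedded in a script
    "decoy_file": {"/srv/finance/payroll_2023.xlsx"},   # audited decoy document
}

# Constructed sample events: sshd auth, API gateway access, file audit, and benign noise.
SAMPLE_LOGS = """\
Jan 12 03:14:07 vpn01 sshd[2210]: Failed password for svc_backup_admin from 10.9.8.7 port 51022 ssh2
Jan 12 03:15:30 apigw01 gateway: key=AKIA_DECOY_000000000000 path=/v1/customers status=403 src=10.9.8.7
Jan 12 03:16:02 fs01 audit: type=OPEN path=/srv/finance/payroll_2023.xlsx uid=1004 src=10.9.8.7
Jan 12 03:17:44 web02 sshd[3111]: Accepted publickey for deploy from 10.1.1.5 port 44010 ssh2
"""

@dataclass
class Alert:
    kind: str     # which honeytoken class fired
    token: str    # the decoy value that was touched
    source: str   # originating IP, for pivoting
    line: str     # raw evidence kept for the analyst

# Each pattern yields (candidate value, source IP) for its log format (assumed formats).
PATTERNS = {
    "credential": re.compile(r"(?:Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)"),
    "api_key": re.compile(r"key=(\S+).*?src=(\S+)"),
    "decoy_file": re.compile(r"path=(\S+).*?src=(\S+)"),
}

def detect(log_text: str, tokens=HONEYTOKENS) -> list[Alert]:
    """Return one Alert per log line that touches a registered honeytoken."""
    alerts = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and m.group(1) in tokens[kind]:
                alerts.append(Alert(kind, m.group(1), m.group(2), line))
                break  # a line fires at most once, so a host is not double-counted
    return alerts

def pivot_sources(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group fired honeytokens by source IP so several touches form one incident."""
    by_src: dict[str, list[str]] = {}
    for a in alerts:
        by_src.setdefault(a.source, []).append(a.kind)
    return by_src

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT [{a.kind}] {a.token} touched from {a.source}")
    print(pivot_sources(found))
```

Because the decoy values have no legitimate use, a single match is a high-confidence signal, and grouping by source shows the three touches above as one host moving across the deception layer.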
What about the bad guy? Doesn’t he know?
At this point, one question seems logical: don’t the bad guys realize it’s a trap? «Yes, but almost always when they have fallen into it», points out Luis Ruiz Mayorga, threat hunter at BlackArrow. «At that point, their ends are further away from materializing».
A multitude of actors is behind these attacks. From cybercriminal groups to youngsters making their first forays into the world of hacking. «Often they are even competitors», warns José Miguel Gómez-Casero, threat hunter manager of Tarlogic’s offensive and defensive services division.
On the ability to analyse the behaviour of these intruders, all agree that honeypots, or other Deception techniques, are interesting ways to explore their techniques. But only for a relatively short time.
«When they are detected, the natural behavior of a company is to expel them. Nobody takes the risk of leaving them inside the systems even if it could be useful to see how they behave», says José Lancharro.
Over the last few years, different scalable systems that rely on Deception techniques, such as CounterCraft, have appeared on the market, and INCIBE itself has focused on them. However, the Threat Hunting team at BlackArrow believes that before implementing them, a serious analysis of their usefulness is needed.
Why? Because of the risk of a reputational crisis. Bear in mind that if someone were to discover this synthetic data or service (artificial, but real), they might be tempted to make it public. This would expose the cybersecurity structures of a company or public institution, with the reputational cost that entails.
That is why José Lancharro believes that, when implementing a honeypot or other Deception techniques, it’s better to do it within the company’s own network. In an environment that is, let’s put it this way, more controlled and less visible to the outside world.
What is clear to the whole team is that these tools are very useful for dealing with the multiple threats that come from the Net. And that is the nuance: they are useful, but by no means infallible.
«Neither honeypot nor deception is a silver bullet. They are just one more aid for prevention and action», they remind us.
In this sense, José Miguel Gómez-Casero qualifies that the profile of a company likely to implement this service is one that is perhaps more mature in its understanding of the nature of cybersecurity.
«These techniques require an effort of design, deployment, maintenance… It is a complex solution that requires the client to understand the whole process and its obvious usefulness», he concludes.
That is indeed the case. Honeypot. Deception. Or when the good guys spy on the bad guys.