How do you detect a security breach inside your network? How do you collect the necessary intelligence to protect your assets properly? Sun Tzu, author of The Art of War, said that convincing your opponents to unveil their identity without knowing that they are being watched is one of the most important keys to winning a war. Attack deception is one of the best techniques to make attackers unveil their identity and gain valuable intelligence. While it is not new, advanced attack deception methods take advantage of Sun Tzu’s strategy.
Cyber deception techniques such as honeypots have been used widely and effectively over the past twenty years, but none of these solutions has been able to change the balance of power between attackers and security professionals.
One of the biggest challenges of cyber deception is making it undetectable, what’s known among GuardiCorians as “Stealth”. Even if you manage to lead the attacker into your honeypot, what if the attacker can easily detect that your deception sensor is not a real machine?
Most of the honeypots available today are based on emulations, which means that they emulate vulnerable services and are not real machines. They can do well with detecting automated attacks, but advanced attackers are unlikely to be distracted by emulated honeypots for long. Take Kippo for example, a well known python based SSH honeypot, which was designed to answer ICMP echo requests for invalid IP addresses like 888.888.888.888 and could be easily detected until fixed. To be able to detect clever attackers requires sophisticated threat deception techniques that are completely undetectable.
So how do we make our solution “stealthy”? How do we keep our honeypot looking like a live machine that naturally fits in the data center?
We’ve identified four key areas that are crucial to a successful, stealthy deception solution:
- Serving a static or dynamic honeypot environments. Believable deceptions must retain a dynamic look and feel otherwise they are spotted and avoided right away. A honeypot machine should seamlessly blend in with its environment in terms of passwords, domains, hostname and so on. At the same time, machines in data centers are usually clones of the same images over and over again that share the same characteristics for a long while. What happens when an attacker returns to the same honeypot he attacked before? Unless the attacked honeypot retains its previous configurations and keeps state of all the attacker’s activities (e.g. malicious file download), the attacker may become suspicious and blow our cover. It becomes even more challenging when the same attacker attacks different honeypot machines. In this case, to avoid a situation of a deja vu, we must provide different machines with different sets of applications to make our honeypot trustworthy. Providing this mix of static and dynamic requires a complex stealthy solution that addresses all possible scenarios.
- Welcoming attackers or playing it hard to get. The basic rule of honeypotting is allowing attackers to get inside. It needs to be possible, or even easy, but if it’s too easy it gets suspicious. Nobody expects to hack into a data center without any obstacles. The simplest example would be brute force attacks. There is a zero chance that your brute force attack script gets the right password after the first or second try. However, a human attacker will probably never try more than 2-3 times. We want to catch as many attacks as possible, without making attackers try to avoid our honeypots. Finding the right balance is not an easy task.
- Separating external from internal deception. At Guardicore we’ve built our deception engine on the concept of separation between two steps of deception: how we look from the outside vs how we look once the attacker is inside the deception machine. We believe that it’s crucial that our deception solution be completely undetectable from the outside. If we can be recognized from a remote machine our chances to catch an attacker drop dramatically, rendering our deception solution irrelevant.
- Keeping your deception engine scalable yet consistent. At Guardicore we’re working on keeping a constant balance between the ability to handle multiple (many!) attacks simultaneously and being consistent with what we serve to each and every attacker. Returning attackers for example are one of the biggest resource challenges for honeypot makers. An attacker that returns to a machine he broke into before would expect to get the same machine serving the same operating system. It gets harder if he had installed any software, placed a file, changed a password or even looked at some log files – these all need to tell the same story when the attacker comes back. Imagine handling all these and serving multiple honeypots while being attacked on all fronts.. The solution is detecting these scenarios in real-time, and focusing on the relevant attacks immediately.
The Guardicore Honeypot
Sounds interesting? Impossible? At Guardicore we’ve created one of the most advanced and innovative honeypot solutions for modern data centers, based on the next generation cyber deception techniques. If you want to check our Data Center Security Suite more closely, drop us a note at www.guardicore.com/contact/.