BreachExchange mailing list archives

Hunting hackers with honeypots


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Sep 2015 14:09:42 -0600

http://www.itproportal.com/2015/09/04/hunting-hackers-with-honeypots/

What would it take to gain an upper hand in our efforts to thwart attackers
and limit the damage they can cause?

While preventive techniques are necessary, they are not sufficient.
Additionally, with cyber attacks, time is of the essence.

In this post, I discuss a strategy that uses “honeypots” – which are
designed to purposely engage and deceive hackers while identifying
malicious activities – to combine effective deterrence, timely detection,
and dynamic deflection to help mitigate and analyse today’s advanced
threats.

Effective deterrence

Cyber criminals look for the easiest available path when determining where
their exploits will succeed. This means organisations that limit their
exposure to exploitable vulnerabilities are less likely to qualify as
targets for these attackers.

The Target data breach from 2013 is a prime example of this behaviour. The
hackers found a very simple way in, by stealing the credentials of
air-conditioning and refrigeration contractors at several of Target’s
stores. From there the hackers tunnelled across into Target and gained
access to the POS terminals. The lack of effective policy governing the
attack surface meant they could lie undetected as they stole millions of
people’s credit card data. There are clear ways to stop people employing
this tactic.

Reducing the attack surface begins with an adaptive security model where
granular policies tied to individual workloads ensure that those workloads
are only allowed to access resources necessary for the application’s
legitimate purpose. The underlying principle here is to move from a
blacklist model of “blocking the bad and implicitly allowing everything
else” to a whitelist model that “explicitly permits the good and denies
everything else.”

This containment approach applied at a fine-grained level effectively
reduces the attack surface from the entire network behind the perimeter
down to a specific workload.

If we take the OPM breach as an example, inquiries have revealed that the
malicious actors had lain within the network for between 4 and 6 months and
were only discovered after an upgrade of security detection and monitoring
tools. Over these longer periods of time, it would have been possible to
spot the activity earlier and direct it to a honeypot. Had the specialists
employed adaptive security that redirects traffic to honeypots, they could
have had a closer look, to understand whether the activity was legitimate
or if it was something to be concerned about.

As leaked data continued to be uncovered months after the first
announcements, the OPM staff missed a trick by not gathering the right
intelligence when the first breach came about.

Timely detection and dynamic deflection

It takes organisations far too long to detect cyber attacks. In fact, most
companies take more than six months to detect a data breach. A granular,
whitelist approach to enforcing policies on individual workloads means
potential attacks are immediately detected since there is a precise sense
of what a valid transaction is.

Any deviations from prescribed behaviour can immediately trigger a series
of mitigating actions, including dynamically rerouting the connections to
strategically placed honeypots. This can buy an organisation the time it
needs to analyse attacks within a closely monitored environment.

Honeypots can be used to trap hackers and gather intelligence on their
methods. By letting a hacker inside a controlled environment – a small part
of the network that can be compromised, where no useful or valuable data is
stored – an organisation is able to study and analyse the methods they used
to poke around, giving them a head start on what the attackers will try
next time. The honeypot has become a ‘honeytrap’, coaxing hackers into
deploying their sophisticated tools for security teams to document and
dissect. A great source of knowledge – so long as the hacker is unaware
they’re being watched.

Making honeypots more effective with adaptive security

One reason why honeypots aren’t deployed more extensively is that there is
no opportunity for analysis if they are not in the path of an attack. At
the same time, placing them in the open can generate excessive “noise” from
hackers probing anything with connectivity. Rather than passively waiting
for the honeypots to be attacked, an adaptive security strategy can
redirect attacks to the honeypots.

Another major concern for honeypot designers is that once a honeypot is
compromised, it can be used as a platform to attack and infiltrate other
systems or organisations. Adaptive security, which takes security down to
an individual workload level, can isolate and safeguard these honeypots.
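The two ideas above, a per-workload allow-list whose deviations are rerouted to a honeypot and a honeypot that is itself denied any egress, can be sketched as a small policy engine. This is an added example, not code from the article or from any product it alludes to; the workload names, addresses and flow records are constructed for illustration.

```python
"""Toy workload-level allow-list policy engine (constructed example).

Each workload may only open the connections its policy explicitly permits
("permit the good, deny everything else"). Any other connection attempt is a
deviation: it is flagged and rerouted to a honeypot so it can be observed.
The honeypot itself has an empty policy, so a compromised honeypot cannot
pivot to other workloads. All names, addresses and flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    # (destination network, destination port) pairs this workload may reach
    allowed: list = field(default_factory=list)

# Explicit allow-list per workload; a workload with no entry has no egress.
POLICIES = {
    "pos-terminal": Policy([("10.20.0.0/24", 443)]),      # payment gateway only
    "hvac-vendor-vpn": Policy([("10.30.5.0/24", 8443)]),  # building-management API only
    "honeypot-01": Policy(),                              # honeypot may reach nothing
}
HONEYPOT = "10.99.0.10"  # constructed address of the monitored honeypot

def decide(src_workload, dst_ip, dst_port):
    """Return ('allow', dst_ip) for in-policy flows, ('drop', None) when the
    honeypot itself tries to reach out, or ('redirect', HONEYPOT) for any
    other deviation from the allow-list."""
    policy = POLICIES.get(src_workload, Policy())
    for net, port in policy.allowed:
        if ip_address(dst_ip) in ip_network(net) and port == dst_port:
            return ("allow", dst_ip)
    if src_workload.startswith("honeypot"):
        return ("drop", None)  # never let a compromised honeypot pivot
    return ("redirect", HONEYPOT)

# Constructed flow records: (source workload, destination ip, destination port)
FLOWS = [
    ("pos-terminal", "10.20.0.15", 443),     # legitimate payment traffic
    ("hvac-vendor-vpn", "10.30.5.7", 8443),  # legitimate vendor traffic
    ("hvac-vendor-vpn", "10.20.0.15", 443),  # vendor account reaching for POS: deviation
    ("honeypot-01", "10.20.0.15", 445),      # compromised honeypot trying to pivot
]

def evaluate(flows):
    """Apply decide() to every flow and return (src, dst, port, action, target)."""
    return [(src, dst, port, *decide(src, dst, port)) for src, dst, port in flows]

if __name__ == "__main__":
    for row in evaluate(FLOWS):
        print(row)
```

Every `redirect` or `drop` row is the detection event the article describes: it is raised at the moment of deviation rather than months later, and the redirected session lands in a segment where it can be studied without reaching real data.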

Now What?

Risk can never be 100 percent removed. While prevention is ideal, timely
detection and mitigation is an absolute must.

Developing effective mitigation controls to minimise the impact while
gaining deep insight is an important step we should consider as an industry
to better prepare us for the sophistication of future attacks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 