Many industry observers have noticed that deception approaches are re-emerging in the collective attention of the operational [as opposed to research] security industry and community (“cyber”- community?). We even have a paper to prove it [Gartner access required].
Frankly, I’ve been working on this post for a long time – and it has been tearing at my soul. Let me first explain why – please treat this section as my “self-psycho-analysis by blog.” :–) As you know, I’ve been involved with The Honeynet Project since 2002 and deception approaches are very dear to my heart. On the other hand, I am well aware that many organizations’ security teams can barely keep their heads above water in such “strategic” activities as patching Windows and cleaning up infected machines – and they are in no shape to engage the attackers with deception approaches.
Let me try to do both – so the focus on DECEPTION AS DETECTION. For now, let’s forget about the sneaky deception tools and advanced high-interaction honeypotting tactics and think “can deception make our threat detection better?”
Why, yes, it can happen! Here is how:
- Honeypots [if deployed right] may give better detection signal/noise ratio since all activity there is either malicious or at least unintentional, so you can hope for some low “false negative” signal [in theory]
- Those who are failing to implement comprehensive monitoring can instrument a few “super-monitored” locations – honeypots – and hope that the attacker may touch them at some point while wandering around your environment
- In particular, most organizations have really bad internal network visibility, and a few “honey-sensors” may provide a small boost to such visibility – by detecting the internal recon activities, funky SMB sessions, other lateral movements, etc
- Honeytokens present a similar “crutch” for poorly monitored data locations: while it would be nice to monitor all data access, if you can monitor access to those planted records, you have some chance of detecting badness [so, the idea is ‘touch this – means bad; touch any other server — we have no idea what it means and have no time to investigate’]
- It is also easy to use a honeypot to create [admittedly, a mediocre] internal threat intel factory: automatically capture malware, extract indicators, and rapidly shove them into other detection tools, such as SIEM, EDR, etc [you may sometimes beat your threat intelligence vendor by hours if not days with this method]
Of course, “honey-things” and deception can also help you learn more about the attackers’ tools and tactics, gather other rich context information about their behaviors, degrade their situational awareness (so cool!) and do great many other fun things– however, those actually require hard work and are most definitely NOT for everybody….
P.S. My more astute readers will notice that every bullet point above contains “may”, “hope” and other weak words. This is by design! All of these honeypot / deception benefits may give you a boost to detection and you can hope to catch threats faster – unlike, say, the approach of “monitor / analyze everything” that will give you a boost and enable better threat detection…
P.S. Mr honeytoken inventor, got anything to add?