Tomcat

You've probably heard about honeypots: decoy targets that give an attacker away the moment he attacks them. In recent years this technology has evolved and is now collectively referred to as Deception. We will talk about how it differs from honeypots and how attackers are led by the nose.
The name says it all: the solution works by deceiving the attacker, and to catch him the traps must be indistinguishable from real services.
Today this technology is represented mainly by foreign (American and Israeli) vendors. The best known among them are TrapX, Illusive Networks, Fidelis, Cymmetria MazeRunner and Canary. Russian vendors are still thin on the ground. There is Security Code's Honeypot Manager, released in 2009, which is more than a plain honeypot but not yet a full-fledged Deception. A couple of fresh full-fledged solutions exist: Bastion Security Platform, which my colleagues and I are building at Bastion, and Xello. You can also find several open source programs.
From a developer's standpoint, I plan to explain what Deception is and why it is interesting. But first, let's talk about the forerunner of this technology: honeypots.
Honeypots
Honeypots can be considered the first incarnation of the Deception technology; they appeared in the late eighties and early nineties. A honeypot is a network entity whose sole purpose is to attract an attacker and be attacked. It carries no other value in the network in which it is installed, and there are no legitimate interactions with it. When a honeypot is attacked, it records this and saves all of the attacker's actions. This data later helps to analyze the attacker's path.
A side goal of a honeypot is to slow the attacker's advance through the network by forcing him to spend time studying the fake resource.
A honeypot can be a full-fledged operating system emulating an employee's workstation or a server, or just a single service.

However, honeypots on their own have several disadvantages:
- each fake server has to be configured separately;
- honeypots do not interact with each other or with the rest of the infrastructure, so they leave no traces on the network and an attacker is unlikely to stumble upon them;
- honeypots, as a rule, are not united into a centralized system.
The essence of deception technology
Deception belongs to the Intrusion Detection System (IDS) class. The main purpose of such a system is to detect attempts at unwanted access to the network; in other words, Deception helps detect network attacks. What is the difference between Deception and honeypots? A honeypot is a separate network resource that does not interact with anyone and only waits for an attacker in order to record his actions. Deception is a centralized management system for decoys. Each trap is essentially a separate honeypot, but all of them are connected to a central server.

Such solutions usually have a user-friendly interface for managing traps. The operator can create traps with the desired set of emulated network services, in the selected subnet, with the desired method of obtaining an IP address, and so on.
Traps and the services emulated on them maintain a constant connection to the server. Just like honeypots, traps in Deception take no part in legitimate network interaction (other than with other Deception components).
A trap informs the server about any attempt to interact with it: this serves as an indicator of an attack. The operator can receive an instant notification of the event, with the details of what happened: source and target address and port, the protocol, the response time, and so on.
Deception add-on modules can also provide manual or automated incident response capabilities.

Deception can include much more. Some components simplify configuration and automate deployment, others make traps look more like real network services, and still others draw the attacker's attention to the decoys.
Some components can solve related tasks - for example, respond to incidents, collect indicators of compromise from workstations and search for vulnerable software on them.
Agents
An agent is a program installed on real user workstations or servers. It knows how to communicate with the Deception server, execute its commands and send useful data to the control center. Deception solutions include both products that rely on an agent and those that do without one.

The agent's tasks may include:
- collecting data on the state of workstations;
- distributing decoys;
- emulating network activity;
- incident response (manual or automated);
- collecting data for forensics;
- anything else, within the limits of customer needs and the developer's imagination.
Secondly, the presence of unknown software (or software known only to a certain extent, if the user has been warned about it) on a workstation can make the user uncomfortable.
Thirdly, everything the user sees will also be seen by an attacker who has gained access to this computer. We don't want to show our cards to the attacker, right?
Therefore, the agent component of a Deception solution should be built so that the user sees neither the agent nor traces of its activity (or at least so that this is minimized).
For this reason agents usually run in privileged mode, as a driver on Windows or a kernel module on Linux. This allows them, for example, to intercept system calls to stay hidden, and also prevents the user from removing the agent or interfering with its work.
Mimicry techniques
The goal of Deception as a technology is to convince the attacker that all traps and the interactions between them are real, valuable and exploitable, and to make the decoys attractive to attack. Modern systems have a number of components responsible for this.
Bait
To make it more likely that the attacker stumbles upon a trap, you can nudge him towards it. How? For this, Deception uses decoys, or breadcrumbs. A decoy is an object placed on a real workstation, discreetly or not. It looks like something ordinary yet attractive to the attacker: an "accidentally" forgotten password file, a saved session, a browser bookmark, a registry entry, a mounted network share, and so on. The decoy contains a link and the data needed to access a fake network resource.
An attacker who finds such a link and credentials will, of course, want to check what kind of service it is. He enters the trap, and an incident alarm goes off.

The types of decoys and the ways of placing them depend on the type of trap the decoy leads to.
Decoys can be distributed in several ways. If the Deception has agents, the task of spreading decoys falls to them. In this case the process is easily automated: the management server sends a command to the agent, and the agent takes the necessary steps to install the decoy.
If there are no agents, the Deception solution can offer ready-made scripts that have to be run manually on workstations. This approach has obvious drawbacks: for example, when traps are reconfigured there is no way to update the decoys on workstations automatically, whereas agents allow you to do exactly that.
Interaction between real PC users and decoys should be limited as much as possible. However, the decoys must not be hidden too well either. If an attacker cannot find them, what are they for?
And of course, the bait must be believable. If we put an SSH decoy on an accountant's computer, it could arouse the attacker's suspicion.
Often, the bait contains authorization data to access the trap - a username and password or a key. But how do you put them together to make them look believable? This is where the idea of keeping a database of fake users inside Deception appears.
False users
So we want to put credentials into the decoy that are as close as possible to real ones. But user data looks different in every organization. Everyone has different login formats (for example, logins of the form "first letter of the first name, dot, surname" in Latin characters are common). Everyone has different password policies. Some decoys may need an email address, a domain name or something else. What to do? The problem can be solved by maintaining a database of false network users. There are different approaches to maintaining such a database.

For example, Deception can be integrated with a traffic analysis system. This makes it possible to recognize credentials in network traffic, find common features in them and generate users resembling real ones according to the identified rules.
If there is no such integration, generating users according to manually set rules is a good solution. These rules may include choosing a specific dictionary of names, setting a template for the login, setting rules for generating the password (presence of special characters, minimum length, generating memorable passwords, choosing passwords from a dictionary, and so on), and setting a domain name and a mail server.
This approach can be useful if the company uses Deception to protect branches located in different countries. Then, say, the false users of the Russian branch may have names from a Russian dictionary, and those of the Chinese branch from a Chinese one.
Once the false user base is formed, Deception can use it to create decoys. For greater realism, you can tie an agent to a fake user so that all decoys placed by that agent are on behalf of one person.
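A rule-based generator of the kind described above, added here as an illustration (not code from the article or from any of the products it names). It assumes a hypothetical rule set with Latin-character name dictionaries, the "first letter, dot, surname" login template, a minimum length and a special-character requirement for passwords, and a domain for the email field:

```python
import random
import re
import string
from dataclasses import dataclass, field

SPECIALS = "!@#$%^&*"

@dataclass
class UserRules:
    """Hypothetical rule set for one branch: name dictionaries, login template, password policy."""
    first_names: list                 # dictionaries must use Latin characters
    surnames: list
    domain: str
    login_template: str = "{initial}.{surname}"   # "first letter, dot, surname"
    min_length: int = 10
    require_special: bool = True
    words: list = field(default_factory=list)     # dictionary for memorable passwords

def make_login(first, surname, rules):
    # Keep only lowercase Latin letters so the login matches the organization's format.
    clean = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return rules.login_template.format(initial=clean(first)[0], surname=clean(surname))

def make_password(rng, rules):
    """Memorable style: dictionary word + digits (+ special), padded to the policy length."""
    words = rules.words or rules.surnames
    pw = rng.choice(words).capitalize() + str(rng.randint(10, 9999))
    if rules.require_special:
        pw += rng.choice(SPECIALS)
    while len(pw) < rules.min_length:
        pw += rng.choice(string.ascii_letters + string.digits)
    return pw

def meets_policy(pw, rules):
    return len(pw) >= rules.min_length and (
        not rules.require_special or any(c in SPECIALS for c in pw))

def generate_fake_users(rules, count, seed=0):
    """Build `count` distinct fake users; the seeded RNG keeps the directory reproducible."""
    possible = {make_login(f, s, rules) for f in rules.first_names for s in rules.surnames}
    if count > len(possible):
        raise ValueError("not enough distinct logins for the requested count")
    rng, users, seen = random.Random(seed), [], set()
    while len(users) < count:
        first, surname = rng.choice(rules.first_names), rng.choice(rules.surnames)
        login = make_login(first, surname, rules)
        if login in seen:                 # logins must be unique within the fake directory
            continue
        seen.add(login)
        users.append({"name": f"{first} {surname}", "login": login,
                      "email": f"{login}@{rules.domain}",
                      "password": make_password(rng, rules)})
    return users
```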
Networking emulation
If traditional honeypots exist on their own, interact with nothing and leave no traces on the network, then Deception technology aims, among other things, to push the attacker into interacting with the trap. To do this, the attacker must be shown where to look for the trap and made to believe that it is a real service. Imagine that you have found a service on the network, and passive sniffing shows that nobody ever interacts with it. Suspicious? Yes!
Therefore, one of the features of Deception is the ability to actively emulate network interaction. Any points within the system can interact: traps with traps, agents with traps. The implementation depends on the specific solution and can range from exchanging simple TCP/UDP packets to transferring data over some high-level protocol.
The specifics depend on the type of trap. For example, you can teach an agent to connect at regular intervals to a trap that emulates SSH, authenticate on it, and even execute some commands.

An important detail: I said above that the trap reports any attempt to connect to it and sends a notification to the server. That includes emulated connections! The Deception server therefore needs a mechanism that distinguishes real security events from emulated ones.
Emulation, by the way, overlaps to some extent with the idea of decoys. Some network protocols transfer credentials in cleartext (FTP, for example). Emulating an FTP connection works the same way as a decoy: we feed an attacker sniffing the traffic the login and password for the trap.
Use this functionality with caution. An attacker analyzing the traffic may suspect that something is amiss: for example, that all requests are identical, occur too often, have an atypical length or other unusual parameters. When developing and configuring Deception systems, these nuances must be taken into account by introducing randomization or other masking methods.
Additional components
As I said, a wide variety of elements can be included in Deception. I will dwell on the two most relevant ones: automatic deployment and data collection from workstations.
Automatic deployment
One potential problem with Deception is how laborious the initial configuration is. Without automatic deployment, installing Deception on a network means manually defining the list of traps and emulated services, configuring them correctly, and creating and placing decoys for each trap. That is a lot of work! At the same time, you cannot just build one standard configuration and ship it to every client. Each organization has its own set of network resources that make sense to reproduce as traps. If the company's network is small, one specialist can handle it, but what if Deception is deployed by a large company? It may have many subnets that need traps, and each subnet may have its own set of typical resources. So the idea of automating deployment suggests itself.
You can think of several implementations. For example, if Deception is integrated with a traffic analysis system (as in the example with fake users), the system will be able to receive data on which protocols are used for communication in each separate subnet. Based on this information, Deception can automatically set the right types of traps in the right amount and even update the false network layer itself when adding new real resources.
If there is no such integration, the problem can be solved differently: the Deception server actively scans the network to learn which ports are open on real machines, or passively listens to traffic where possible. The collected information is then used to set up traps automatically.
The third method is even simpler, but does not completely eliminate manual work. Instead of creating and configuring individual traps by hand, the operator is given a way to select the preferred list of network services and the expected number of traps. Installation and configuration are then performed automatically according to that template.
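The planning step behind the first two methods (turning observed protocols per subnet into a set and number of traps), as an added example that is not code from the article or from any product it mentions. The flow records, the /24 subnet assumption, the "at least two real hosts serve it" threshold and the trap-to-host ratio are all constructed here:

```python
import ipaddress
import math
from collections import defaultdict

# Well-known ports -> service names, used only to label the planned traps.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 80: "http", 445: "smb", 1433: "mssql", 3389: "rdp"}

def plan_traps(flows, prefix=24, min_hosts=2, trap_ratio=0.2):
    """Derive a per-subnet trap plan from observed flows.

    flows: iterable of (src_ip, dst_ip, dst_port) from passive sniffing or
    the server's own port scan. A service gets a trap in a subnet only when
    at least `min_hosts` real hosts there serve it, so a one-off port does not
    produce an out-of-place decoy. Trap count scales with the real host count.
    """
    hosts = defaultdict(set)                                  # subnet -> real servers
    servers = defaultdict(lambda: defaultdict(set))           # subnet -> port -> servers
    for _src, dst, port in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        hosts[net].add(dst)
        servers[net][port].add(dst)
    plan = {}
    for net, real in hosts.items():
        services = sorted(SERVICE_NAMES.get(p, f"tcp/{p}")
                          for p, srv in servers[net].items() if len(srv) >= min_hosts)
        if services:
            plan[str(net)] = {"services": services,
                              "traps": max(1, math.ceil(len(real) * trap_ratio))}
    return plan

def demo_flows():
    """Constructed observations: a workstation subnet with SMB on six hosts,
    RDP on two and a one-off port, plus a server subnet with SSH on three hosts."""
    flows = [("10.0.5.9", f"10.0.1.{h}", 445) for h in range(10, 16)]
    flows += [("10.0.5.9", "10.0.1.10", 3389), ("10.0.5.9", "10.0.1.11", 3389),
              ("10.0.5.9", "10.0.1.15", 5555)]
    flows += [("10.0.5.9", f"10.0.9.{h}", 22) for h in (5, 6, 7)]
    flows += [("10.0.5.9", "10.0.9.5", 21)]
    return plan_traps(flows)
```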
Collecting data from workstations
Deception can be more than just an attack detection tool. Having agents allows the system to take on other tasks as well. One of them is collecting data about the software installed on computers, including version and installation date. The results can be compared against CVE databases to warn in time that the version in use has a serious vulnerability.
On the other hand, the agent can collect data for forensics (incident investigation). When a trap detects an attack originating from a workstation with an agent, Deception can match the data from the trap (time, connection source port) with the information the agent holds. This yields useful information about the attack: which process launched it, how it got onto the computer, and so on.
The agent can also collect various indicators of compromise on the employee's workstation. This would make it possible to receive notifications even before the attacker proceeds to take active actions on the network.
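Server-side logic that covers two points from above: telling emulated connections apart from real security events, and matching a real event against the agent's view of the source workstation (time and source port to process). This is an added example, not code from the article or any product it names; it assumes that agents announce each emulated session to the server in advance and report their open-connection table, and all sample data is constructed:

```python
from collections import namedtuple

# One connection attempt as reported by a trap to the Deception server.
TrapEvent = namedtuple("TrapEvent", "ts src_ip src_port dst_ip dst_port proto")
# An agent's advance notice of an emulated session it is about to open (assumed protocol).
Announcement = namedtuple("Announcement", "ts agent_ip src_port dst_ip dst_port")

def classify(events, announcements, agent_connections, window=5.0):
    """Split trap reports into emulated traffic and real alerts.

    A report counts as emulation only if it matches an announcement on the
    full 4-tuple and lies within `window` seconds of it. Each announcement is
    consumed once, so a delayed duplicate or replay still raises an alert.
    agent_connections: {workstation_ip: {src_port: process}} reported by agents.
    """
    emulated, alerts, pending = [], [], set(announcements)
    for ev in sorted(events, key=lambda e: e.ts):
        match = next((a for a in pending
                      if (a.agent_ip, a.src_port, a.dst_ip, a.dst_port)
                      == (ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port)
                      and abs(a.ts - ev.ts) <= window), None)
        if match is not None:
            pending.discard(match)
            emulated.append(ev)
            continue
        # Real event: enrich it with the agent's view of the source workstation, if any.
        host = agent_connections.get(ev.src_ip)
        alerts.append({"event": ev, "agent_present": host is not None,
                       "process": host.get(ev.src_port) if host else None})
    return emulated, alerts

def demo():
    """Constructed sample: one announced emulation, one real connection from an
    agent host, one from a host without an agent, and a late replay of the first."""
    ann = [Announcement(100.0, "10.0.1.20", 50001, "10.0.9.5", 22)]
    events = [TrapEvent(100.8, "10.0.1.20", 50001, "10.0.9.5", 22, "ssh"),
              TrapEvent(140.0, "10.0.1.20", 50230, "10.0.9.5", 22, "ssh"),
              TrapEvent(150.0, "10.0.2.77", 44012, "10.0.9.6", 445, "smb"),
              TrapEvent(400.0, "10.0.1.20", 50001, "10.0.9.5", 22, "ssh")]
    agent_view = {"10.0.1.20": {50230: "update.exe"}}   # constructed agent report
    return classify(events, ann, agent_view)
```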
Conclusion
Deception is a relatively new technology; solutions of this class appeared on the market not long ago, but it is gradually gaining popularity. Deception does not replace standard, generally accepted information security systems but complements them, making it possible to detect attacks that have bypassed all other means. Moreover, it is a very flexible system, and thanks to integration with other information security tools it offers ample opportunities for detecting attacks. Various mechanisms for inventorying network assets, incident response and more can be built into Deception. The effectiveness of the system depends on how it is designed and configured. If everything is done correctly, the attacker will not guess that this is a fake target. And even if he does, it will be too late for him.
Deception is forgiving of configuration errors: even if there are indirect signs by which an attacker can distinguish a trap, the system remains quite effective. But you shouldn't forget about correct configuration!
If you doubt whether your company needs this technology, you can install a trial version of any of the solutions (including ours!). If you are on the side of pentesters and red teamers, then I hope you appreciated our efforts in making your life more difficult!