What is Deception and Disruption Technology?
Understand how common types of deception and disruption technologies can be used to capture information on an attacker and their techniques.
— Dusty
Learning Objectives
Understand fundamental security concepts:
- Deception and disruption technology
- Honeypot
- Honeynet
- Honeyfile
- Honeytoken
What is Deception and Disruption Technology?
As the name suggests, these technologies are intended to deceive attackers so that we can learn more about them, and to disrupt their attacks.
When you prevent an attack outright you learn very little about the attacker. This is why IT security professionals often leave bait to encourage an attack, so that they can study attackers' techniques and processes and build stronger defences based on real-world experience.
We will learn about four common deception and disruption technologies below:
Honeypots
Honeypots are systems set up with intentional vulnerabilities to attract attackers. By posing as a legitimate system, a honeypot serves as digital bait: it waits to be attacked and records everything an attacker does while trying to exploit it. While the attacker wastes time and resources on these decoys, security teams gain insight into their attack patterns, techniques and commands. This intelligence is invaluable for improving defences against the latest threats.
The evolution of honeypots is a testament to the cat-and-mouse game between cybercriminals and security professionals. As attackers become better at identifying honeypots, security professionals will study how they do so and enhance their realism and complexity. This makes it increasingly difficult for malicious actors to distinguish between genuine and fake systems.
There are many different honeypot options available. Many are open source and free to download, or you can build your own.
More info on Honeypots can be found at projecthoneypot.org
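The following is an added example, not code from the article or from any honeypot project, showing the defensive core of a low-interaction honeypot: a listener that presents a fake service banner, logs every connection and every line the peer sends as structured events, and never executes or interprets what it receives. The banner text, the loopback port 2525 and the log file name are assumptions; the summarize() function is the part a security team would use to see which commands are tried most often against the decoy.

```python
"""Minimal logging TCP honeypot (added example, not from the article).

Assumptions (not from the page): the listener presents a fake SMTP-style
banner on a port of your choosing and records every connection and every
line the peer sends to a JSON-lines log. Nothing received is ever acted on.
"""
import json
import socket
import threading
from datetime import datetime, timezone

BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # constructed decoy banner
LOG_PATH = "honeypot_events.jsonl"  # assumed log location


def build_event(peer, line):
    """Turn one received line into a structured event for the SOC."""
    host, port = peer
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": host,
        "src_port": port,
        "raw": line.decode("utf-8", errors="replace").rstrip("\r\n"),
        "length": len(line),
    }


def summarize(events):
    """Count the first word of each line so defenders can see which commands
    attackers try most often against the decoy (most frequent first)."""
    counts = {}
    for ev in events:
        cmd = ev["raw"].split(" ", 1)[0].upper() if ev["raw"] else "<empty>"
        counts[cmd] = counts.get(cmd, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def handle(conn, peer, log_file, lock):
    """Serve one decoy session: send the banner, log lines, never act on them."""
    try:
        conn.settimeout(30)
        conn.sendall(BANNER)
        buf = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                event = build_event(peer, line + b"\n")
                with lock:
                    log_file.write(json.dumps(event) + "\n")
                    log_file.flush()
                # A generic reply keeps the peer talking without implementing
                # any real protocol behaviour.
                conn.sendall(b"250 OK\r\n")
    except (socket.timeout, OSError):
        pass
    finally:
        conn.close()


def serve(bind="127.0.0.1", port=2525):
    """Listen on a loopback port by default so it can be tried locally."""
    lock = threading.Lock()
    with open(LOG_PATH, "a", encoding="utf-8") as log_file:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, log_file, lock),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it, connect with a telnet or netcat client to port 2525, and every line typed ends up in honeypot_events.jsonl with source address and timestamp. The design choice worth noting is that the decoy only records and replies with a fixed string; the "vulnerability" an attacker perceives is entirely in the banner, so there is nothing on the listener for them to actually exploit.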
Honeynets
Real-world networks consist of more than a single device, which can make a lone honeypot easy for an attacker to identify as a fake system. This is where honeynets come into play.
Honeynets are multiple honeypots combined into a more realistic bait network. They also contain intentional vulnerabilities to tempt attackers, so that we can capture information about them and the techniques they use to exploit the network.
Because a honeynet is much larger than a single honeypot, it has the additional benefit of wasting far more of the attacker's time and resources as they attempt to exploit the entire network.
Honeyfiles
While honeypots and honeynets simulate legitimate hardware systems to capture information about an attacker's techniques, we can extend the deception to the file level with honeyfiles.
Honeyfiles are bait files, usually placed within honeypots or honeynets, but they can also be placed on your real network to act as an intrusion detection mechanism or as bait for insider threats. These files are designed to be enticing to attackers (e.g. "passwords.txt") and serve as traps: when an attacker opens one, it sets off an alarm and signals a breach.
They usually contain large amounts of fake but plausible information, creating the illusion of value to the attacker while obscuring the fact that the file is a decoy, and wasting more of the attacker's time as they work through it, all while the security team has been alerted to their presence.
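As an added example (not the article's code), the script below plants a "passwords.txt"-style honeyfile filled with constructed fake credentials and then watches it using stat() alone, so the monitor never reads the file and trips its own bait. The decoy content, the path and the polling interval are assumptions. Two practitioner caveats are built in: the access-time check only works on filesystems that record access times (on noatime mounts only modification and deletion are detectable), and under Linux relatime the planted file's atime is deliberately set equal to its mtime so the next read by anyone else is recorded.

```python
"""Honeyfile planting and monitoring (added example, not the article's code).

Assumptions not taken from the page: the decoy sits where no legitimate user
has reason to open it, the monitor polls with stat() rather than reading the
file, and access times are recorded by the filesystem (with noatime only
modification and deletion are detectable).
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Constructed decoy content: plausible-looking, entirely fake credentials.
DECOY_CONTENT = "".join(
    f"svc-account-{i:02d}@corp.example : Winter{i:02d}!\n" for i in range(1, 41)
)


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _arm(path: Path) -> dict:
    """Hash the file for later evidence, then set atime equal to mtime so that
    under relatime the next read by someone else updates atime (our own
    hashing read would otherwise have consumed that one-shot update)."""
    digest = _sha256(path)
    mtime_ns = path.stat().st_mtime_ns
    os.utime(path, ns=(mtime_ns, mtime_ns))
    st = path.stat()
    return {"path": str(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns, "sha256": digest}


def plant(path: Path) -> dict:
    """Write the decoy and return the baseline to compare against."""
    path.write_text(DECOY_CONTENT, encoding="utf-8")
    return _arm(path)


def rearm(path: Path) -> dict:
    """Take a fresh baseline of whatever is on disk now (keeping any attacker
    changes as evidence); re-plant only if the file was deleted."""
    return _arm(path) if path.exists() else plant(path)


def check(baseline: dict) -> list:
    """Compare the live file against the baseline using stat() only.
    Returns a list of alert dicts; an empty list means the bait is untouched."""
    path = Path(baseline["path"])
    alerts = []
    try:
        st = path.stat()
    except FileNotFoundError:
        return [{"alert": "deleted", "path": baseline["path"]}]
    if st.st_atime_ns != baseline["atime_ns"]:
        alerts.append({"alert": "accessed", "path": baseline["path"],
                       "atime_ns": st.st_atime_ns})
    if st.st_size != baseline["size"] or st.st_mtime_ns != baseline["mtime_ns"]:
        # Only now read the file: we are already alerting, and the new hash
        # records what was changed.
        alerts.append({"alert": "modified", "path": baseline["path"],
                       "old_sha256": baseline["sha256"],
                       "new_sha256": _sha256(path)})
    return alerts


def watch(path: Path, interval: float = 2.0):
    """Poll the decoy; emit each alert as a JSON line, then re-arm."""
    baseline = plant(path)
    while True:
        time.sleep(interval)
        alerts = check(baseline)
        for alert in alerts:
            print(json.dumps(alert), flush=True)
        if alerts:
            baseline = rearm(path)


def simulate() -> dict:
    """Plant in a temp dir and show what an append and a delete look like."""
    path = Path(tempfile.mkdtemp()) / "passwords.txt"
    baseline = plant(path)
    untouched = check(baseline)
    with open(path, "a", encoding="utf-8") as f:
        f.write("admin@corp.example : extra\n")  # simulated tampering
    modified = check(baseline)
    path.unlink()
    deleted = check(baseline)
    return {"untouched": untouched, "modified": modified, "deleted": deleted}


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

In production the file would be planted on a real share and watch() run as a service; simulate() exists so the behaviour can be seen without waiting for an intruder. The "accessed" alert is the one that matters most for an insider-threat scenario, because simply opening the decoy is the signal, and it is also the one most dependent on mount options, which is why the baseline keeps size, mtime and a hash as well.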
Honeytoken
Honeytokens are similar to honeyfiles but offer a more granular approach designed to track and identify the attacker. Honeytokens are fake pieces of data intended to be attractive to an attacker while allowing security professionals to track the data, and therefore the attacker.
They are usually a unique piece of traceable data embedded in database entries, files, emails or any other asset. The security team monitors this data, and since it is not a genuine piece of the organisation's data, any tampering with or activity involving it signals that you have been breached or have an insider threat.
If the data is exfiltrated and later shows up anywhere else on the internet, you will be able to identify it by its unique qualities and find out more about the attacker by investigating who posted it.
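The following added example (not code from the article) shows the two halves of a honeytoken scheme the section describes: minting a unique, unguessable value for each place it is planted, and later recognising that value in text the defender already collects (DLP captures, outbound mail, auth logs, paste-site monitoring) so a sighting points back to exactly one leaked asset. The registry class, the "svc-backup" fake account, the customer id 48193 and the sample collected lines are all constructed for the example.

```python
"""Honeytoken minting, placement tracking and sighting detection
(added example, not code from the article).

Assumptions not taken from the page: a token is a random value from
secrets.token_urlsafe, each placement gets its own token, and detection means
scanning collected text for any registered value.
"""
import re
import secrets
from datetime import datetime, timezone


class HoneytokenRegistry:
    """Maps every planted value to the asset it was planted in.

    Because each minted value is random and planted exactly once, a single
    sighting identifies exactly one leaked asset, which lets the defender
    attribute the leak rather than merely know that something leaked.
    """

    def __init__(self):
        self._placements = {}  # value -> placement record
        self._pattern = None   # compiled alternation of all values

    def register(self, value, kind, placement):
        """Track a chosen value (e.g. a fake username). Chosen values can
        collide with real text, so prefer mint() where the format allows."""
        self._placements[value] = {
            "kind": kind,
            "placement": placement,
            "registered": datetime.now(timezone.utc).isoformat(),
        }
        self._pattern = None  # force a rebuild on next scan
        return value

    def mint(self, kind, placement, nbytes=12):
        """Create a fresh random token and record where it will be planted."""
        return self.register(secrets.token_urlsafe(nbytes), kind, placement)

    def _regex(self):
        if self._pattern is None:
            alts = sorted(self._placements, key=len, reverse=True)
            self._pattern = re.compile("|".join(re.escape(v) for v in alts))
        return self._pattern

    def scan(self, text):
        """Return one hit per sighting of any registered value in `text`,
        each carrying the placement record it traces back to."""
        if not self._placements:
            return []
        return [
            {"token": m.group(0), "offset": m.start(), **self._placements[m.group(0)]}
            for m in self._regex().finditer(text)
        ]


def fake_credential(registry, username, placement):
    """A username/password pair where both parts are tracked: the random
    password is spotted in exfiltrated data, the username in auth logs when
    someone tries to use the credential."""
    registry.register(username, "credential-username", placement)
    password = registry.mint("credential-password", placement)
    return {"username": username, "password": password}


def demo():
    """Plant two constructed tokens and scan constructed 'collected' lines."""
    reg = HoneytokenRegistry()
    db_row = {"customer_id": 48193,
              "api_key": reg.mint("db-row", "customers.api_key, customer_id=48193")}
    cred = fake_credential(reg, "svc-backup", "config/backup.ini on fileserver01")
    collected = [  # constructed sample inputs
        "2024-05-01T10:02:11Z dlp: outbound attachment contains api_key=" + db_row["api_key"],
        "2024-05-01T10:05:40Z sshd: Failed password for svc-backup from 198.51.100.23",
        "2024-05-02T08:13:07Z paste-monitor: ... password=" + cred["password"] + " ...",
        "2024-05-02T09:00:00Z nothing of interest here",
    ]
    return [(line[:20], reg.scan(line)) for line in collected]


if __name__ == "__main__":
    for stamp, hits in demo():
        print(stamp, hits)
```

The second collected line in demo() illustrates the difference between the two detection sources: the attacker never exfiltrated anything there, they tried to log in with the fake account, and the registered username is what fires. It also illustrates the caveat noted in register(): a human-readable value like "svc-backup" is only a reliable token if no real account shares the name.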