Posted by: John Bradshaw, VP World Wide Sales Engineering –
Now that I work for a Deception Operations vendor, I have been catching up on my backlog of reading on the technology. I found an interesting article by Kara Drapala of OpenDNS, published on August 6, 2015 (https://blog.opendns.com/2015/08/06/researchers-sweet-on-honeypots-at-blackhat-usa/), on the attention honeypot technologies received at this past year's BlackHat conference in Las Vegas, NV.
Sadly, this was the first BlackHat conference I have had to miss in a long time (first kid off to college had priority!), so I missed all the buzz around this topic. Several statements in the article generated thoughts I wanted to share:
First, as noted in my recent blog post (It's Not Your Daddy's Honeypot), researchers have taken note of an evolutionary step in Honeypot (ok…now we're calling it Deception Operations) technology. Why Deception Operations instead of Honeypots? Because a honeypot typically refers to one component of Deception Operations, the target system, whereas Deception Operations describes a wider framework that spans the entire organization: the security team's effort to divert an attacker's focus away from valuable company resources, or to get the attacker to act on false information, which in turn produces high-fidelity, low-volume alerts.
This is a fundamental difference in how organizations should evaluate vendors in this space. It reminds me of my musings in Race to the Bottom. If the vendor is "malware focused" or very good at throwing out buzzwords and jargon, move on and find a vendor that actually understands how advanced threat actors operate. You need to think like your adversary and understand their motivations if you are going to create a realistic Deception Operation that snares them.
Greg Martin from ThreatStream commented, "Many organizations see honeypots as too complicated to launch and manage over time, and view them primarily as a tool for security researchers." It is, of course, the responsibility of vendors in this space to educate organizations on new advances in Deception Operations technology. These are precisely the problems TrapX addressed in Phase I of its development of DeceptionGrid™. To overcome that objection, your solution must be scalable, centrally managed and easy to deploy, and it must be able to mimic the targets that are actually relevant in the enterprise.
Lance Spitzner rightly commented on WindowSecurity.com, "Honeypots all share one huge drawback; they are worthless if no one attacks them." This is why organizations must treat honeypots as one part of Deception Operations. Just like fishing for sharks, you cannot simply drop a hook in the water; you have to bait the hook, and the more realistic the bait, the better your odds that the shark will bite. But shark hunters also chum the water to bring the shark to them. In deception terms, the bait is the decoy itself and the chum is the breadcrumbs (planted credentials, share listings, hostnames) that lead an intruder from a compromised host toward it.
Tying these two together: your vendor must not only have a strategy for enterprise-wide deployment, but also expert knowledge of advanced threat activity and a strategy for attracting that level of adversary.
Haroon Meer of Thinkst believes honeypots are not popular because they do not block attacks. I believe we should first understand that nothing is going to prevent you from being attacked. The question is whether the attack is going to have an impact on your organization. In this regard, I think we could have an entertaining debate about whether Deception Operations prevent impactful events in your organization:
- An attacker successfully spear-phishes a user. As the attacker expands his beachhead, he interacts with a Deception Operations decoy (honeypot). While the attacker is investigating this decoy, high-fidelity alerts are generated and automated actions isolate the compromised endpoint; new indicators of compromise gathered by the Deception Operation are published to network and endpoint monitoring solutions, which then proactively block any future attacks from other vectors. As a result, there is no impact on the organization's operations. Question: Was the Deception Operation a "preventative" solution?
- An attacker again compromises an endpoint and moves to a decoy. There he finds information of interest about the organization (this information is a false flag). The attacker shares this information with others in his advanced threat group, who then attempt to use it to further their campaign. In doing so, his teammates trip monitoring technologies that alert on any use of the false flags, even though they never touched a decoy at all. Appropriate isolation and remediation actions are taken before the incident impacts the organization. Question: Was the Deception Operation a "preventative" solution?
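The second scenario depends on one property of a false flag: a planted value has no legitimate use, so any sighting of it anywhere in the enterprise is a high-fidelity alert, regardless of whether the host that used it ever touched a decoy. The following is an added example, not code from the original post or from TrapX, showing that detection logic run over a few constructed log lines. The honeytoken values, hostnames, IP addresses and log formats are all invented for the illustration; the one design choice worth noting is the word-boundary match, so that a planted name does not fire on a longer legitimate name that merely contains it.

```python
"""Honeytoken ("false flag") detection over sample logs.

Added example: the tokens, log lines and formats below are constructed for
illustration and do not come from any real system or product.
"""
import re
from dataclasses import dataclass

# Constructed honeytokens (hypothetical values, not real accounts or keys).
# Each is planted where an intruder would look (a decoy config, a share
# list, a script) and has no legitimate use, so any sighting is an alert.
HONEYTOKENS = {
    "svc_backup_ro": "service account planted in a decoy backup config",
    "fs-archive-02": "file-server hostname planted in a decoy share list",
    "AKIA_DECOY_0F1E2D3C": "cloud access key id planted in a decoy script",
}


@dataclass(frozen=True)
class Alert:
    token: str    # which planted value was used
    source: str   # host that used it (isolation candidate)
    reason: str   # where the token was planted, for the responder
    line: str     # the raw log line, kept as evidence


# One compiled pattern per token, with word boundaries so that a token does
# not fire on a longer legitimate name that merely contains it
# (e.g. "svc_backup_ro_real" must not match "svc_backup_ro").
_TOKEN_PATTERNS = {t: re.compile(r"\b" + re.escape(t) + r"\b") for t in HONEYTOKENS}

# The constructed log formats carry the originating host as src= or client=.
_SOURCE_RE = re.compile(r"\b(?:src|client)=(?P<src>\S+)")


def detect_honeytoken_use(log_lines):
    """Return one Alert per (token, line) in which a planted value appears."""
    alerts = []
    for line in log_lines:
        src_match = _SOURCE_RE.search(line)
        source = src_match.group("src") if src_match else "unknown"
        for token, pattern in _TOKEN_PATTERNS.items():
            if pattern.search(line):
                alerts.append(Alert(token, source, HONEYTOKENS[token], line))
    return alerts


def hosts_to_isolate(alerts):
    """Distinct hosts that used a honeytoken. Each one is compromised or
    attacker-operated, whether or not it ever touched a decoy."""
    return sorted({a.source for a in alerts if a.source != "unknown"})


# Constructed sample logs: the first host tries a planted account and then
# resolves a decoy hostname; a second host that never touched the decoy uses
# the planted cloud key, as in the second scenario above. The alice and bob
# lines are ordinary activity and must not alert.
SAMPLE_LOGS = [
    "2015-08-07T02:14:03Z auth sshd: Accepted password for user=alice src=10.0.4.17",
    "2015-08-07T02:15:41Z auth sshd: Failed password for user=svc_backup_ro src=10.0.4.17",
    "2015-08-07T02:16:09Z dns query=fs-archive-02.corp.example client=10.0.4.17",
    "2015-08-07T02:20:55Z api GET /v1/buckets access_key=AKIA_DECOY_0F1E2D3C src=10.0.9.3",
    "2015-08-07T02:21:12Z auth sshd: Accepted password for user=bob src=10.0.4.20",
]

if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT token={a.token} src={a.source} ({a.reason})")
    print("isolate:", hosts_to_isolate(found))
```

Run against the constructed logs this raises three alerts and names two hosts for isolation, 10.0.4.17 and 10.0.9.3; the second host is exactly the teammate from the scenario, caught by the false flag alone. In a real deployment the token list would be generated per deployment and kept out of the logs themselves, and the alert would feed the same isolation and blocking actions described for the decoy case.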
Bottom line: Deception Operations are not a silver bullet, but then again, nothing is. However, with a vendor that has the right vision of how Deception Operations fit into enterprise Security Operations and Incident Response, you will be able to significantly increase your detection and prevention capabilities, particularly when dealing with Advanced Targeted Threat groups.
And that’s how you win the war.