You've probably heard of honeypots: decoy targets that give an attacker away the moment they are attacked. In recent years this technology has been upgraded and is now collectively referred to as Deception. We will talk about how the two differ and how attackers are led by the nose.
The English word deception means deceit, and the name reflects the essence of the solution exactly: to catch an attacker, the traps must be indistinguishable from real services.
Today this technology is represented mainly by foreign (American and Israeli) vendors. Among them the best known are TrapX, Illusive Networks, Fidelis, Cymmetria MazeRunner and Canary. Russian manufacturers are thinner on the ground. There is Security Code's Honeypot Manager, released in 2009, which is more than a honeypot but not yet a full-fledged Deception. There are a couple of fresh full-fledged solutions: Bastion Security Platform, which my colleagues and I are developing at Bastion, and Xello. Several open source programs can also be found.
From a developer's standpoint, I plan to talk about what Deception is and why it is interesting. But first, a word about the forerunner of this technology: honeypots.
A honeypot ("pot of honey") can be considered the first incarnation of Deception technology; honeypots appeared in the late eighties to early nineties. A honeypot is a network entity whose sole purpose is to attract an attacker and be attacked.
A honeypot carries no other value in the network where it is installed; there are no legitimate network interactions with it. When a honeypot is attacked, it records this and saves all of the attacker's actions. This data later helps to analyze the attacker's path.
A side goal of the honeypot is to delay the advance of the attacker through the network, forcing him to spend time studying the false resource.
A honeypot can be a full-fledged operating system that emulates an employee's workstation or a server, or just a separate service.
However, honeypots themselves have several disadvantages:
- each fake server has to be configured separately;
- honeypots do not interact with each other or with the elements of the infrastructure they sit in. They leave no traces, and are therefore hard for an attacker to come across;
- honeypots, as a rule, are not integrated into a centralized system.
This technology was gradually replaced by another, more advanced and intelligent one – Deception.
The essence of deception technology
Deception belongs to the Intrusion Detection System (IDS) class. The main purpose of such a system is to detect attempts at unauthorized access to the network; in other words, Deception helps detect network attacks.
What is the difference between Deception and honeypots? A honeypot is a stand-alone network resource that interacts with no one and only waits for an attacker in order to record his actions. Deception, on the other hand, is a centralized system for managing false network objects, commonly referred to as decoys or traps. Each trap is, in fact, a separate honeypot, but all of them are connected to a central server.
Such solutions usually have a convenient interface for managing traps. The operator can create traps with the desired set of emulated network services, in the chosen subnet, with the desired method of obtaining an IP address, and so on.
Traps and the services emulated on them maintain a constant connection to the server. Just like honeypots, traps in Deception take part in no legitimate network communication (except with other Deception components).
The trap informs the server about any attempt to interact with it: such an attempt serves as an indicator of an attack. The operator can then instantly receive a notification of the event, with the details of what happened: source and target address and port, the protocol, the response time, and so on.
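The trap-to-server reporting described above, as an added example that is not code from the article or from any of the products it names: a decoy TCP listener that treats every connection as an attack indicator and reports source and target address and port, protocol and timestamp to a stand-in central collector. The `Collector`, `Trap` and `simulate_probe` names are assumptions made for this illustration, and the probe is a constructed connection from the same machine.

```python
import socket
import threading
import time
from dataclasses import dataclass

@dataclass
class TrapEvent:
    """Details a trap reports to the central server on any interaction attempt."""
    trap_id: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float

class Collector:
    """Stand-in for the central Deception server that every trap reports to."""
    def __init__(self):
        self.events = []
    def report(self, event):
        self.events.append(event)
    def alerts(self, trap_id):
        return [e for e in self.events if e.trap_id == trap_id]

class Trap:
    """Decoy TCP listener: it has no legitimate clients, so every connect is an alert."""
    def __init__(self, trap_id, collector, host="127.0.0.1", port=0):
        self.trap_id, self.collector = trap_id, collector
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))  # port 0: the OS picks a free port
        self.sock.listen(5)
        self.host, self.port = self.sock.getsockname()
    def accept_one(self):
        conn, (src_ip, src_port) = self.sock.accept()
        conn.close()  # nothing real behind the decoy; a fake banner could go here
        event = TrapEvent(self.trap_id, "tcp", src_ip, src_port, self.host, self.port, time.time())
        self.collector.report(event)
        return event

def simulate_probe(trap):
    """Constructed scan from this machine; returns the client's source port."""
    seen = {}
    def connect():
        with socket.create_connection((trap.host, trap.port)) as s:
            seen["src_port"] = s.getsockname()[1]
    t = threading.Thread(target=connect); t.start()
    trap.accept_one()
    t.join()
    return seen["src_port"]
```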
Deception add-on modules can also provide manual or automated incident response capabilities.
A Deception solution can include other components as well. Some simplify configuration and automate deployment, others make traps look more like real network services, and still others draw attackers' attention to the decoys.
Some components solve related tasks: for example, responding to incidents, collecting indicators of compromise from workstations, and searching for vulnerable software on them.
An agent is a program installed on real user workstations or servers. It knows how to communicate with the Deception server, execute its commands and send useful data to the control center.
Deception solutions include both products that rely on an agent and those that do without one.
The tasks of an agent may include:
- collection of data on the state of workstations;
- distribution of baits;
- emulation of network activity;
- incident response (manual or automated);
- data collection for forensics;
- anything else, within the limits of customer needs and the developer's imagination.
It makes sense to hide the agent's activity from the person working at the computer. Why? First, the user could intentionally or accidentally delete the agent or its components.
Second, the presence of unknown software (or software known only to a certain extent, if the user has been warned about it) on a workstation can cause discomfort.
Third, everything the user sees will also be seen by an attacker who has gained access to the computer. We don't want to show our cards to the attacker, right?
Therefore, agent-based Deception solutions should be built so that the user sees neither the agent nor traces of its activity (or at least so that this is minimized).
For this reason, agents usually run in privileged mode, as a driver on Windows or a kernel module on Linux. This makes it possible, for example, to intercept system calls to provide stealth, and also prevents the user from deleting the agent or interfering with its work.