DECEPTION TECHNOLOGY: traps for hackers.
While a couple of decades ago, classic antivirus was enough to ensure cybersecurity, nowadays not only network and host-based defenses are used, but also a number of other systems that help identify attackers.
These systems include new solutions of the DDP (Distributed Deception Platform) class, whose purpose is to create a false infrastructure with which a hacker will interact. The task of the DDP platform is not only to create a distributed infrastructure of false targets to divert the attacker’s attention, but also to signal the information security officer about the penetration of the perimeter and the beginning of malicious activity.
When the system is deployed, decoys are created that will contain fake accounts with administrator privileges in various systems and services, from Active Directory (AD) to browsers. It is also possible to customize traps that will mimic information systems where sensitive data is supposedly processed. This will help disorient an attacker and identify his actions when he tries to use false assets to develop an attack.
The purpose of placing traps is to attract the attacker’s attention, divert it away from real enterprise resources and keep it busy for a while, while gathering information about the attacker’s location, tools and attack methods – in other words, everything necessary to detect and stop a missed attack. Traps range in complexity from simulating simple network services such as SMB, RDP, SSH, HTTP(S), MySQL and others, to simulating devices such as switches, ATMs, POS terminals, Internet of Things (IoT) devices, medical equipment and SCADA systems. And the number of traps placed in an enterprise network can reach several thousand. Thus, an attacker will inevitably encounter traps when scouting the network or following decoys. Lures, or breadcrumbs, are fake data placed on real network devices, such as RDP credentials in the Windows Credentials Manager, SSH credentials in command history, web application credentials in cookies, and so on. Another example would be false data sets, such as confidential documents, databases, which would be of interest to attackers. Attacker deception techniques are most effective in the early stages of an attack, when attackers collect infrastructure data, analyze it, and use it to move horizontally across the network. At the same time, the use of deception techniques is potentially possible at all stages of an attack using the Cyber Kill Chain model. A fake infrastructure layer created using traps and decoys allows the attackers’ tactics to be used against them.
It should be noted that this class of defenses is intended to be the last line of defense for enterprises when an attacker has gained access to enterprise resources by overcoming all echelons of defense.
