You can use “deception technology” to find out whether an attacker is already inside your network. It works by tricking attackers into touching decoy resources on your network, which gives them away.
Cyberattackers can be exposed by setting up a trap
After a successful compromise, adversaries often start out ‘in the dark’: they do not know which systems they have gained access to, how those systems are used, or how they connect to the rest of the organization. Ross Bevington, principal security researcher at the Microsoft Threat Intelligence Center, told TechRepublic that adversaries are most likely to probe other services and systems during this reconnaissance phase.
This is where deception technology comes in: honeypots (infrastructure that looks like a database or server but runs no real workload), honeytokens (decoy objects planted in real workloads you are already running) and similar devices. Bevington said that high-fidelity detection logic can be built by presenting systems and services an attacker is interested in but which are not used by any business process.
He explained that deception technology works best when it is hard to tell the real systems and the fake ones apart from a remote probe.
Once someone touches a decoy, you know an attacker is out there: nobody has a legitimate reason to access these resources. It could turn out to be a new employee who needs some training, but it could equally be an attacker.
You can use deception inside your network as a tripwire to detect intrusions, or you can deliberately expose it to the internet, as Microsoft does, “…to collect threat intelligence about what adversaries might be doing before compromise,” he said.
Bevington said deception technology has two goals: to increase the attacker’s cost and to decrease the defender’s.
Some deception techniques take more effort than others. Bevington said many customers customize their lures, traps and decoys to suit their environment.
Running additional infrastructure, however, can be costly and time-consuming. A honeypot must look legitimate, but it must not copy any real sensitive data; otherwise attackers will be able to tell that it is a fake. The security team that runs a honeypot may not know the real workloads as well as the admins or operations teams do, and the software engineering teams that do know them have not had tools for building these traps (even though the “shift left” philosophy of DevOps has made them more involved in security).
Honeytokens are fake tokens placed in existing workloads, with legitimate-looking names that match your real resources. They are easy to deploy, cheap, and can be used in as many workloads and for as long as you need: once set up they can be left in place for months or even years without further effort, according to Bevington. Tokens are increasingly used as a low-cost, high-signal way of catching all kinds of adversaries.
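The two properties the article attributes to honeytokens (they look like real resources, and any access is a high-fidelity signal because no business process uses them) are easy to show in code. The following is an added example written for this page, not Microsoft's tooling or anything from the original article. It mints decoy credentials whose names mimic real secrets, keeps only a fingerprint of the decoy value in the detector, and then runs that detector over a few constructed JSON audit-log lines; the log field names (`secret_name`, `credential_fingerprint`, `caller`, `source_ip`) are an assumed generic format, not any vendor's real schema.

```python
"""Honeytoken minting and high-fidelity detection over audit-log lines.

Added example for this article; not Microsoft code. The JSON audit-log field
names used below are an assumption standing in for whatever your SIEM emits.
"""
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Honeytoken:
    name: str          # chosen to look like a real secret in the same store
    value: str         # the decoy credential itself; no workload ever uses it
    fingerprint: str   # what the detector stores, so the value stays out of the SIEM


def fingerprint(value: str) -> str:
    """Short, stable identifier for a credential value (SHA-256 prefix)."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def mint_honeytoken(name: str, value: Optional[str] = None) -> Honeytoken:
    """Create a decoy credential. `value` is only supplied for reproducible runs;
    in production leave it None so the value is random (40 hex chars)."""
    value = value or secrets.token_hex(20)
    return Honeytoken(name, value, fingerprint(value))


def detect_honeytoken_use(log_lines: Iterable[str], tokens: Iterable[Honeytoken]) -> List[dict]:
    """Alert on every audit line that reads a decoy by name or presents its value.

    There is no allow-list and no baseline: because no business process uses
    these objects, a single hit is enough to alert (the high-fidelity property).
    """
    by_name = {t.name: t for t in tokens}
    by_fp = {t.fingerprint: t for t in tokens}
    alerts = []
    for raw in log_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not our format; a real pipeline would count or route these
        hit = by_name.get(ev.get("secret_name")) or by_fp.get(ev.get("credential_fingerprint"))
        if hit is None:
            continue
        alerts.append({
            "severity": "high",
            "token": hit.name,
            "actor": ev.get("caller", "unknown"),
            "source_ip": ev.get("source_ip", "unknown"),
            "time": ev.get("time"),
            "reason": "honeytoken accessed: no business process uses this object",
        })
    return alerts


# Constructed sample data for this example; fixed values keep the run reproducible.
# The decoy names sit next to plausible real ones ("payments-api-key") on purpose.
SAMPLE_TOKENS = [
    mint_honeytoken("prod-sql-connstring-backup", value="c0ffee" * 6),
    mint_honeytoken("payments-api-key-legacy", value="deadbeef" * 5),
]

SAMPLE_LOG = [
    # normal use of a real secret by a real service: no alert
    json.dumps({"time": "2024-05-01T09:00:01Z", "caller": "app-payments", "source_ip": "10.0.4.12",
                "secret_name": "payments-api-key", "op": "SecretGet"}),
    # someone enumerating the store reads the decoy by name: alert
    json.dumps({"time": "2024-05-01T09:03:44Z", "caller": "svc-backup", "source_ip": "10.0.9.77",
                "secret_name": "prod-sql-connstring-backup", "op": "SecretGet"}),
    # the decoy credential is later presented to an API: matched by fingerprint, alert
    json.dumps({"time": "2024-05-01T11:17:02Z", "caller": "anonymous", "source_ip": "203.0.113.5",
                "credential_fingerprint": fingerprint("deadbeef" * 5), "op": "Authenticate"}),
    "not json at all",  # malformed line is skipped, not treated as a hit
]


def run_demo() -> List[dict]:
    """Run the detector over the constructed log; returns the two expected alerts."""
    return detect_honeytoken_use(SAMPLE_LOG, SAMPLE_TOKENS)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Storing only the fingerprint in the detector matters in practice: the alerting pipeline and its operators then never see a usable credential, so a leaked SIEM export does not turn the decoy into a real one. The second matching path (by fingerprint of the presented value) is what catches an attacker who copied the token earlier and only tries it later, possibly from outside the network.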
When a honeytoken is tripped, however, you will not learn much about the adversary or their motives. A honeypot gives security teams more information about the attacker.
Which information you need depends on the type of threat you face, Bevington says. Honeypots can give defenders significant threat intelligence about who the attacker is and what they want to accomplish, but at a higher cost: honeypots need CPU and memory, and they require ongoing attention and maintenance. Many organizations do not need this extra information and may find that tokens are sufficient.
Honeytokens made simple
Microsoft has used deception techniques for a long time, because so many attackers try to access Microsoft services and customer accounts; this is part of what Microsoft calls its “sensor network”. “We’ve seen great benefit in embedding technology such as tokens and honeypots within our internal security posture,” Bevington said. Microsoft analysts have used this deception data to identify new threats against Windows and Linux, including an attacker using the Weave Scope monitoring framework to compromise containers, and Trickbot and Mozi activity against an exposed Docker API server.
It might seem counterintuitive to invite attackers into Azure Key Vault, but doing so is a way to find out whether the service has been properly secured with options such as managed identity. Bevington noted that honeytokens posing as access credentials and secrets offer an adversary a substantial apparent reward, so it is important to have basic security hygiene such as MFA and passwordless authentication in place, and to monitor alerts from honeytokens and other deception technology closely.