Deception technologies and approaches
'Medium-Interaction' Honeypots to the Rescue
Honeypots are a form of deception and traditionally come in two varieties, now three if you ask Harper. High-interaction honeypots are fully live systems sitting on the network, set up with real services that an attacker can poke and prod. While the systems do not have any legitimate use, nothing there is fake and so the enterprise would need to institute security and monitoring around it, both to detect when someone has taken the bait and to ensure that an attacker doesn't make it beyond the honeypot to the rest of the network, explains Harper. "We call it high-interaction because the attacker has a lot to work with," says Harper.
Another form is the low-interaction honeypot. This kind is entirely phony. "If you break it, it will just crash the application at the end of it," says Harper. These are rightly called low-interaction honeypots because they don't keep an attacker fooled or interested for very long.
"Now there's something in between, which I would call a medium-interaction honeypot. And I think TrapX is a good example of that," says Harper. (Honey Badger, mentioned later, is a similar tool. Dionaea is still another example of a tool for setting up honeypots.)
Medium-interaction tools are fake, yet they give the attacker a lot to work with, so the attacker stays involved longer, is fooled longer, and gives you more time to learn about them. They can even help you learn enough about an attack, such as a zero-day exploit, to produce a signature for it. For this reason, attackers who realize that a network uses these honeypots will go elsewhere, lest they lose their complex zero-day exploit to an antivirus signature, explains Harper.
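To make the low- versus medium-interaction distinction concrete, here is an added toy session emulator (example code written for this page, not code from the article, TrapX, Dionaea or ADHD). The host banner, fake file system, source address and sample command sequence are all constructed; the point is that the low-interaction handler dies on anything unexpected, while the medium-interaction handler keeps answering plausibly and records every action for the defenders.

```python
"""Toy medium-interaction honeypot session emulator (added example, not part of the
article). A low-interaction fake bails out on anything unexpected; a medium-interaction
fake keeps answering plausibly so the intruder stays engaged and every action is logged."""
import datetime
import json
# Constructed fake file system and host banner the emulated shell pretends to expose.
FAKE_FS = {"/": ["etc", "home", "var"], "/etc": ["passwd", "hosts"], "/home": ["admin"]}
FAKE_FILES = {"/etc/hosts": "127.0.0.1 localhost\n"}
BANNER = "Linux fileserver 4.4.0 #1 SMP x86_64 GNU/Linux"

def low_interaction(command):
    """Low-interaction behaviour: one canned answer, anything else ends the session."""
    if command == "uname -a":
        return BANNER
    raise ConnectionResetError("unsupported input")  # the 'crash' the article describes

def _abs(path, cwd):
    return path if path.startswith("/") else cwd.rstrip("/") + "/" + path

def medium_interaction(command, cwd):
    """Medium-interaction behaviour: emulate a handful of commands plausibly and give a
    realistic error for everything else, so the session never dies. Returns (output, cwd)."""
    parts = command.split()
    if not parts:
        return "", cwd
    name, args = parts[0], parts[1:]
    if name == "pwd":
        return cwd, cwd
    if name == "ls":
        return "  ".join(FAKE_FS.get(cwd, [])), cwd
    if name == "cd" and args:
        target = _abs(args[0], cwd)
        return ("", target) if target in FAKE_FS else (f"bash: cd: {args[0]}: No such file or directory", cwd)
    if name == "cat" and args:
        return FAKE_FILES.get(_abs(args[0], cwd), f"cat: {args[0]}: Permission denied"), cwd
    if name == "uname":
        return BANNER, cwd
    return f"bash: {name}: command not found", cwd  # plausible reply that keeps them typing

def run_session(src_ip, commands):
    """Replay a captured command sequence and build the record a defender wants: the full
    transcript plus an alert, since any use of a honeypot is by definition unauthorised."""
    cwd, transcript = "/", []
    for cmd in commands:
        out, cwd = medium_interaction(cmd, cwd)
        transcript.append({"ts": datetime.datetime.now(datetime.timezone.utc).isoformat(), "cmd": cmd, "out": out})
    return {"alert": "honeypot-interaction", "src_ip": src_ip, "commands": len(transcript), "transcript": transcript}

if __name__ == "__main__":  # constructed sample of what an intruder might type on the fake host
    print(json.dumps(run_session("198.51.100.7", ["uname -a", "cd /etc", "ls", "cat hosts", "sudo su"]), indent=1))
```

A real deployment would wrap `medium_interaction` in a network listener and ship each `run_session` record to the SIEM; the emulator is deliberately kept in-process here so the logic can be exercised offline.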
The Active Defense Harbinger Distribution
The Active Defense Harbinger Distribution (ADHD) is a Linux distribution dedicated to deception. This distribution includes tools such as Honey Badger, Artillery, WebLabyrinth, and Spidertrap. "The Active Defense Harbinger Distribution is designed to make it as easy as possible for someone to utilize these tools and implement them in their own organization, with full step-by-step tutorials built in," says John Strand, Instructor, SANS Institute.
The Honey Badger tool is a honeypot that purports to offer attackers the administrative functions they want to control. "It has applications in the form of ActiveX controls or Java applets. When the attacker runs them thinking that they're going to successfully hack into the site, it actually does geolocation on where the hacker is, within 20 meters," says Strand. The tool estimates geolocation using the same technique smartphones use, triangulating position relative to nearby cell sites and wireless access points (WAPs). This helps legal authorities to act more precisely.