By Ana Marinez
March 2, 2023
Imagine your home or organization were a bank. A bank goes out of its way to safeguard your money by having security in place: physical and video surveillance, vaults protecting your assets, and armed guards. Similarly, organizations can take proactive steps and techniques to quickly identify, respond to and remediate an active attack on their cybersecurity infrastructure. Your organization may not be immune to a breach, a threat actor or an Advanced Persistent Threat (APT) group; however, you can prevent an attack by understanding the right techniques and having the right knowledge.
Cyber defenders in organizations find themselves brainstorming ways to keep up with the most current tactics and techniques used by threat actors, and to understand which techniques are being employed against their organizations. Commonly, these are implemented as signature-based or anomaly-based detections from security tools such as EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), email security platforms, NGFWs (Next Generation Firewalls) and WAFs (Web Application Firewalls), or as rules written by a detection engineering team. These implementations are essential to a company’s security program. They provide immense value to companies as a way to protect, defend, alert and help investigate potential intrusions. However, I would like to provide a brief introduction to an additional solution that has been growing in popularity and can provide some of the highest-fidelity alerts and indicators of an active compromise. This method is called cyber deception.
What is Cyber Deception?
Cyber deception is a practice used by defenders to actively misguide, identify, and learn about the presence of intruders through the placement of decoys, dupes, and fake resources. I can understand how the “deception” portion may seem a bit intimidating, and it could be… for the attacker, that is. Imagine a threat actor trying to break into an organization that has not only prepared itself with standard defenses but, in the case of a successful compromise, leaves the attacker in a Kevin McCallister (Home Alone) situation… a house full of traps and tripwires.
Cyber deception is not a new concept. If you have heard of, or implemented, honeypots, then you have already fiddled with cyber deception technologies. Cyber deception can be seen as the umbrella encompassing all the different techniques and solutions defenders can implement to deceive threat actors. This methodology is rooted in common concepts found in military playbooks, historical events and even mythological stories. Attackers implement thorough deception techniques to trick users into clicking a malicious link or running malicious programs for their own gain and benefit. Through a cyber deception program, defenders can now pull a reverse Uno and detect these attackers in a methodical and pragmatic manner.
As defenders, we have frameworks that can help us categorize an attacker's Tactics, Techniques and Procedures (TTPs) as well as the stage an attacker may be at during a compromise. The most common frameworks are MITRE ATT&CK and the Cyber Kill Chain. These frameworks are used to find gaps and detection opportunities in a security program. In addition, MITRE has also released a new framework, Engage, to help plan, standardize and carry out a top-notch cyber deception program. MITRE also provides an ATT&CK mapping matrix to help drive efficient decisions if a company were to also implement an active defensive countermeasures program. These frameworks can be leveraged to help identify the optimal locations to place your cyber deception decoys, as well as which technique to use.
These techniques have changed a lot since honeypots were first introduced. Some of the most common techniques are:
Honeynets and Honeypots
Honeypots are manufactured targets, purposely vulnerable, that help lure attackers away from legitimate targets. Honeypots can provide a mountain of useful information for defenders who want to learn which techniques are being used by threat actors actively trying to compromise their organization. Honeypots can be low-interaction or high-interaction. Low-interaction honeypots are just emulators of services that alert when a malicious interaction is happening against those services. They do not give an attacker access to the underlying operating system; they are easier to deploy but also return less information about what an attacker is doing. Examples of low-interaction honeypots are honeyd, Conpot, and SNARE. High-interaction honeypots, on the other hand, are complete systems running vulnerable services or decoys that can give an attacker full access if compromised. These return the most thorough information on what an attacker is doing on a system. They can take considerably more time to deploy, but if done properly they provide a good return on investment (ROI). High-interaction honeypot deployments can be automated through the use of virtual cloud environments (GCP, AWS, Azure), pre-built images (Packer, Docker, etc.), and Terraform.
Honeynets are collections of different honeypots and can be implemented via multiple hosts running commonly exploitable services or applications on servers with different roles, such as an Exchange server, a web server and a database server. In addition, implementing port-based honeypots (such as KFSensor) in your honeynet can provide great value.
Honey Tokens
Honey tokens are fake records or decoys that can seem lucrative to an attacker but do not contain any data that could actually harm the organization. Honey tokens can be files, emails, authentication tokens and even credit cards (more on this later).
Honey Users
Honey users are very similar to honey tokens. They are bogus accounts that are not associated with a legitimate user. Since they are fake, no one should be logging in with these accounts. If authentication attempts or activity from a honey user account are detected, they should be investigated.
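Honey-user monitoring in practice, as an added example that is not part of the original post: the decoy account names, the key=value log format and the sample events below are all constructed. The logic flags any logon event (successful or failed) that names a decoy account, whatever username format the log uses, and tallies hits per source host.

```python
import re

# Constructed decoy accounts: created in the directory, never handed to anyone,
# so any logon attempt against them (success or failure) is worth investigating.
HONEY_USERS = {"svc_backup_admin", "hr.archive"}

# Constructed sample events in a simplified key=value format (not real logs).
SAMPLE_LOGS = [
    'ts=2023-03-01T08:02:11Z event=logon result=success user="CORP\\alice" src=10.10.4.21',
    'ts=2023-03-01T08:05:40Z event=logon result=failure user="corp\\svc_backup_admin" src=10.10.9.77',
    'ts=2023-03-01T08:05:42Z event=logon result=failure user="svc_backup_admin@corp.local" src=10.10.9.77',
    'ts=2023-03-01T08:06:03Z event=logon result=success user="HR.Archive" src=10.10.9.77',
    'ts=2023-03-01T08:07:15Z event=logon result=success user="bob" src=10.10.4.30',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def normalize_user(raw):
    """'CORP\\Bob' or 'bob@corp.local' -> 'bob', so decoy names match any log format."""
    name = raw.rsplit("\\", 1)[-1]   # drop DOMAIN\ prefix
    name = name.split("@", 1)[0]     # drop @realm suffix
    return name.lower()

def honey_user_alerts(lines, honey_users=HONEY_USERS):
    """Return one alert per event that references a honey user."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if "user" not in ev:
            continue
        user = normalize_user(ev["user"])
        if user in honey_users:
            alerts.append({"user": user, "src": ev.get("src"), "ts": ev.get("ts"),
                           "result": ev.get("result"), "raw": line})
    return alerts

def hits_per_source(alerts):
    """Count decoy touches per source host; one host probing several decoys is a
    strong sign of credential spraying or lateral movement."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts

if __name__ == "__main__":
    found = honey_user_alerts(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT: honey user {a['user']} {a['result']} logon from {a['src']} at {a['ts']}")
    print("hits per source:", hits_per_source(found))
```

Because a honey user never logs in legitimately, even the failed attempts here are actionable; the per-source tally turns three separate events from 10.10.9.77 into one clear lead for the SOC.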
Benefits of Cyber Deception
One of the biggest hurdles for a cyber defense team can be identifying the high-fidelity alerts or rules that help their Security Operations Center (SOC) quickly determine that they are dealing with a true positive event. By planting different decoys across a given environment, any access to or signal from a decoy becomes an extremely high-fidelity alert for the SOC. Of course, false positives can be triggered by curious employees, but these are low volume, and even then they could help an organization identify an insider threat.
Additionally, cyber deception can provide defenders with early signs of an intrusion and detect breaches where other defensive technologies may have failed. Just think about all the different honey tokens and traps you can deploy across your organization – there can be hundreds. While an attacker has to evade every single decoy, the defenders only need them to trip over a single trap. This type of solution can be incredibly rewarding. Another great benefit of this type of program is that it can help detection engineering, threat intelligence, and threat hunting teams identify new Tactics, Techniques and Procedures (TTPs), and even zero days (vulnerabilities that have not been patched or may be unknown to the vendor/author of the affected technology). By identifying new attacker techniques and behaviors, security teams can improve their detections, identify visibility gaps, and integrate continuous intel feedback to help drive innovation and improvement of the company’s security program.
There are many open-source software (OSS) projects that can help anyone get started with their own cyber defense project. Open-source projects are typically GitHub repositories that are publicly accessible. Anyone around the world can clone the source code and contribute via a pull request to that repository. Collaborating on open-source projects is a great way to build out your digital portfolio and get connected with industry subject matter experts. No experience is required, only time to dedicate to the project and its cadence meetings. I will leave some useful links at the end of this blog post.
One of my favorite open-source projects that has emerged for cyber deception technologies is Canarytokens. I talked a little bit earlier about honey tokens and how they are baits that you can leave around your environments and just wait until someone interacts with them so you can get an alert. Canarytokens are an incredibly easy way to implement these honey tokens. The Canarytokens project is developed and maintained by Thinkst Canary. They have their own commercial solution, but have also made a large portion of their Canarytokens solution open source, so it can be implemented and deployed by everyone.
As of this writing there are 22 different Canarytokens you can configure and use as tripwires. These include AWS keys, Microsoft Word documents, PDF documents, web bugs, and even credit cards. To demonstrate how these work, I will create a Canarytoken using Thinkst's public Canarytokens server.
First I went to https://canarytokens.org/generate and selected the “Microsoft Excel document”.
On the form I filled out my email and placed some useful information on where this document is going to be placed. That’s so when I get the notification, I know where this decoy was located.
After clicking “Create my Canarytoken”, I was able to download my tripwire.
Next, I placed it under a directory name that seems tempting and renamed the document “employee_directory_2023.xlsx”.
After clicking on the document, I immediately got an alert advising that my Canarytoken had triggered!
As mentioned, the Thinkst Applied Research team has made the Canarytokens implementation open source, so you can create your own Canarytokens server. They even have a Docker image and great documentation to get you started. You can use this with your own company domain and make it even more believable for your organization.
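To show the mechanism behind a web-bug style token, here is an added example that is neither the post's nor Thinkst's Canarytokens code: a minimal tripwire server that issues one unique URL per decoy, stores the memo describing where the decoy lives, and turns any request to that URL into an alert carrying that memo. The hostname, port and memo text are placeholders.

```python
import datetime
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Registry of issued tokens: token id -> memo describing where the decoy was
# placed, so the alert tells the responder which tripwire fired.
TOKENS = {}
ALERTS = []  # every hit, kept for investigation

# Assumed (placeholder) hostname for the tripwire server; use your own domain.
BASE_URL = "https://tokens.example.internal"

def create_token(memo):
    """Register a new tripwire and return the unique URL to embed in the decoy."""
    token = secrets.token_hex(16)  # 128-bit random id: unguessable, unique per decoy
    TOKENS[token] = memo
    return f"{BASE_URL}/t/{token}"

def handle_hit(path, source_ip, user_agent, now=None):
    """Return an alert dict if the requested path is a registered token, else None."""
    parts = urlsplit(path).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "t" or parts[1] not in TOKENS:
        return None  # not one of our tripwires (scanners hitting random paths, etc.)
    alert = {
        "token": parts[1],
        "memo": TOKENS[parts[1]],
        "source_ip": source_ip,
        "user_agent": user_agent,
        "time": (now or datetime.datetime.now(datetime.timezone.utc)).isoformat(),
    }
    ALERTS.append(alert)
    return alert

class TokenHandler(BaseHTTPRequestHandler):
    """Answers every request harmlessly; the only side effect is the alert."""
    def do_GET(self):
        alert = handle_hit(self.path, self.client_address[0],
                           self.headers.get("User-Agent", ""))
        if alert:
            print("ALERT: decoy opened:", alert)  # route to e-mail/SIEM/chat in practice
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

if __name__ == "__main__":
    print("embed in decoy:", create_token("employee_directory_2023.xlsx on the HR share"))
    HTTPServer(("127.0.0.1", 8080), TokenHandler).serve_forever()
```

Nothing legitimate ever requests a token URL, which is why a single hit is a high-fidelity signal; the memo recorded at creation time is what makes the alert immediately actionable.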
Additional thoughts and resources
There are many ways cyber defenses can be implemented in your organization, not only to help identify active threats, but also potential ones. As an example, if you or your company want to know whether your public repositories on GitHub are being probed and scanned for sensitive data (secrets), you could introduce an AWS secret key Canarytoken and place it somewhere in your code. Any future alerts from this token would let you know someone is actively looking for ways to get into your AWS environments.
No company, organization or establishment is immune to being breached by a threat actor or Advanced Persistent Threat (APT) group. However, organizations can prepare with these techniques to quickly identify, respond and remediate an active attack.
Cyber deception is not there to replace a company’s existing security tools, but to add another layer to those existing defenses.
Similar to Canarytokens, the cyber community is filled with fantastic, selfless individuals and researchers who have provided great resources and documentation and have contributed to projects to help evolve the cyber deception concept. Here are a few of my favorite resources that can help you get started:
Cyber Deception Courses and Workshops:
Active Defense & Cyber Deception w/ John Strand (Pay what you can)
Active Defense & Cyber Deception | Intro (Free)
SEC550: Cyber Deception - Attack Detection, Disruption and Active Defense (Not free)
Novel Trick or Critical Component: How Does Cyber Deception Fit Into Modern Security Architecture? Talk by the SANS Course author Kevin Fiscus (Free)
Hackers Are People Too: Using Cyber Deception To Combat The Human Element Of Cyber Attacks Talk by the SANS Course author Kevin Fiscus (Free)
GitHub Repos with More Resources (Open Source Projects)
awesome-threat-detection by 0x4D31
Awesome-Deception by tolgadevsec
Deception as Detection by 0x4D31
MITRE | Engage™
Latinas in Cyber
Latinas In Cyber (LAIC)'s mission is to build a diverse and equitable cybersecurity community for Latinas. If you are interested in learning more or supporting LAIC, reach out or comment below. Work alongside a Latina in Cyber Big Sister and join LAIC's Discord Channel for daily conversations around your digital portfolio, getting started, personal growth, interview and negotiation tips and tricks.