Honeypots are dead. Long live honeypots…

Hi, I’m the resident hacker. These are thoughts from that point of view.
Early honeypots were not much of a success. This was deception fail; call it Deception 1.0… It was a great idea and a good science experiment, but ultimately it didn’t stop much, and it was not the honeypot that kept the likes of me out of your environment. OK for a first try in the early days… not so great in the modern era.

Honeypots are DEAD! Long live Honeypots.

OK, this is going to be a 4-part set of thoughts…

  • Honeypots are dead! Long live Honeypots (Part 1… Many Targets, One Access Point)
  • Honeypots are dead! Long live Honeypots (Part 2… Landed, Now What?)
  • Honeypots are dead! Long live Honeypots (Part 3… The Future’s Just Changed)
  • Honeypots are dead! Long live Honeypots (Part 4… The Crystal Ball)

Some overall thoughts:

You can’t stop us from getting in. Simple truth, and debatable for as long as you like: for every instance you give us of a technology that is “meant to be a barrier”, we will give you several ways past that illusory roadblock.

  • You put a firewall in place; we went past those in the 90’s and never looked back.
  • You put IDS/IPS in place, and we can bypass that.
  • You use DLP, but you leave port 80 open for web traffic, or you don’t filter… we can exfiltrate anything.
  • You have “deep packet inspection”, but we’ve been bypassing that since 2012.
  • You have patches… congratulations, we have 0Days.
  • You have Antivirus… congratulations, it’s at best 3-7% effective, and half the time it is disabled.
  • You have endpoint protection, but the logs are local and nobody reviews them.
  • You have a SIEM fully installed… and you have more alerts than a full team of minions can handle.
  • You have IoT; we now have an entire landscape of attack vectors that are unmonitored.
  • You have built-in encryption, but the computer is ON, which bypasses it.
  • You WOULD have policies, procedures and controls IF you could all agree and not fight.

YOU have to be successful 100% of the time; we only have to get lucky once.
There are obviously a lot more facets to this argument, but overall this is a game of chess and you are missing your queen and your rooks.
We will use the basic building blocks of an attack scenario that are well understood within the Information Security industry, as follows:

  1. Initial Reconnaissance (OSINT, SIGINT, HUMINT, Actual Threat Intelligence)
  2. Initial Compromise (HOW to get into you, what is the trigger?)
  3. Establish Footholds (Maintaining persistence)
  4. Escalate Privileges (All your ADMIN accounts belong to us)
  5. Additional Reconnaissance where we will move laterally and continue to maintain presence
  6. Complete (Successful exfiltration of your data)

So, at this point we have set our stage, given the initial entry vectors, and proved we can get TO that initial system; the next blog will go into the how’s and where’s and what’s… and obviously what we CAN do to stop this never-ending cycle.