{"id":2013,"date":"2016-10-19T19:08:02","date_gmt":"2016-10-20T02:08:02","guid":{"rendered":"https:\/\/new.acalvio.com\/?p=2013"},"modified":"2016-10-19T19:08:02","modified_gmt":"2016-10-20T02:08:02","slug":"honeypots-are-dead-long-live-honeypots","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2016\/10\/19\/honeypots-are-dead-long-live-honeypots\/","title":{"rendered":"Honeypots are dead. Long live honeypots&#8230;"},"content":{"rendered":"<p>Hi, I&#8217;m the resident hacker. These are thoughts from that point of view.<br \/>\nEarly Honeypots were not much of a success. This was deception fail, call it Deception 1.0&#8230;It was a great idea, good science experiment, but ultimately didn&#8217;t stop much&#8230;and was not the honeypot that kept the likes of me out of your environment&#8230;.. OK for a first try in the early days&#8230;.not so great in the modern era&#8230;..<br \/>\n<img loading=\"lazy\" class=\"aligncenter size-full wp-image-2015\" src=\"https:\/\/new.acalvio.com\/wp-content\/uploads\/2018\/03\/sealswamp.png\" alt=\"\" width=\"640\" height=\"323\" srcset=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/sealswamp.png 640w, https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/03\/sealswamp-300x151.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<div class=\"section post-body\">\n<h1>Honeypots are DEAD! Long live Honeypots.<\/h1>\n<p>OK, this is going to be a 4-part set of thoughts&#8230;.<\/p>\n<ul>\n<li>Honeypots are dead! Long live Honeypots (Part 1&#8230;Many Targets One Access Point)<\/li>\n<li>Honeypots are dead! Long live Honeypots (Part 2&#8230;Landed, Now What?)<\/li>\n<li>Honeypots are dead! Long live Honeypots (Part 3&#8230;The Future&#8217;s Just Changed)<\/li>\n<li>Honeypots are dead! Long live Honeypots (Part 4&#8230;The Crystal Ball)<\/li>\n<\/ul>\n<h2>Some overall thoughts:<\/h2>\n
<p>You can&#8217;t stop us from getting in. Simple truth, and debatable for as long as you like: for every instance you give us of a technology that is &#8220;meant to be a barrier&#8221; we will give you several ways past that illusionary roadblock.<\/p>\n<ul>\n<li>You put a firewall in place; we went past those in the 90s and never looked back.<\/li>\n<li>You put IDS\/IPS in place and we can bypass that.<\/li>\n<li>You use DLP, but you leave port 80 open for web traffic, or you don&#8217;t filter&#8230; we can exfiltrate anything.<\/li>\n<li>You have &#8220;deep packet inspection&#8221; but we&#8217;ve been bypassing that since 2012.<\/li>\n<li>You have patches&#8230;congratulations, we have 0Days.<\/li>\n<li>You have Antivirus&#8230;congratulations, it&#8217;s at best 3-7% effective and half the time it is disabled.<\/li>\n<li>You have endpoint protection, but logs are local and nobody reviews them.<\/li>\n<li>You have SIEM fully installed&#8230;and you have more alerts than a full team of minions can handle.<\/li>\n<li>You have IoT; we now have an entire landscape of attack vectors that are unmonitored.<\/li>\n<li>You have built-in encryption, but the computer is ON, which bypasses it.<\/li>\n<li>You WOULD have policies, procedures and controls IF you could all agree and not fight.<\/li>\n<\/ul>\n<p><strong><em>YOU have to be successful 100% of the time; we only have to get lucky once.<\/em><\/strong><br \/>\nThere are obviously a lot more facets to this argument, but overall this is a game of chess and you are missing your queen and your rooks.<br \/>\n
We will use the basic building blocks of an attack scenario that is well understood within the Information Security industry, as follows:<\/p>\n<ol>\n<li>Initial Reconnaissance (OSINT, SIGINT, HUMINT, Actual Threat Intelligence)<\/li>\n<li>Initial Compromise (HOW to get into you, what is the trigger?)<\/li>\n<li>Establish Footholds (Maintaining persistence)<\/li>\n<li>Escalate Privileges (All your ADMIN accounts belong to us)<\/li>\n<li>Additional Reconnaissance, where we will move laterally and continue to maintain presence<\/li>\n<li>Complete (Successful exfiltration of your data)<\/li>\n<\/ol>\n<p class=\"p1\"><span class=\"s1\">So, at this point we have set our stage, given the initial entry vectors and proved we can get TO that initial system; the next blog will go into the hows, wheres and whats&#8230;.and obviously what we CAN do to stop this never-ending cycle.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Hi, I&#8217;m the resident hacker. These are thoughts from that point of view. Early Honeypots were not much of a success. This was deception fail, call it Deception 1.0&#8230;It was a great idea, good science experiment, but ultimately didn&#8217;t stop much&#8230;and was not the honeypot that kept the likes of me out of your environment&#8230;.. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2014,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[87,91,108,109,130],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2013"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=2013"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2013\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/2014"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=2013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=2013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=2013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}