{"id":2027,"date":"2016-12-22T18:18:41","date_gmt":"2016-12-23T02:18:41","guid":{"rendered":"https:\/\/new.acalvio.com\/?p=2027"},"modified":"2016-12-22T18:18:41","modified_gmt":"2016-12-23T02:18:41","slug":"honeypots-are-dead-long-live-honeypots-part3the-futures-just-changed","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2016\/12\/22\/honeypots-are-dead-long-live-honeypots-part3the-futures-just-changed\/","title":{"rendered":"Honeypots are dead! Long live Honeypots (Part 3... The Future's Just Changed)"},"content":{"rendered":"<div class=\"section post-body\">\nIn days gone past (and arguably in the current timeline we occupy) I would simply launch from the existing machine like an Olympic diver off the high board and go about my merry way for an \"industry average\" of 200 days or thereabouts before ANYONE even knows or detects my presence. That's 200 days of us, in your systems, harvesting data, reviewing files, modifying data sets, exfiltrating anything and everything we need. That's akin to having a team of security professionals doing a penetration test against your systems for over 6 months...<br \/>\nHowever the rules are about to change, and the future IS looking a lot bleaker for the attackers. The honeypot is back... with a vengeance and a whole slew of new tools it's about to unveil. 
No longer does the honeypot sit on your network looking like a beacon in the darkness, no longer does the honeypot come in one or two different flavors that an attacker knows by heart, no longer does the honeypot have too many open ports, or too few, or get set up with Windows 7 when your enterprise runs 8... The honeypots we now have are nasty, deceptive and are out for revenge.<br \/>\nThey are not really honeypots; those would be considered static, a simple vessel for holding something... The new tools have taken a leaf (or, in the case of Acalvio, borrowed a whole Dionaea muscipula) out of Mother Nature's rulebook and have gone to the SEALs' BUD\/S school.<br \/>\nThis new deceptive technology is the equivalent of electronic camouflage. From the outset, even before being introduced to the environment it WILL protect, it knows the industries it's working in. It understands the differences between healthcare and financial systems, it knows that a Windows 7 machine looks different from a Windows 8 system, and it knows that a developer machine looks like a more inviting target than a regular desk-bound office worker's. The deceptive system also knows that it takes a lot more than an open Telnet port to entice a nibble from the attacker; this is why it is able to deploy multiple types of lures scattered throughout the enterprise, from registry entries that mimic elevated user accounts, to files on shares, to folders on systems. It can deploy these in a manner that not only blends into your enterprise but also doesn't interfere with it. It also understands what good behavior is, as it's learning on the fly from your SIEM\/log systems.<br \/>\nThis technology that is protecting your environment knows and adapts its defenses based on a number of algorithmic formulas that are updated to reflect the ever-changing attack landscape. 
It understands that the currency of the attacker is data and that too much of it in the wrong place will cause the attacker to quietly remove themselves from the situation; however, with the right FTP server, PeopleSoft, Oracle or SAP instance the attacker can be led along a series of avenues that both mask the valuable data the corporation is trying to protect and allow enterprises or government entities to better understand the attack patterns of what is now simply an adversary trapped in a polymorphic maze.<br \/>\nNow, at this point any seasoned attacker (be they automated or human) has run sufficient checks against all their target systems to validate their configuration, their architecture and whether they are real, fake or possibly an elaborate emulation. This is where the art of deception has taken on a new life. Initial interactions with any of the lures (be they simple files, folders, FTP instances, all the way up to fully blown server instances) have been tuned to such an extent that any number of known validation checks will pass... even on the more complex systems.<br \/>\nTaking notes from Mother Nature and the last 100 years of camouflage research we can conclude that humans do not decode visual and technical information as efficiently as we think we do. A broken pattern, or a confusion of depth and flatness caused by illusory shadows, or just a subtle blending of information can make the visible invisible. 
This technique is applied to the electronic realm in a manner that allows those lures to appear \"real\" and pass all the validation checks, so our attacker continues along OUR chosen path.<br \/>\nIt is worth noting at this point that our attacker has already tripped several alarms within the enterprise: from the time they accessed the stored and cached credentials on their initially compromised PC (one of our lures), to checking the file server for industry-specific files (ours were blended into the report server output folder), through to the several FTP and Telnet sessions they opened. On top of that, the attacker is currently working their way through one of our full deceptions in full view of the enterprise security team.<br \/>\nThe one area we have to acknowledge is that deception and camouflage have two purposes:<\/p>\n<ol>\n<li>Hiding the real systems and data\n<ol>\n<li>Core\/key data stores<\/li>\n<li>Critical systems that can't be secured<\/li>\n<li>Edge systems in foreign countries<\/li>\n<li>Critical machines<\/li>\n<li>Applications<\/li>\n<\/ol>\n<\/li>\n<li>Showing the false systems and data.\n<ol>\n<li>Hosts<\/li>\n<li>Services<\/li>\n<li>etc.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In days gone past (and arguably in the current timeline we occupy) I would simply launch from the existing machine like an Olympic diver off the high board and go about my merry way for an \"industry average\" of 200 days or thereabouts before ANYONE even knows or detects my presence. 
That's 200 days of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[69,87,109],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2027"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=2027"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2027\/revisions"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=2027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=2027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=2027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
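The alarms the post describes (decoy cached credentials on the first compromised PC, industry-specific decoy files blended into the report server output folder, registry entries that mimic elevated-account storage, and decoy FTP and Telnet listeners) reduce to one detection rule: a planted decoy has no legitimate consumer, so any touch is an alert, and the order in which a host touches them reads as a kill chain. The routine below runs that rule over sample logs. It is an added illustrative example, not the post's or Acalvio's code; the key=value log format, the decoy names, hosts, paths and every log line are constructed for the demo.

```python
"""Honeytoken alerting over sample logs (added example; all decoys and logs constructed)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoys assumed to be planted in the environment. None has a legitimate use,
# so a match needs no baseline and no threshold tuning.
DECOYS = {
    "credential": {"svc_backup_admin", "sqladm_prod"},             # cached creds left on the patient-zero PC
    "file": {r"\\FS01\reports\Q3_financials_DRAFT.xlsx",            # blended into the report output folder
             r"\\FS01\reports\patient_export_2016.csv"},
    "registry": {r"HKLM\SOFTWARE\Corp\Deploy\AdminCreds"},         # key that mimics elevated-account storage
    "service": {("10.20.30.40", 21), ("10.20.30.41", 23)},         # decoy FTP and Telnet listeners
}

# Stage each decoy type implies when touched (rough ATT&CK-style labelling, an assumption).
STAGE_OF = {"credential": "credential-access", "file": "discovery",
            "registry": "discovery", "service": "lateral-movement"}

# Hypothetical key=value log format, e.g. 'ts=... src=WS-117 kind=logon user=jsmith'.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict (quoted values may contain spaces)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Alert:
    ts: str
    src: str
    stage: str
    decoy: str


def match_decoy(ev):
    """Return (decoy_type, decoy_id) if the event touches a planted decoy, else None."""
    kind = ev.get("kind")
    # A failed logon with a decoy credential still alerts: nobody legitimate knows that name.
    if kind == "logon" and ev.get("user") in DECOYS["credential"]:
        return "credential", ev["user"]
    if kind == "file_read" and ev.get("path") in DECOYS["file"]:
        return "file", ev["path"]
    if kind == "reg_query" and ev.get("key") in DECOYS["registry"]:
        return "registry", ev["key"]
    if kind == "net_conn" and (ev.get("dst"), int(ev.get("dport", 0))) in DECOYS["service"]:
        return "service", f'{ev["dst"]}:{ev["dport"]}'
    return None


def analyze(lines):
    """One Alert per decoy touch, in log order; benign events produce nothing."""
    alerts = []
    for line in lines:
        ev = parse(line)
        hit = match_decoy(ev)
        if hit:
            alerts.append(Alert(ev["ts"], ev["src"], STAGE_OF[hit[0]], hit[1]))
    return alerts


def stages_by_source(alerts):
    """Kill-chain view: the distinct stages each source host reached, in first-seen order."""
    chain = defaultdict(list)
    for a in alerts:
        if a.stage not in chain[a.src]:
            chain[a.src].append(a.stage)
    return dict(chain)


# Constructed sample: WS-117 is the compromised PC; WS-204 is a bystander doing normal work.
SAMPLE_LOGS = [
    r"ts=2016-12-20T09:14:02 src=WS-117 kind=logon user=jsmith result=ok",
    r"ts=2016-12-20T09:31:45 src=WS-117 kind=file_read path=\\FS01\reports\Q3_summary.pdf",
    r"ts=2016-12-20T10:02:11 src=WS-117 kind=logon user=svc_backup_admin result=fail",
    r"ts=2016-12-20T10:05:38 src=WS-117 kind=reg_query key=HKLM\SOFTWARE\Corp\Deploy\AdminCreds",
    r"ts=2016-12-20T10:09:50 src=WS-117 kind=file_read path=\\FS01\reports\Q3_financials_DRAFT.xlsx",
    r"ts=2016-12-20T10:15:07 src=WS-117 kind=net_conn dst=10.20.30.40 dport=21",
    r"ts=2016-12-20T10:15:40 src=WS-117 kind=net_conn dst=10.20.30.41 dport=23",
    r"ts=2016-12-20T10:20:00 src=WS-204 kind=net_conn dst=10.20.30.50 dport=443",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.src} {a.stage:<18} {a.decoy}")
    print(stages_by_source(found))
```

Two normal events from WS-117 and the bystander's HTTPS connection produce nothing, while the five decoy touches line up as credential-access, then discovery, then lateral-movement for the one host, which is the sequence the post narrates. The decoys only work if they look plausible (a credential name that fits the naming scheme, a file in the folder where such files really live), so planting them is a camouflage problem; detecting their use is the easy part.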