Deploying Deception in the Enterprise Network

globalresearchsyndicate by globalresearchsyndicate
May 21, 2020

The goal is to have a deception layer that blends into your current environment and adapts itself as the real network changes. Here’s how.

The concept of honey pots and deception in IT security has been around for about two decades. The idea is to place a fake asset in your network and then wait for attackers to interact with it. No one is supposed to know about this fake asset, so any access to it is a high-fidelity alert. This is a great idea in theory, but as the saying goes, the devil is in the details. In practice, several drawbacks made honey pot deployment not worth the effort. The main challenges:

  • Authenticity – how to make the honey pots believable and look like part of the real network,
  • Attractiveness – how to make them known and attractive to attackers, and
  • Scalability – how to scale the deployment and not have it interfere with your regular network.

Organizations can overcome these challenges and deploy an attractive and authentic deception layer as part of their corporate network. SANS’ Implementing Deception Technologies guide provides an overview of how deception technologies can significantly improve an organization’s ability to swiftly and accurately detect attackers while collecting sufficient threat intelligence and attack attribution information to improve response effectiveness.

The goal is to have a deception layer that blends into your current environment and adapts itself as the real network changes. For that, you first need to understand and identify your current environment. Based on your existing assets and network traffic, you can build advanced terrain maps that include a breakdown of the assets into subnets, operating systems, roles and services. Once you have this knowledge about your current environment, you can start to deploy the deception layer.

Step 1: Decoys

The decoys are fake assets that you create in the network. Based on your network profile, you deploy decoys that blend into your existing environment, such as workstation decoys on the user networks and server decoys on the server networks. For the relevant networks, you can also deploy IoT decoys for printers, routers, cameras, etc. To make each decoy authentic, it must mimic the real assets in the network. This includes the domain that it registers to, the services it publishes, the ports it has open, the file system it reveals, the network traffic it exposes and the network fingerprint.
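The terrain map and the decoy profiles derived from it can be illustrated as follows. This is an added example, not code from the original article or the SANS guide; the inventory, subnets, the "at least half of the hosts" service rule and the free-address choice are all assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample inventory (made-up hosts), e.g. exported from a CMDB or scanner.
ASSETS = [
    {"ip": "10.1.10.11", "os": "Windows 10", "role": "workstation", "services": ["smb", "rdp"]},
    {"ip": "10.1.10.12", "os": "Windows 10", "role": "workstation", "services": ["smb"]},
    {"ip": "10.1.10.13", "os": "Windows 10", "role": "workstation", "services": ["smb", "rdp"]},
    {"ip": "10.1.10.40", "os": "embedded", "role": "printer", "services": ["ipp"]},
    {"ip": "10.1.20.5", "os": "Ubuntu 18.04", "role": "server", "services": ["ssh", "http"]},
    {"ip": "10.1.20.6", "os": "Windows Server 2016", "role": "server", "services": ["smb", "rdp"]},
]
SUBNETS = ["10.1.10.0/24", "10.1.20.0/24"]  # assumed known from routing or IPAM data


def build_terrain(assets, subnets):
    """Terrain map: per subnet, how many hosts share each (os, role) and which services they run."""
    nets = [ip_network(s) for s in subnets]
    terrain = defaultdict(lambda: {"profiles": Counter(), "services": defaultdict(Counter), "used": set()})
    for a in assets:
        addr = ip_address(a["ip"])
        net = next((n for n in nets if addr in n), None)
        if net is None:
            continue  # host outside every known subnet: review it, do not model it
        entry, profile = terrain[str(net)], (a["os"], a["role"])
        entry["profiles"][profile] += 1
        entry["services"][profile].update(a["services"])
        entry["used"].add(addr)
    return terrain


def plan_decoys(terrain, per_subnet=2):
    """Mirror the most common profiles of each subnet; a decoy exposes the services
    seen on at least half of the real hosts with that profile."""
    plan = []
    for subnet, entry in sorted(terrain.items()):
        # Simplification: any address not seen in the inventory counts as free.
        free = (h for h in ip_network(subnet).hosts() if h not in entry["used"])
        for profile, count in entry["profiles"].most_common(per_subnet):
            services = sorted(s for s, n in entry["services"][profile].items() if 2 * n >= count)
            plan.append({"subnet": subnet, "ip": str(next(free)), "os": profile[0],
                         "role": profile[1], "services": services})
    return plan


if __name__ == "__main__":
    for decoy in plan_decoys(build_terrain(ASSETS, SUBNETS)):
        print(decoy)
```

In a real deployment the free addresses would come from IPAM or DHCP reservations rather than from gaps in the inventory.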

When deploying decoys, you will need to choose between different interaction levels. A low-interaction decoy is a very basic decoy that listens to traffic and does not interact with the attacker on the application level; it is basically a port listener. A high-interaction decoy (a.k.a. a RealOS Decoy) can be a full real physical or virtual machine that acts as a decoy server with all its actions monitored. Each of the two interaction levels has both advantages and disadvantages. The middle ground is an emulation-based decoy that acts as a server and emulates the decoy's different services. An emulated decoy can very easily control the ports that are open, the services running and the data the decoy holds. Our recommendation is to spread many emulated decoys around the network to mimic the different networks and add some RealOS Decoys at strategic points in the network. Depending on the organization, you can deploy hundreds or thousands of decoys inside the network, each with a different operating system and role.
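A low-interaction decoy of the port-listener kind described above, shown as an added example (not from the original article or any deception product). It accepts a connection, records the source and the first bytes sent, and never answers at the application level; the alert fields and the loopback address used for the demo are assumptions.

```python
import socket
from datetime import datetime, timezone


def open_decoy_port(host="127.0.0.1", port=0):
    """Bind a listening TCP socket; port 0 lets the OS pick a free port for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def capture_one(srv, timeout=2.0, max_bytes=256):
    """Accept one connection, record who connected and what they sent first, never reply."""
    srv.settimeout(timeout)
    conn, (src_ip, src_port) = srv.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            first = conn.recv(max_bytes)
        except socket.timeout:
            first = b""  # a client that connects and stays silent is still an alert
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "decoy_port": srv.getsockname()[1],
        "src_ip": src_ip,
        "src_port": src_port,
        "first_bytes": first.hex(),  # hex keeps binary probes loggable
        "severity": "high",          # nothing legitimate should connect to a decoy
    }


if __name__ == "__main__":
    srv = open_decoy_port()
    # Constructed local connection standing in for an unexpected client.
    with socket.create_connection(srv.getsockname()) as client:
        client.sendall(b"SSH-2.0-probe\r\n")
        print(capture_one(srv))
    srv.close()
```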

Step 2: Breadcrumbs

To make decoys look real and attractive, security teams deploy breadcrumbs, which are pieces of information placed on the real assets that lead the attacker to the decoys. When attackers are inside your network, they will look for the safest next hop based on the information they have. The breadcrumbs show usage of the decoy services by holding information and credentials for those services. Some examples are recent documents, configuration files, and credentials. Like the decoys, the breadcrumbs should blend into the environment and should be relevant to the asset and the applications running on it. Presenting SSH keys on a computer that does not have an SSH client installed makes the keys look suspicious and can give the attacker a red flag to not visit that SSH server.

Step 3: Network Deception

Another way to make the decoys attractive and authentic is to generate network deception. This includes different types of traffic that will lure the attacker towards the decoy. The decoys will publish themselves in different ways to make sure they appear in passive network scans that are run by an attacker. Decoys will also interact with the corporate servers, such as the DNS, DHCP or web server, to increase their authenticity. Network deception can catch attackers attempting to run man-in-the-middle attacks and intercept the traffic of victim assets. Advanced network deception can also include injecting the decoys into the ARP cache of the real assets. This can be done on the network level without interfering with regular user activity.

Step 4: Data Deception

One of the advantages of a flexible deception layer is the power to control the data in it. When deploying decoys, you can control the file system and the shared folders the decoys publish. You can control the authentication methods to the decoys and the credentials required to access the different services. You can also control the content of different services, such as the web server. Controlling the web server content allows security teams to create decoys that look like the corporate web servers, or specific IoT devices.

Another interesting part of data deception is integration with the Active Directory server. During the recon phase, advanced attackers will try to harvest the corporate AD server for any information on the environment. Creating a layer of deception on your Active Directory server can help prevent that by creating a fake user who appears to have high privileges, then registering the decoys and their services with the AD server as valid machines with SPNs. To complete the process, the decoys will periodically report login activity by the fake users throughout the day at random times. This ensures the fake entries on the AD server are constantly updated and look real.
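On the detection side, the fake user and decoy SPNs only pay off if the decoys' own scheduled logins are separated from everything else that touches them. The following added example (not from the original article) shows that triage over constructed, simplified events; the account name, SPN, decoy addresses and event field names are assumptions, while the event IDs are the standard Windows Security ones.

```python
from collections import Counter

# Assumed names: a fake privileged account, the SPN registered for a decoy, the decoys' own IPs.
HONEY_USERS = {"svc-backup-adm"}
DECOY_SPNS = {"mssqlsvc/fin-db07.corp.example:1433"}
DECOY_IPS = {"10.1.20.1", "10.1.20.2"}
# Windows Security event IDs: 4624 logon, 4625 failed logon, 4768 TGT request, 4769 service ticket.
AUTH_EVENTS = {4624, 4625, 4768, 4769}

# Constructed, simplified events (field names are illustrative, not the Windows event schema).
EVENTS = [
    {"time": "2020-05-21T09:02:11Z", "id": 4624, "user": "svc-backup-adm", "src": "10.1.20.1", "spn": ""},
    {"time": "2020-05-21T09:40:03Z", "id": 4624, "user": "alice", "src": "10.1.10.11", "spn": ""},
    {"time": "2020-05-21T11:17:45Z", "id": 4769, "user": "jsmith", "src": "10.1.10.12",
     "spn": "MSSQLSvc/fin-db07.corp.example:1433"},
    {"time": "2020-05-21T11:19:02Z", "id": 4625, "user": "SVC-BACKUP-ADM", "src": "10.1.10.12", "spn": ""},
    {"time": "2020-05-21T11:25:30Z", "id": 4768, "user": "svc-backup-adm", "src": "10.1.10.13", "spn": ""},
]


def triage(events):
    """Return alerts for any touch of the AD deception objects that the decoys did not generate."""
    alerts = []
    for e in events:
        if e["id"] not in AUTH_EVENTS:
            continue
        user, spn = e["user"].lower(), e["spn"].lower()
        if e["src"] in DECOY_IPS and user in HONEY_USERS:
            continue  # scheduled fake login reported by a decoy: keeps the AD entry fresh
        reasons = []
        if user in HONEY_USERS:
            reasons.append("honey account used from a non-decoy host")
        if spn in DECOY_SPNS:
            reasons.append("service ticket requested for a decoy SPN")
        if reasons:
            alerts.append({"time": e["time"], "src": e["src"], "user": e["user"], "reasons": reasons})
    return alerts


def hosts_to_investigate(alerts):
    """Count alerts per source address: the real assets the activity is coming from."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    print(hosts_to_investigate(triage(EVENTS)))
```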

To gain the maximum advantage from deception, your deception layer should be part of your network and not stand out. Since each organization has a different environment, it is important to properly identify your terrain and deploy the deception elements that are relevant to it. As your network changes, your deception layer should also adapt itself. Decoys and breadcrumbs should be constantly updated based on any changes to the real network. This includes updating the content of existing decoys, creating additional decoys in newly identified networks and removing decoys in networks that are no longer used. After such changes happen, it is also important to update the breadcrumbs and the network traffic accordingly.
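The adaptation step can be expressed as a reconciliation between what the refreshed terrain map calls for and what is currently deployed. This is an added example, not code from the original article; the decoy names, subnets, hosts and the data layout are constructed for illustration.

```python
# Constructed sample state; decoy names, subnets and hosts are made up.
DEPLOYED = {
    "ws-decoy-01": {"subnet": "10.1.10.0/24", "services": {"rdp", "smb"}},
    "srv-decoy-01": {"subnet": "10.1.20.0/24", "services": {"http", "ssh"}},
    "lab-decoy-01": {"subnet": "10.1.30.0/24", "services": {"ssh"}},  # lab network was retired
}
DESIRED = {  # what the refreshed terrain map calls for
    "ws-decoy-01": {"subnet": "10.1.10.0/24", "services": {"rdp", "smb"}},
    "srv-decoy-01": {"subnet": "10.1.20.0/24", "services": {"https", "ssh"}},  # real servers dropped http
    "dmz-decoy-01": {"subnet": "10.1.40.0/24", "services": {"https"}},  # newly identified network
}
BREADCRUMBS = [  # breadcrumbs currently planted on real assets
    {"host": "10.1.10.11", "decoy": "srv-decoy-01", "service": "http"},
    {"host": "10.1.10.12", "decoy": "lab-decoy-01", "service": "ssh"},
    {"host": "10.1.10.13", "decoy": "ws-decoy-01", "service": "smb"},
]


def reconcile(desired, deployed, breadcrumbs):
    """Work out the decoy and breadcrumb changes needed after the real network changed."""
    create = sorted(desired.keys() - deployed.keys())
    remove = sorted(deployed.keys() - desired.keys())
    update = sorted(d for d in desired.keys() & deployed.keys() if desired[d] != deployed[d])
    # A breadcrumb is stale if its decoy is going away or will no longer offer that service.
    stale = [b for b in breadcrumbs
             if b["decoy"] not in desired or b["service"] not in desired[b["decoy"]]["services"]]
    live = {b["decoy"] for b in breadcrumbs if b not in stale}
    # Decoys that no valid breadcrumb leads to need new breadcrumbs planted.
    unreferenced = sorted(d for d in desired if d not in live)
    return {"create": create, "remove": remove, "update": update,
            "stale_breadcrumbs": stale, "needs_breadcrumbs": unreferenced}


if __name__ == "__main__":
    for action, items in reconcile(DESIRED, DEPLOYED, BREADCRUMBS).items():
        print(action, items)
```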

Read the SANS implementing deception technologies guide to learn how to improve detection at every “layer,” and gain insight into active attacks in your environment.

Copyright © 2024 Globalresearchsyndicate.com
