Deception Systems: An Innovative Honeyed Setup to Catch Adversaries

According to Attivo Networks, “Deception gives defenders the ability to learn about attackers in the same way attackers try to learn about their targets. Once an organization knows an attacker is in the network, it can observe the attacker’s behaviors and patterns. This background helps security teams better understand what attackers are after and the best way to respond.”

Deception: attackers take the decoy systems to be part of the organization, see their apparent vulnerabilities, and treat them as an opportunity to exploit

1. Reconnaissance for Better Decoys Placement

The objective of deception is to convince attackers that a phony (fake) system is the real one. This is accomplished by deploying various kinds of undetectable but exploitable fake systems, known as honeypots or decoys, that replicate the services attackers may be interested in. Before these services can be exposed to attackers, the business must first be investigated to determine what services it provides to its clients and which flaws are likely to attract the most attackers. Since the decoys emulate these services, selecting the decoys/honeypots that make up the deception system requires a thorough investigation. As part of the analysis, many cybersecurity factors are examined, such as the CIA triad, the value of the assets to the company, how attractive they are to hackers, the level of harm, the cost, and privacy concerns.

Information about the above-mentioned factors is obtained in a detailed reconnaissance phase and then compiled to identify the top services that could have a significant impact on the chosen firms. This whole process is done to make the deception system work better by deploying the right honeypots for the right audience (the hacker community). This lets organizations learn from the unknown attacks of threat actors and protect themselves.

2. Honeypots

A honeypot is a cybersecurity method that employs an artificial attack target to divert cybercriminals from genuine targets. Honeypots also collect intelligence about the identity, techniques, and goals of attackers. There are several varieties of honeypots that fulfill various functions. In my proposed strategy, I have employed three distinct honeypots: Dionaea, Cowrie, and Snare & Tanner as a web honeypot.

3. System Architecture

A controller forwards requests to the respective honeypots based on the results of the geotagging model, in order to catch more and more attackers.

Generally speaking, every system uses a firewall in which various rules are written, such as which requests must be allowed and which IP addresses must be blocked. In my proposed approach, the honeypots are deployed on a single machine called a “deception unit”, which is placed behind the firewall. Any incoming (or outgoing) traffic is therefore first received by the firewall and, based on the rule decision, forwarded to a certain location. Here, the controller works in coordination with the firewall and, based on that input, moves the request to a particular honeypot. Any activity performed inside the honeypots is recorded as logs on a centralized log server, with a separate malware repository used to store the malicious payloads dropped by the attackers. The term “geotagging” is used because the decisions at the firewall are made based on the origins of the attackers with the highest number of recorded activities in the honeypots. This is done to increase the number of attackers and, ultimately, the raw information about attacks.

4. Increasing Attackers

Obviously, the more attackers who attack the system, the more logs there are, and the more useful intelligence organizations have to make timely decisions and avoid future attacks. In this section, I focus on how we can increase attackers’ dwell time, making them stay longer in the system while they perform more and more malicious attempts. In my proposed approach, I have come up with a new idea: integrating a geotagging approach that works in coordination with uncovering attackers’ collaborative efforts and infers which decoy is most targeted by the hackers of a given country and at which hour of the day. This section is further divided into two subsections, discussed below.

4.1 Collaboration

When two or more attackers work hand in hand to launch an attack, it is called collaboration. In my proposed approach, I have different use cases for finding collaboration among threat actors. One of them is checking whether an attacker who performed no reconnaissance nevertheless succeeded, even though geotagging changes the decoys from time to time and creates confusion. In that case we can assert that some other attacker (attacker-2, perhaps the same person using a VPN or proxy) has shared intel with attacker-1, which is collaboration. The other use case concerns malicious payloads. Each dropped payload is saved under the name of its MD5 hash together with the attacker’s IP address. Attackers usually use custom-developed payloads unique to them, so if two or more attackers have dropped the same payload, that also indicates they are a single person or are working in coordination with each other.

Attacker’s collaboration
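As an added illustration (my example code, not the author's implementation), here is how the two collaboration heuristics above can be applied to constructed session and payload-drop records; the record fields, the documentation-range IPs and the payload bytes are all assumptions.

```python
# Added example (not the author's code): applies the post's two collaboration
# heuristics to constructed honeypot records. Field names are assumptions.
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    recon_events: int    # scans/banner grabs seen from this IP before its attempt
    success: bool        # attacker reached the decoy's "compromised" state
    decoy_rotated: bool  # geotagging had changed the decoys since this IP's last visit


@dataclass(frozen=True)
class PayloadDrop:
    src_ip: str
    md5: str             # file is stored in the malware repository under this name


def no_recon_success(sessions):
    """Use case 1: a successful attempt with zero reconnaissance, despite the
    decoys having been rotated, suggests another actor shared intel."""
    return sorted({s.src_ip for s in sessions
                   if s.success and s.recon_events == 0 and s.decoy_rotated})


def shared_payload_groups(drops):
    """Use case 2: the same MD5 dropped from different IPs links those IPs as
    one person (VPN/proxy) or as collaborators."""
    by_hash = defaultdict(set)
    for d in drops:
        by_hash[d.md5].add(d.src_ip)
    return {h: sorted(ips) for h, ips in by_hash.items() if len(ips) > 1}


def collaboration_report(sessions, drops):
    return {"no_recon_success": no_recon_success(sessions),
            "shared_payloads": shared_payload_groups(drops)}


# Constructed sample data: documentation-range IPs, hashes of made-up payloads.
PAYLOAD_A = hashlib.md5(b"constructed payload A").hexdigest()
PAYLOAD_B = hashlib.md5(b"constructed payload B").hexdigest()
SESSIONS = [
    Session("203.0.113.10", recon_events=12, success=True, decoy_rotated=True),
    Session("203.0.113.11", recon_events=0, success=True, decoy_rotated=True),
    Session("203.0.113.12", recon_events=0, success=False, decoy_rotated=True),
    Session("203.0.113.13", recon_events=0, success=True, decoy_rotated=False),
]
DROPS = [PayloadDrop("203.0.113.10", PAYLOAD_A),
         PayloadDrop("203.0.113.11", PAYLOAD_A),
         PayloadDrop("203.0.113.12", PAYLOAD_B)]
```

The payload heuristic is only as strong as the post's assumption that payloads are custom: widely shared tooling would produce the same hash across unrelated actors.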

4.2 Geotagging

Geotagging is the location-dependent appearance of the system. It changes the system’s appearance from time to time in order to attract more attackers, posing as if the system were unbreachable and they lacked the skills to take control of it. After the collaborative efforts among attackers have been identified, the model learns at what time these attackers will try to launch their next attack and what kind of assets they go after, based on their previous records. The model then automatically determines the best opening and closing times for the decoys, so that attacks become successful. It may seem that if the attack is allowed to succeed, attackers will think of the system as a trap, but this is not the case. Attackers first have to overcome the various hurdles that are set up to make the system look real, as if the system were vulnerable and the attacker’s efforts had paid off.

The output of the geotagging model
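The following added example (not the author's model or controller code) shows, over constructed log records, how a per-country schedule of the most-targeted decoy and its peak hour can be learned, and how the controller described in the System Architecture section could use that schedule to pick a honeypot for each request. The placeholder country codes, the hours, the one-hour window and the rotation rule are assumptions.

```python
# Added example (not the author's model/controller): learns a per-country
# geotagging schedule from constructed log records and routes requests with it.
from collections import Counter, defaultdict

HONEYPOTS = ["dionaea", "cowrie", "snare"]

# Constructed central-log records: (origin country, hour of day UTC, decoy hit).
# "XX" and "YY" are placeholder country codes, not real ones.
RECORDS = [
    ("XX", 2, "cowrie"), ("XX", 2, "cowrie"), ("XX", 3, "cowrie"),
    ("XX", 14, "dionaea"), ("YY", 9, "snare"), ("YY", 10, "snare"),
    ("YY", 10, "snare"), ("YY", 10, "dionaea"), ("YY", 22, "cowrie"),
]


def learn_schedule(records, window=1):
    """For each country, pick the most-targeted decoy and its peak hour, and
    keep that decoy open for +/- `window` hours around the peak.
    Returns {country: (decoy, set_of_open_hours)}."""
    per_country = defaultdict(list)
    for country, hour, decoy in records:
        per_country[country].append((hour, decoy))
    schedule = {}
    for country, hits in per_country.items():
        decoy, _ = Counter(d for _, d in hits).most_common(1)[0]
        peak, _ = Counter(h for h, d in hits if d == decoy).most_common(1)[0]
        open_hours = {(peak + delta) % 24 for delta in range(-window, window + 1)}
        schedule[country] = (decoy, open_hours)
    return schedule


def route(country, hour, schedule):
    """Controller decision taken together with the firewall: during the learned
    window, forward the request to the decoy this origin targets; outside it,
    present a different decoy so the visible layout keeps changing (the
    rotation rule below is an assumption, not the author's)."""
    if country in schedule:
        decoy, open_hours = schedule[country]
        if hour in open_hours:
            return decoy
        others = [h for h in HONEYPOTS if h != decoy]
        return others[hour % len(others)]
    return HONEYPOTS[hour % len(HONEYPOTS)]   # unknown origin: plain rotation
```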

5. Evaluation

This proposed system was run on a well-known organization’s public IP address. It remained online for several days, and the findings were absolutely astounding: the proposed system performed many times better than a simple system in which geotagging was disabled. The system successfully served its purpose, increasing the amount of actionable threat intelligence by catching the attention of a larger number of threat actors.

System Evaluation

In subsequent posts, I will discuss the implementation of the system and the analysis of the logs. I believe this post will help readers gain a new perspective on deceptive systems and spark new thoughts. Your feedback is greatly encouraged, as it will help me improve my writing and my thinking.

Azhar Ghafoor

Cybersecurity Researcher | Ethical Hacking | Data Analyst