You cannot afford to be reactive when it comes to security. Instead of waiting until an attack occurs, you should assume that you are already at risk. Assume breach is a security principle that says you should act as if all your resources (applications, networks, identities and services, both internal and external) are insecure and have already been compromised, and you just don't know it yet.
You can find out by using deception technologies.
To expose cyberattackers, set up a trap
After a successful compromise, adversaries often begin in the dark, not knowing what systems they have access to, what they do, and how they are connected to other parts of an organization. Ross Bevington, principal security researcher at the Microsoft Threat Intelligence Center, said that adversaries are most likely to probe other services or systems during this recon phase.
This is where deception technology comes in. Honeypots (infrastructure that looks like a server or database but isn't running any live workload), honeytokens and other decoy objects are some examples. Bevington said that high-fidelity detection logic can be built by presenting systems or services that an attacker is interested in but that are not used in any business process.
He explained that deception technology works best when it’s difficult to tell the difference between a real and fake system.
Plus, you now know who the attacker is. Nobody has a legitimate reason to access these resources. It might be a new employee who needs training (also helpful to know), or it might be an attacker.
"You can use deception as intrusion detection, like a tripwire, or you can deliberately expose it (which Microsoft itself does) as a way of collecting threat intelligence on what adversaries may be doing pre-compromise," he said.
Bevington said that the goal of deception technology, regardless of its form, is to increase the cost of the attacker while reducing the cost of the defense.
Some deception techniques are more difficult than others. Bevington explained that many customers customize their lures, traps and decoys to suit the way they work.
Running additional infrastructure takes time and costs money. There is also the risk that the attacker notices the honeypot does not look legitimate: the security team that runs a honeypot may not know the real-life workloads as well as admins and operations do, and software engineering teams haven't had the tools to create these traps yet (even though they are more involved in security with the shift-left philosophy of DevOps).
Honeytokens are fake tokens that you place in your existing workloads under legitimate-looking names that match your real resources. They are inexpensive and easy to deploy, they can cover as many workloads as you need, and they require little maintenance. Bevington states that once they are set up they can be left for months to years without any additional effort. Tokens are being used more often as a low-cost, high-signal way to catch all types of adversaries.
The downside is that it is difficult to get a full understanding of an adversary’s motivations and personality when they trip a honeytoken. However, a honeypot provides security teams with more information about the attacker.
Bevington points out that the type of threat you are facing determines which honeypots you need. Honeypots can provide defenders with significant amounts of threat intelligence about who the attackers are and what they want to accomplish. However, honeypots cost more: they need CPU and RAM, whether they run on a physical computer or a virtual machine, and they require ongoing maintenance and attention. Many organizations do not need this additional information and may feel that tokens suffice.
Honeytokens made simple
Microsoft has used deception techniques for a long time because so many attackers attempt to access Microsoft services and customer accounts (this is part of what Microsoft calls its sensor network). Bevington stated that embedding technology such as honeypots or tokens into its internal security system has been a great benefit. Using this deception data, Microsoft analysts have been able to find new threats to Windows, Linux and IoT devices, such as attacks on an exposed Docker API server, the use of Weave Scope in attacks on containers, and the Mozi and Trickbot malware attacking IoT devices.
Once Microsoft discovers how attackers compromise infrastructure, it can add protections for those specific attacks to its Defender services. It also makes deception data available to researchers and has been looking for automated ways to process that data for detection.
With the new Microsoft Sentinel Deception – Honey Tokens solution, you don't need to be a security expert to use deception technologies. Sentinel's honeytoken preview for Azure Key Vault is designed to make deployment simpler so that anyone interested in the technology can deploy it quickly and securely.
It contains analytics rules to monitor honeytoken activity (including an attacker trying to turn that monitoring off), and workbooks for deploying honeytokens. There are also recommendations in Azure Security Center and ways to investigate honeytoken incidents. Honeytokens are named based on your keys and secrets, and you can use the same keyword prefixes that you use for real tokens.
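As an added illustration of the two kinds of monitoring described above (added here; not Microsoft's analytics rules and not code from the original article), the Python below runs two rules over a constructed, Key Vault-style audit log: any access to a decoy secret that shares a naming prefix with real ones, and any change to the audit settings by an identity outside an allowlist, escalating when the same caller does both. Secret names, operation names, callers and IP addresses are all invented for the sample.

```python
"""Honeytoken alerting over constructed Key Vault-style audit records (added example)."""
from typing import Dict, List

# Decoy secrets carry the same naming prefix as real ones so they blend in (assumed names).
HONEYTOKEN_NAMES = {"prod-db-replica-pw", "prod-db-backup-key"}
# Only these identities are expected to change diagnostic (audit) settings (assumed).
MONITORING_ADMINS = {"secops-automation"}
SECRET_OPS = {"SecretGet", "SecretSet", "SecretDelete"}
MONITORING_OPS = {"DiagnosticSettingDelete", "DiagnosticSettingUpdate"}

# Constructed sample log: a legitimate read, a decoy read, an attempt to disable
# auditing by the same caller, and a legitimate settings change by the admin identity.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2022-02-01T09:00:00Z", "op": "SecretGet", "name": "prod-db-primary-pw",
     "caller": "app-backend", "ip": "10.1.2.3"},
    {"time": "2022-02-01T09:05:13Z", "op": "SecretGet", "name": "prod-db-replica-pw",
     "caller": "app-backend", "ip": "203.0.113.9"},
    {"time": "2022-02-01T09:05:40Z", "op": "DiagnosticSettingDelete", "name": "kv-audit",
     "caller": "app-backend", "ip": "203.0.113.9"},
    {"time": "2022-02-01T10:00:00Z", "op": "DiagnosticSettingUpdate", "name": "kv-audit",
     "caller": "secops-automation", "ip": "10.9.9.9"},
]


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return alerts: every touch of a decoy secret, every monitoring change by a
    non-admin identity, and one escalated alert per caller that did both."""
    alerts: List[Dict[str, str]] = []
    tripped, tampered = set(), set()
    for e in events:
        if e["op"] in SECRET_OPS and e["name"] in HONEYTOKEN_NAMES:
            # No business process uses a decoy, so any access is a high-fidelity signal.
            alerts.append({"rule": "honeytoken_access", "severity": "high", **e})
            tripped.add(e["caller"])
        elif e["op"] in MONITORING_OPS and e["caller"] not in MONITORING_ADMINS:
            # Switching off the audit trail is how an intruder would hide the trip.
            alerts.append({"rule": "monitoring_tampering", "severity": "high", **e})
            tampered.add(e["caller"])
    for caller in sorted(tripped & tampered):
        alerts.append({"rule": "honeytoken_then_monitoring_off", "severity": "critical",
                       "caller": caller})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["caller"])
```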
Although it may seem counterintuitive to invite attackers into Azure Key Vault, you are really finding out whether your service has been properly secured with options like managed identities. Bevington said that honeytokens that appear to be access credentials or secrets are a significant reward for adversaries, because such credentials can be used to access sensitive data. It's important to have basic security hygiene processes and practices in place, like MFA and passwordless authentication, and to monitor any alerts for your honeytokens or other deception technologies closely.
Consider this an additional layer in your defenses. You can also test those defenses by simulating denial-of-service attacks on resources you have protected with Azure services, using tools such as Red Button or BreakingPoint Cloud. Red team tools let you explore your own systems: Stormspotter shows which resources in your Azure subscriptions are visible, so you can see what an attacker might see when they start looking around.
You can stay one step ahead by using what deception techniques teach you about attackers to protect your real assets.