
Javelin Networks: Give up on honeypots, because attackers will outsmart them

31 Jul 2017

It seems hackers may no longer be drawn to the taste of honey - or honeypots - and instead walk straight past the decoys organisations plant to defend their own networks.

New research from Javelin Networks notes that deception platforms, including honeypots, honey tokens and honey breadcrumbs, are typically used to detect attackers who have already infiltrated a network and are well on their way to finding privileged credentials or spreading through the domain environment.

Honey tokens, which are honeypots that are not computers (decoy accounts, credentials and records rather than decoy machines), are easily studied and avoided by the average attacker. Javelin Networks says simple validations take minutes and allow attackers to identify the decoy objects and steer around the traps.

Those validations won't trigger alarms because they don't require authenticating to the decoys or moving laterally, and they can be carried out with Red Team tools such as Empire or BloodHound.

Javelin Networks COO Greg Fitzgerald says that attackers will always be able to detect the traps.

“The truth is that cyber attackers, even with minimal knowledge, will too easily detect distributed deception schemes, and shape their attacks to avoid the honey with even the slightest evidence that the deception is fake. The evidence is just too easy to find and this presents an opportunity to improve defenses, and Javelin is here to help,” he explains.

The company has provided a list of seven common Active Directory-related honeypots that Red Teamers encounter, and has also introduced its tool Honeypot Buster, which it says can detect these traps.

1. Kerberoasting service account honey tokens: these trick attackers into scanning for domain users that have an assigned SPN (Service Principal Name) together with the {adminCount = 1} LDAP attribute flag. Request a TGS for that account and you'll be exposed as a Kerberoasting attempt.

2. Fake in-memory credential honey tokens: creating a process with the 'NetOnly' logon flag (as runas /netonly does) leaves a cached fake logon session in memory. Once the attacker dumps these credentials and tries to use them, he is exposed.

3. Fake computer account honeypots: creating many domain computer objects with no actual devices behind them confuses any attacker trying to map the network. Any attempt at lateral movement into these fake objects exposes the attacker.

4. Fake Credential Manager credential breadcrumbs: many deception techniques inject fake credentials into Windows Credential Manager, where tools such as Mimikatz will reveal them. Attackers may mistake them for authentic credentials and try to use them, even though they are not real.

5. Fake domain admin account honey tokens: several domain admin accounts are created that have never been active and whose credentials should never be used, luring attackers into brute-forcing or otherwise authenticating as them. Once someone tries to authenticate as such a user, an alarm is triggered and the attacker is revealed. This is the method used by Microsoft ATA's honeytoken accounts.

6. Fake mapped drive breadcrumbs: many automated malicious scripts and worms spread via SMB shares, especially those mapped as network drives. Honeypot Buster tries to correlate the data it collects to identify any mapped drive that points at a honeypot server.

7. DNS record manipulation honeypots: one method deception vendors use to detect the use of fake endpoints is registering the fake endpoints' DNS records so that they resolve to the honeypot server. That way they can point the attacker straight at the honeypot instead of at real endpoints.
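The list above is the kind of "simple validation" the article says takes minutes. As an added example (this is not Javelin's code or Honeypot Buster, and the weights, threshold and sample data are assumptions), the Python below scores LDAP attribute dictionaries for the account-object tokens of items 1, 3 and 5 and checks DNS records for the shared honeypot target of item 7. The attribute names (adminCount, servicePrincipalName, lastLogonTimestamp, logonCount, pwdLastSet, whenCreated, operatingSystem, dNSHostName, memberOf) are real Active Directory schema attributes readable by any domain user; the objects and zone records are constructed so the code runs offline.

```python
"""Heuristic triage of AD objects for decoy ('honey token') signals.

Added illustration: not Javelin's Honeypot Buster. The attributes checked are
readable by any domain user over LDAP, i.e. without authenticating to the
decoy; the weights, thresholds and sample objects are the author's assumptions.
"""
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp and pwdLastSet as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC. 0 means "never set".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2017, 7, 31, tzinfo=timezone.utc)  # fixed clock for deterministic scores


def filetime_to_datetime(ft):
    """FILETIME integer -> aware datetime; 0 or None -> None (never set)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decoy_signals(obj, now=NOW):
    """Return [(weight, reason)] for an LDAP attribute dictionary."""
    signals = []
    created = obj.get("whenCreated")
    age_days = (now - created).days if created else 0
    never_used = (filetime_to_datetime(obj.get("lastLogonTimestamp")) is None
                  and obj.get("logonCount", 0) == 0)
    privileged = obj.get("adminCount") == 1 or bool(obj.get("servicePrincipalName"))
    if never_used and age_days > 30:  # items 1, 3 and 5: accounts nobody ever uses
        signals.append((2 if privileged else 1, f"no logon in {age_days} days since creation"))
    if obj.get("servicePrincipalName") and never_used:  # item 1: SPN bait
        signals.append((2, "SPN registered but the account never authenticated"))
    if obj.get("adminCount") == 1 and not obj.get("memberOf"):
        signals.append((1, "adminCount=1 but not a member of any group"))
    pwd_set = filetime_to_datetime(obj.get("pwdLastSet"))
    if created and pwd_set and abs((pwd_set - created).total_seconds()) < 300 and age_days > 365:
        signals.append((1, "password never changed since creation"))
    if obj.get("objectClass") == "computer":  # item 3: computer objects with no real device
        if not obj.get("operatingSystem"):
            signals.append((2, "computer object with no operatingSystem attribute"))
        if not obj.get("dNSHostName"):
            signals.append((1, "computer object with no dNSHostName"))
    return signals


def decoy_score(obj, now=NOW):
    return sum(w for w, _ in decoy_signals(obj, now))


def rank_decoys(objects, threshold=3, now=NOW):
    """(name, score) for objects at or above the assumed threshold, highest first."""
    scored = [(n, decoy_score(o, now)) for n, o in objects.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


def shared_target_hosts(dns_records, min_hosts=3):
    """Item 7: names whose A records collapse onto one address. Many endpoint
    names resolving to a single host suggests a honeypot server (or a
    legitimate load balancer, so treat it as a lead, not proof)."""
    by_ip = {}
    for host, ip in dns_records.items():
        by_ip.setdefault(ip, []).append(host)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample directory: three genuine objects and three decoys.
SAMPLE_OBJECTS = {
    "svc_sql": {"objectClass": "user", "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
                "whenCreated": datetime(2014, 3, 1, tzinfo=timezone.utc), "logonCount": 4212,
                "lastLogonTimestamp": _ft(2017, 7, 28), "pwdLastSet": _ft(2016, 11, 2), "adminCount": 0,
                "memberOf": ["CN=SQL Admins,OU=Groups,DC=corp,DC=example"]},
    "svc_backup": {"objectClass": "user", "servicePrincipalName": ["backup/fs01.corp.example"],  # item 1 decoy
                   "whenCreated": datetime(2016, 2, 10, tzinfo=timezone.utc), "logonCount": 0,
                   "lastLogonTimestamp": 0, "pwdLastSet": _ft(2016, 2, 10), "adminCount": 1, "memberOf": []},
    "jdoe_da": {"objectClass": "user", "whenCreated": datetime(2015, 6, 3, tzinfo=timezone.utc),
                "logonCount": 311, "lastLogonTimestamp": _ft(2017, 7, 30), "pwdLastSet": _ft(2017, 5, 1),
                "adminCount": 1, "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    "da_backup": {"objectClass": "user", "whenCreated": datetime(2016, 1, 15, tzinfo=timezone.utc),  # item 5 decoy
                  "logonCount": 0, "lastLogonTimestamp": 0, "pwdLastSet": _ft(2016, 1, 15),
                  "adminCount": 1, "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    "ws001": {"objectClass": "computer", "whenCreated": datetime(2016, 5, 20, tzinfo=timezone.utc),
              "logonCount": 902, "lastLogonTimestamp": _ft(2017, 7, 31), "pwdLastSet": _ft(2017, 7, 2),
              "operatingSystem": "Windows 10 Enterprise", "dNSHostName": "ws001.corp.example"},
    "ws042": {"objectClass": "computer", "whenCreated": datetime(2016, 11, 1, tzinfo=timezone.utc),  # item 3 decoy
              "logonCount": 0, "lastLogonTimestamp": 0, "pwdLastSet": _ft(2016, 11, 1)},
}
# Constructed zone: four decoy names all resolve to one honeypot address.
SAMPLE_DNS = {"ws001.corp.example": "10.0.1.11", "ws002.corp.example": "10.0.1.12",
              "fs01.corp.example": "10.0.2.5", "ws101.corp.example": "10.0.9.200",
              "ws102.corp.example": "10.0.9.200", "ws103.corp.example": "10.0.9.200",
              "sql-archive.corp.example": "10.0.9.200"}
```

Calling rank_decoys(SAMPLE_OBJECTS) shortlists svc_backup, ws042 and da_backup and leaves the three genuine objects at zero, and shared_target_hosts(SAMPLE_DNS) returns the four names parked on 10.0.9.200. Every value read here comes from an ordinary LDAP or DNS query, which is the article's point: the decoy is classified before anyone requests a TGS, authenticates, or touches the host, so none of the alarms in the list fire. Stale but genuine accounts and load-balanced names will also score, so treat the output as a review list rather than a verdict.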
