
Javelin Networks: Give up on honeypots, because attackers will outsmart them

31 Jul 2017

It seems that hackers are no longer attracted to the taste of honey, or of honeypots, and instead walk straight past organisations’ attempts to defend their own networks.

New research from Javelin Networks suggests that cybersecurity platforms including honeypots, honey tokens and honey breadcrumbs are often used to detect attackers who have already infiltrated a network and are well on their way to finding privileged credentials or spreading through the domain environment.

Honey tokens, which are honeypots that are not computers, are easily studied and avoided by the average attacker. Javelin Networks says that simple validations can take minutes, allowing attackers to identify objects and avoid traps.

Those validations won’t trigger alarms and require neither authentication nor lateral movement; they can be carried out with the help of Red Team tools such as Empire or BloodHound.

Javelin Networks COO Greg Fitzgerald says that attackers will always be able to detect the traps.

“The truth is that cyber attackers, even with minimal knowledge, will too easily detect distributed deception schemes, and shape their attacks to avoid the honey with even the slightest evidence that the deception is fake. The evidence is just too easy to find and this presents an opportunity to improve defenses, and Javelin is here to help,” he explains.

The company has provided a list of the seven common Active Directory-related honeypots that Red Teamers encounter. It has also introduced a tool, Honeypot Buster, which detects these traps.

1. Kerberoasting service account honey tokens trick attackers who scan for domain users that have an assigned SPN (Service Principal Name) and the {adminCount = 1} LDAP attribute flag set. Requesting a TGS for such a user exposes the request as a Kerberoasting attempt.

2. Fake in-memory credential honey tokens: creating a process with the ‘NetOnly’ flag results in a “cached fake login token”. Once the attacker tries to steal and use these credentials, he is exposed.

3. Fake computer account honeypots: creating many domain computer objects with no actual devices behind them confuses any attacker trying to study the network. Any attempt at lateral movement into these fake objects exposes the attacker.

4. Fake Credential Manager credential breadcrumbs: many deception techniques inject fake credentials into the Windows “Credential Manager”, where they are revealed by tools such as Mimikatz. Attackers might mistake them for authentic credentials and use them even though they aren’t real.

5. Fake domain admin account honey tokens: several domain admins are created who have never been active and whose credentials should never be used, luring attackers into brute-forcing them. Once someone tries to authenticate as such a user, an alarm is triggered and the attacker is revealed. This method is used by Microsoft ATA.

6. Fake mapped drive breadcrumbs: many malicious automated scripts and worms spread via SMB shares, especially when these are mapped as network drives. The tool will try to correlate some of the data it collects to identify any mapped drive that relates to a specific honeypot server.

7. DNS record manipulation honeypots: one method deception vendors use to detect the use of fake endpoints is registering those endpoints’ DNS records so that they point at the honeypot server. That way they can steer the attacker directly to their honeypot instead of to actual endpoints.
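As an added illustration of the defender's side of items 1 and 5 (this is example code, not code from the article or from Javelin Networks), the following Python detector runs over a few constructed, flattened Windows Security audit events and raises an alert whenever a decoy SPN service account or a never-used decoy domain admin is touched. The account names, client addresses and the key=value event format are all hypothetical.

```python
import re
from collections import Counter

# Constructed sample of Windows Security audit events (not real logs), flattened to
# key=value form. 4769 = Kerberos service ticket (TGS) request, 4768 = TGT request,
# 4625 = failed logon. Account names, hosts and addresses are hypothetical.
SAMPLE_EVENTS = [
    "EventID=4769 Account=jsmith@CORP.LOCAL ServiceName=svc-sql TicketEncryption=0x12 ClientAddress=10.0.0.21",
    "EventID=4769 Account=jsmith@CORP.LOCAL ServiceName=svc-backup-decoy TicketEncryption=0x17 ClientAddress=10.0.0.21",
    "EventID=4768 Account=da-decoy01 ClientAddress=10.0.0.77 Status=0x18",
    "EventID=4625 Account=da-decoy01 ClientAddress=10.0.0.77",
    "EventID=4768 Account=admin.real ClientAddress=10.0.0.5 Status=0x0",
]

# Decoy accounts that no legitimate user or service ever touches, so any hit is an alert.
HONEY_SPN_ACCOUNTS = {"svc-backup-decoy"}  # item 1: service-account honey tokens carrying an SPN
HONEY_ADMIN_ACCOUNTS = {"da-decoy01"}      # item 5: never-used domain admin honey tokens

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def detect(events, honey_spns=HONEY_SPN_ACCOUNTS, honey_admins=HONEY_ADMIN_ACCOUNTS):
    """Return one alert dict per event that touches a decoy account."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4769" and ev.get("ServiceName") in honey_spns:
            # A TGS request for a decoy SPN is the Kerberoasting attempt item 1 describes.
            # An RC4-HMAC (0x17) ticket is the classic Kerberoasting indicator, so it raises severity.
            alerts.append({"rule": "kerberoast_honeytoken", "account": ev["ServiceName"],
                           "requester": ev.get("Account"), "source": ev.get("ClientAddress"),
                           "severity": "high" if ev.get("TicketEncryption") == "0x17" else "medium"})
        elif eid in ("4768", "4625") and ev.get("Account") in honey_admins:
            # Any authentication attempt against a decoy admin is an alert (item 5);
            # Status 0x18 on a 4768 is a wrong-password pre-authentication failure.
            alerts.append({"rule": "honey_admin_auth", "account": ev["Account"],
                           "requester": ev["Account"], "source": ev.get("ClientAddress"),
                           "severity": "high"})
    return alerts


def sources_by_alert_count(alerts):
    """Rank client addresses by how many decoys they tripped, for triage."""
    return Counter(a["source"] for a in alerts).most_common()
```

Because decoy accounts have no legitimate use, the rule needs no baselining: a single hit is actionable, and `sources_by_alert_count` shows which host to look at first.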
