SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Javelin Networks: Give up on honeypots, because attackers will outsmart them
Mon, 31st Jul 2017

It seems that hackers may not be attracted to the taste of honey - or honeypots anymore, and instead pass straight by organisations' attempts to defend their own networks.

New research from Javelin Networks suggests that cybersecurity platforms including honeypots, honey tokens and honey breadcrumbs are often used to detect attackers who have already infiltrated a network and are well on their way to finding privileged credentials or spreading through the domain environment.

Honey tokens, which are honeypots that are not computers, are easily studied and avoided by the average attacker. Javelin Networks says that simple validations can take minutes, allowing attackers to identify objects and avoid traps.

Those validations won't trigger alarms and don't require authentication or lateral movement; they can be carried out with the help of Red Team tools such as Empire or BloodHound.

Javelin Networks COO Greg Fitzgerald says that attackers will always be able to detect the traps.

“The truth is that cyber attackers, even with minimal knowledge, will too easily detect distributed deception schemes, and shape their attacks to avoid the honey with even the slightest evidence that the deception is fake. The evidence is just too easy to find and this presents an opportunity to improve defenses, and Javelin is here to help,” he explains.

The company has provided a list of the seven common Active Directory-related honeypots that Red Teamers encounter. The company has also introduced its tool Honeypot Buster, which can detect these traps.

1. Kerberoasting service account honey tokens: these trick attackers into scanning for domain users that have an assigned SPN (Service Principal Name) and the {adminCount = 1} LDAP attribute set. Requesting a TGS for such a user exposes the request as a Kerberoasting attempt.

2. Fake memory credential honey tokens: creating a process with the ‘NetOnly' flag results in a cached fake logon token. Once the attacker tries to steal and use these credentials, he'll be exposed.

3. Fake computer account honeypots: creating many domain computer objects with no actual devices behind them confuses any attacker trying to study the network. Any attempt at lateral movement into these fake objects exposes the attacker.

4. Fake Credential Manager breadcrumbs: many deception techniques inject fake credentials into the Windows Credential Manager, where they will be revealed by tools such as Mimikatz. Attackers might mistake them for authentic credentials and use them although they aren't real.

5. Fake domain admin account honey tokens: several domain admin accounts are created that have never been active and whose credentials should never be used, luring attackers into trying to brute-force them. Once someone tries to authenticate as one of these users, an alarm is triggered and the attacker is revealed. This method is used by Microsoft ATA.

6. Fake mapped drive breadcrumbs: many malicious automated scripts and worms spread via SMB shares, especially when those shares are mapped as network drives. Honeypot Buster tries to correlate the data it has collected to identify any mapped drive that points at a honeypot server.

7. DNS record manipulation honeypots: one method deception vendors use to detect access to fake endpoints is registering the fake endpoints' DNS records so that they resolve to the honeypot server. That way they can point the attacker directly to their honeypot instead of actual endpoints.
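As an added defender-side example (not from the article or from Javelin Networks), here is a small Python detector for the signals behind items 1 and 5: a service-ticket request against a planted SPN honey account, and any authentication attempt against a decoy domain admin. The account names, the key=value log format and the sample lines are constructed for the example; the event IDs and the RC4 encryption-type value are real Windows Security log values.

```python
from dataclasses import dataclass
from typing import Optional

# Honey identities assumed to have been planted by the defender (constructed names).
HONEY_SPN_ACCOUNTS = {"svc-backup-honey"}   # item 1: Kerberoasting honey token
HONEY_ADMIN_ACCOUNTS = {"da-legacy-honey"}  # item 5: never-used decoy domain admin

# Real Windows Security event IDs: 4769 = TGS requested, 4768 = TGT requested,
# 4624 = logon succeeded, 4625 = logon failed.
TGS_REQUESTED = "4769"
AUTH_EVENTS = {"4768", "4624", "4625"}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC, a common Kerberoasting indicator

@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str       # account that requested the ticket or attempted the logon
    source_ip: str
    detail: str

def parse_event(line: str) -> dict:
    # Constructed "Key=Value Key=Value" format; values contain no spaces.
    return dict(token.split("=", 1) for token in line.split())

def evaluate(event: dict) -> Optional[Alert]:
    eid = event.get("EventID")
    actor = event.get("TargetUserName", "").lower()
    ip = event.get("IpAddress", "?")
    if eid == TGS_REQUESTED:
        service = event.get("ServiceName", "").lower()
        if service in HONEY_SPN_ACCOUNTS:
            etype = event.get("TicketEncryptionType", "?")
            detail = f"TGS requested for honey SPN account {service}, etype {etype}"
            if etype == RC4_HMAC:
                detail += " (RC4: consistent with Kerberoasting)"
            return Alert("honey-spn-tgs-request", actor, ip, detail)
    elif eid in AUTH_EVENTS and actor in HONEY_ADMIN_ACCOUNTS:
        # The decoy admin has no legitimate use, so any touch is an alert (cf. item 5).
        return Alert("honey-admin-auth-attempt", actor, ip, f"event {eid} against decoy admin")
    return None

def detect(lines) -> list:
    return [alert for alert in map(evaluate, map(parse_event, lines)) if alert]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=jsmith ServiceName=svc-sql-prod IpAddress=10.0.0.5 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=jsmith ServiceName=svc-backup-honey IpAddress=10.0.0.5 TicketEncryptionType=0x17",
    "EventID=4625 TargetUserName=da-legacy-honey IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=jsmith IpAddress=10.0.0.7",
]
```

The alert fires on the first touch of a decoy, but, as the article argues, that only helps if the decoy is plausible enough that an attacker touches it at all.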