Hi, I’m the resident hacker. These are thoughts from that point of view.
Early honeypots were not much of a success. This was a deception fail; call it Deception 1.0… It was a great idea, a good science experiment, but ultimately it didn’t stop much… and it was not the honeypot that kept the likes of me out of your environment. OK for a first try in the early days… not so great in the modern era.
Honeypots are DEAD! Long live Honeypots.
OK, this is going to be a 4-part set of thoughts….
- Honeypots are dead! Long live Honeypots (Part 1… Many Targets, One Access Point)
- Honeypots are dead! Long live Honeypots (Part 2… Landed, Now What?)
- Honeypots are dead! Long live Honeypots (Part 3… The Future’s Just Changed)
- Honeypots are dead! Long live Honeypots (Part 4… The Crystal Ball)
Some overall thoughts:
You can’t stop us from getting in. Simple truth, and debatable for as long as you like: for every instance you give us of a technology that is “meant to be a barrier”, we will give you several ways past that illusory roadblock.
- You put a firewall in place; we went past those in the 90s and never looked back.
- You put IDS/IPS in place and we can bypass that.
- You use DLP, but you leave port 80 open for web traffic, or you don’t filter… we can exfiltrate anything.
- You have “deep packet inspection” but we’ve been bypassing that since 2012.
- You have patches…congratulations we have 0Days.
- You have Antivirus…congratulations it’s at best 3-7% effective and half the time is disabled.
- You have endpoint protection, but logs are local and nobody reviews them.
- You have SIEM fully installed…and you have more alerts than a full team of minions can handle.
- You have IoT; we now have an entire landscape of attack vectors that are unmonitored.
- You have built-in encryption, but the computer is ON, which bypasses it.
- You WOULD have policies, procedures and controls IF you could all agree and not fight.
YOU have to be successful 100% of the time; we only have to get lucky once.
There are obviously a lot more facets to this argument, but overall this is a game of chess and you are missing your queen and your rooks.
We will use the basic building blocks of an attack scenario that is well understood within the information security industry, as follows:
- Initial Reconnaissance (OSINT, SIGINT, HUMINT, Actual Threat Intelligence)
- Initial Compromise (HOW to get into you, what is the trigger?)
- Establish Footholds (Maintaining persistence)
- Escalate Privileges (All your ADMIN accounts belong to us)
- Additional Reconnaissance (moving laterally while continuing to maintain presence)
- Complete (Successful exfiltration of your data)
So, at this point we have set our stage, given the initial entry vectors and proved we can get TO that initial system. The next blog will go into the hows, wheres and whats… and obviously what we CAN do to stop this never-ending cycle.