When talking about deception security, most infosec pros’ mind turns to honeypots and decoy systems – additional solutions that companies have to buy, deploy, and manage.
But there are other ways to use deception to thwart attackers, and they do not require additional tools, pricy subscriptions, or the hiring of additional employees.
Free and (nearly) effortless deception security
Dr. Pedram Hayati, a partner in IT security services firm Elttam who has been conducting research in the field of deceptive defense systems for years, has presented some at this year’s edition of BSides Ljubljana.
“Although deception technologies and techniques can be deployed along the entire attack chain, the attacker is most vulnerable to them in the reconnaissance stage,” he told the audience.
During his talk, Dr. Hayati demonstrated on a deceptive defence platform on Azure how a few simple configuration changes can significantly increase the cost of an attack.
He demonstrated two principles of deception security, imported from the real-world and generic enough that can be applied to any environment: the red herring (aka planting of false clues), and flooding the environment with fakes.
An attacker trying on a system will go through a lot of trial and errors, and he will be sending different payloads to the system, and the system will send back a lot of responses. Based on those responses, the attacker will change the direction for the ongoing attack, and the aim is misdirect him by offering false clues or no clues at all, Dr. Hayati noted in regards to the red herring principle.
He illustrated this by changing the configuration of a nginx web server to return random HTTP responses (200 successful, 401 unauthorized access, or 403 forbidden) when probed for particular URLs or subdomains.
The second principle involves generating a large number of fakes (open ports, services, etc.) and distributing them in different parts of the environment. The asset that the attacker is after is often rare, so making him sort through a lot of chaff to get at it can delay the progression of the attack considerably.
To show this principle in action, Dr. Hayati first ran a port scan against a test Azure host and showed that an attacker can complete it and discover network services on it in a matter of seconds. He then opened up the first 1024 ports on the test host, configured the firewall to redirect all 1024 ports to a single port on the host, and made it to respond with a null content. Then, he ran a second port scan and service discovery against the same host.
The host responded with a seemingly never-ending list of open ports and valid services to each probe. With this simple change, he increased the duration of the attacker’s service fingerprinting efforts by thirty times. “It would take an average 7 hours for an attacker to finish a basic port scan and service discovery on a single host with this setup,” he noted.
For the actual commands he used and configuration changes he made, you can check out his presentation slides.
Why you should definitely think about it
“Trivial changes from the defender’s side can lead to a massive increase of needed effort and time on the attacker’s side, without affecting usability in any sense,” he concluded, but also made sure to point out that such tweaks present just an additional security layer.
Nevertheless, deception is the most effective way to defend your assets in specific attack scenarios (e.g. the attacker has remote access to an internal host), he noted.
An attempt should be made to force attackers to spend more time and effort to figure out what is real and what is not, and make them repeatedly question whether they should proceed with the attack or not.
For the actual commands he used and configuration changes he made, check out his presentation slides.