Honeypots, Canaries, and Tripwires — Moving on from outdated deception tools

Imagine cyber security as a constant game of tit-for-tat between defenders and adversaries. Neither side can let the other get too far ahead. If you do, and fall behind in innovation, you risk losing the game.

Knowing this, it’s worrying that we’re still seeing sophisticated adversaries making short work of traditional deception tech like honeypots.

Let’s talk about that.

1. Digital Deception: The Basics

Digital deception encompasses a range of tools and tactics that defenders can leverage to create “enemy interference”. This is achieved by misinforming and misdirecting adversaries, provoking missteps, and collecting targeted counterintelligence. Under ideal circumstances, all of this is done covertly.

Deception tactics are critical. There aren’t many other ways for defenders to adopt a proactive security posture towards opponents, threats, and incoming attacks.

Properly deployed, deception-based security causes significant disruption to malicious campaigns. Adopted across entire systems, it makes it economically unviable for threat actors to attempt certain attacks in the first place.

Let’s look at the tools and methods traditionally used by defenders:

Honeypots & Canaries

Honeypots and canaries commonly refer to digital resources engineered to mimic real target assets. Either type can range from single files to entire systems. The one thing all honeypots and canaries have in common is that we want threat actors to find them, though we don’t want them to realise what they are.

Honeypots and canaries are designed to present adversaries with enticing points of attack — which explains the name “honeypot”. These devices work as both lure and trap at the same time. They can fulfil a number of purposes, depending on how they are deployed and the adversaries they are meant to lure. This includes:

• Informing defenders of attempted intrusions.
• Covertly collecting intelligence on attackers.
• Steering adversaries away from real targets, and potentially along contained rabbit holes.

Honeypots and canaries can hamper attacks or provide critical time and intelligence for security teams to respond. They can also help defenders better understand the attack vectors their adversaries are using, as they can be very different.

Tokens & Tripwires

Tokens and tripwires are generally more simple to set up and maintain than honeypots and canaries. These tools do not directly interfere with attacks. Instead, they are placed within actual target resources to provide definitive alerts for when breaches do occur — ideally without letting adversaries know that they’ve triggered them. They can also collect intelligence on attackers.

There are a few reasons defenders will deploy tokens and tripwires. For one, they are a cheap and simple security measure. Some organisations consider occasional breaches a fact of life, and so opt to place certain intelligence assets behind perimeter defenses. That way, they can at least collect definitive data for when breaches do occur.

Sometimes, attacks are not discovered for weeks and months after the fact. This creates additional damage for the victims. Tokens and tripwires can potentially help to avoid that, though they can’t do much to prevent or hamper incidents in the first place.

2. Shortcomings of Traditional Deception Tools

All deception tools have one thing in common — they are ineffective if they don’t actually deceive anyone. For experienced adversaries, it is worryingly easy to spot and avoid honeypots, canaries, tokens, and tripwires during their reconnaissance and attacks.

Every day, we observe adversaries deploy increasingly sophisticated methods to outwit security teams — at the same time, cheap data and toolsets lower the barrier of entry for complex attacks. Targeted campaigns against enterprises and organisations are increasingly viable and lucrative. In short, the threat landscape has been evolving. Deception technology has not.

While traditional deception tools can still capture low-level threats like automated bots and scanners, they do very little to discourage advanced adversaries, let alone interfere with their campaigns.

Ineffective deception can also create a new set of security risks. Adversaries can abuse obvious traps to send select misinformation back to defenders. Similarly, attackers can leverage security resources to move across defender infrastructure.

None of this is news to anybody, and threat actors have been happily exploiting the vulnerabilities associated with outdated deception methods.

3. The New Standard: Decoys

Let’s jump back to part one of this post — deception tactics are critical. Well-placed decoys provide some of the only means to proactively counteract advanced threats such as targeted attacks, insider compromise, and similar.

So, let’s see how we can improve traditional decoys:

Firstly, let’s make our decoys realistic. Rather than hosting simple dummy resources, we can create highly realistic environments and populate these with appropriate assets.

Then, let’s improve which assets we create decoys of and where we place them. Traditional honeypots are often made to look like high-value resources, sometimes with obvious vulnerabilities. Ironically, this is exactly what tells threat actors not to interact with them. Instead, we can create organic-looking decoy systems of “regular” assets, and place them amongst resources that are likely to be accessed during the reconnaissance phase before an attack.

Now we have another advantage — rather than creating enemy interference during an attack, we can now reliably collect intelligence before an attack is launched. This allows our security teams to suppress adversaries while they are setting up their campaigns, as well as evolving threats.

Next, we want to make sure that our decoys cannot be abused to move against us. We can achieve this by hosting our decoys in contained environments.

Lastly, we can significantly improve the intelligence capabilities of our decoys. We will do this by integrating the data they collect into an existing threat intelligence network. Now we can provide valuable contextual insights for defenders to take advantage of. Additionally, we can use our intelligence network to automatically evaluate the level of threat we are dealing with. That way, we only need to send alerts for high-priority threats, while silently tracking common bots and scanners caught by our traps. This declutters security feeds and allows defenders to move more effectively.

FIRCY’s Sense is the only cyber deception platform that does all of the above.