Understanding your enemy is the first step to defeating them; a sentiment often touted by generals and commanders on the battlefield, but just as applicable to cybersecurity.
Comprehending how cybercriminals operate, the techniques they use and the weapons available to them enables organizations to better defend themselves. At the same time, this information affords them a more accurate picture of the threat landscape before them, ensuring they can prepare for the latest generation of attacks to come.
To acquire this information, organizations need to convince the enemy to reveal its hand by prompting them to attack something that appears to be of value but isn’t: a smoke and mirrors tactic.
A game of cat and mouse
When a new server appears on the internet, it’s usually only a few minutes before it’s probed to find out who the new kid on the block is. While some of this is carried out by security professionals at legitimate organizations, there are those on the darker side of the web looking at how the new server can be exploited.
The attackers will be looking at what applications the server hosts, have they been patched and whether there are any known vulnerabilities which can be exploited to gain access and control. All of this activity leaves a digital footprint that reveals the tools and techniques the attacker used. Setting up a purpose-built system to be attacked gives an organization the ability to capture this information about the attack, without actually being attacked. This is known as a ‘honeypot’ and is a key tactic in the cyber-defenders arsenal.
- Mimic the real thing
The key to a successful honeypot is to make it look like a legitimate system. It will need internal systems, with applications and file directories, linked to external elements such as a firewall, all of which create the effect of looking like an ‘organization’. There should also be ‘users’ and ‘traffic’ being simulated on the server so that someone scanning it from the outside believes that it’s real. However, those carrying out the probing/attacks are well aware of honeypots and will be on the lookout for tell-tale signs that give the system away as a fake. If this happens, they’ll back off quietly and you lose the advantage over them. As with any real system, it needs to be maintained; seeing a 3-year-old unpatched vulnerability in the operating system will raise some eyebrows. It’s a game of cat and mouse being played remotely across the globe.
- Deploy monitoring tools
The aim of a honeypot is to capture any successful intrusions, which take place in order to a build a picture of the approaches and techniques made by the attacker. This is best achieved by monitoring tools, which can analyze the attacker’s behavior. Any monitoring tools above and beyond what might be installed on a real system need to be covert, something often achieved by running a virtual machine. Monitoring tools should also monitor the system itself, to ensure the server is not commandeered and for example, starts sending spam attacks or acts as a command & control server. If this happens, it will need to be shut down immediately to prevent further damage.
- Use the intelligence gathered
Once the attack is over, you can conduct a digital forensics examination to work out where the attacks have come from and who might be the perpetrator/perpetrators. Assessing the aftermath will give clues as to what kind of attack it was, who carried it out, whether a well-known exploit was used or a new variant not seen before. Much of the information gathered then needs to find its way back to the business so that intelligence feeds for the current security systems can pick up future attacks. This could be IP addresses to block if they’re part of a botnet or command and control network, or a new virus signature or phishing scam.