
Protect your environment with deception and honeytokens



You can’t afford to be purely reactive about security any more. Instead of waiting until you notice an attack, assume that you are vulnerable and have already been attacked. “Assume breach” is a security principle that says you should act as if all your resources (applications, networks, identities and services, both internal and external) are insecure and already compromised, and you just don’t know it yet.

One way to find out is to use deception technology: decoy resources placed in strategic parts of your network, with extra monitoring, that you can lure attackers into touching, keeping them out of your real systems and making them visible when they poke around.

Set traps to expose cyber attackers

“Adversaries often start ‘in the dark’ after a successful compromise, unsure of exactly what systems they can gain access to, what they do, and how they are connected to other systems in different parts of an organization. During this reconnaissance phase, the adversary is more likely to reach or probe other services and systems,” Ross Bevington, principal security researcher at the Microsoft Threat Intelligence Center, told TechRepublic.

That’s where deception technology like honeypots (infrastructure that looks like a real server or database but doesn’t run a real workload), honeytokens (a decoy object planted in a real workload you’re running) and similar decoys come in. “Because these look interesting but are not actually used in any business process, high-fidelity detection logic can be built to alert the security team to suspicious activity,” says Bevington.

Deception technology works best when it is hard to tell, from the outside, the difference between a real system and a fake one, he explains.

Plus, now you know the attacker is there. Because there’s no legitimate reason to access those resources, anyone who tries is clearly unfamiliar with your system. It could be a new hire in need of training (which is also useful to know), but it could be an attacker.

You can use deception for intrusion detection, like a tripwire, or you can deliberately expose it (as Microsoft itself does) “… as a way of gathering threat intelligence about what the adversary might be doing pre-compromise,” he said.

Either way, the goal of deception technology is to significantly raise costs for attackers while lowering them for defenders, says Bevington.

Some deception techniques take more work. “Many customers take steps to customize lures, decoys and traps to the way they work,” Bevington tells us.

But running additional infrastructure takes time and costs money. You also have to make it look like a legitimate workload without copying any sensitive information into it, or the attacker will realize it’s fake. And the security team running a honeypot doesn’t always understand real-world workloads the way administrators and operations teams do, but so far software engineering teams haven’t had many tools to set these kinds of traps (although the devops “shift-left” philosophy means they’re more involved in security).


Enter honeytokens: fake tokens that you plant in your existing workload with a legitimate-looking name that matches your real resources. They’re cheap and easy to deploy, work across a variety of workloads, and they’re low-maintenance. Once set up, they can be left in place for months or years with no extra effort to maintain them, says Bevington. “Honeytokens are now being used more often as a low-cost, high-signal way of catching adversaries.”

The downside is that you don’t get a deep understanding of who the adversary is or what they’re trying to do when they trip a honeytoken; a honeypot gives the security team more information about the attacker.

Bevington points out that which one you need depends on your threat model. “Honeypots have the potential to provide defenders with a substantial amount of threat intelligence about who an attacker is and what they want to achieve, but at a higher cost, because honeypots require CPU and memory, need to be installed on a computer or virtual machine, and require constant attention to maintain.” Many organizations don’t need that additional information and may find honeytokens sufficient.


Honeytokens made easy

Microsoft has been using deception techniques for quite some time, because so many attackers try to get into Microsoft services and customer accounts (this is part of what Microsoft calls its “sensor network”). “We have seen tremendous value in embedding technology like honeytokens and honeypots into our internal security posture,” said Bevington. That deception data helped Microsoft analysts find new threats against Windows, Linux and IoT devices. Exposing an open Docker API server revealed attackers using the Weave Scope monitoring tool to break into containers, and other deception technologies have revealed how the Mozi botnet and Trickbot attack IoT devices.

After discovering the ways attackers compromise infrastructure, Microsoft can add protections against those specific attacks to its Defender services. It has also provided deception data to researchers who are looking to automate the processing of that data for detection.

But with the new Microsoft Sentinel Deception (Honey Tokens) solution, which plants fake keys and secrets in Azure Key Vault, you don’t need to be a security expert to run deception technology. “One of the goals of Sentinel and our recently released Azure Key Vault honeytoken preview is to reduce the complexity of deploying these solutions so that any organization interested in the technology can deploy it easily and securely,” said Bevington.

Screenshot of Azure Key Vault: one of these secrets is a honeytoken, but the attacker will be fooled. Image: Microsoft

It includes analytics rules for monitoring honeytoken activity (including an attacker trying to disable that monitoring) and a workbook for deploying honeytokens (along with recommendations in Azure Security Center) and investigating honeytoken incidents. Honeytokens are named after your existing keys and secrets, and you can use the same keyword prefixes you use for your real tokens.
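To make the two ideas above concrete, here is an added example (not Microsoft’s own Sentinel rule logic): decoy secret names are derived from real ones so they share the same prefix, and a small detector flags any read of a decoy, plus any attempt to delete the vault’s diagnostic settings that would switch off the audit trail. The log schema is an assumed, simplified shape loosely modelled on Key Vault audit events, and every record is a constructed sample.

```python
"""Honeytoken naming and detection (illustrative; assumed log schema)."""
import json

READ_OPS = {"SecretGet", "KeyGet", "CertificateGet"}
# Assumed operation name for removing diagnostic (audit) settings.
DISABLE_MONITORING_OP = "Microsoft.Insights/diagnosticSettings/delete"


def decoy_name(real_name: str, suffix: str = "backup") -> str:
    """Keep the real secret's prefix so the decoy blends in:
    'prod-sql-password' -> 'prod-sql-backup-password'."""
    parts = real_name.split("-")
    if len(parts) < 2:
        return f"{real_name}-{suffix}"
    return "-".join(parts[:-1] + [suffix, parts[-1]])


def secret_name(resource_id: str) -> str:
    """Extract the object name from a vault object URL such as
    https://<vault>.vault.azure.net/secrets/<name>/<version>."""
    segments = resource_id.rstrip("/").split("/")
    for kind in ("secrets", "keys", "certificates"):
        if kind in segments:
            return segments[segments.index(kind) + 1]
    return segments[-1]


def detect(events: list, decoys: set) -> list:
    """Return (alert_type, detail, caller_ip) for each suspicious event.
    Reads of real secrets are normal traffic and produce nothing."""
    alerts = []
    for ev in events:
        op, ip = ev["operationName"], ev.get("callerIpAddress", "?")
        if op in READ_OPS and secret_name(ev["id"]) in decoys:
            alerts.append(("honeytoken_access", secret_name(ev["id"]), ip))
        elif op == DISABLE_MONITORING_OP:
            alerts.append(("monitoring_disabled", ev["id"], ip))
    return alerts


SAMPLE_LOG = [  # constructed records, not real telemetry
    {"operationName": "SecretGet", "callerIpAddress": "10.0.0.5",
     "id": "https://contoso-kv.vault.azure.net/secrets/prod-sql-password"},
    {"operationName": "SecretGet", "callerIpAddress": "203.0.113.7",
     "id": "https://contoso-kv.vault.azure.net/secrets/prod-sql-backup-password"},
    {"operationName": DISABLE_MONITORING_OP, "callerIpAddress": "203.0.113.7",
     "id": "/subscriptions/sub-0/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/contoso-kv"},
]

if __name__ == "__main__":
    decoys = {decoy_name("prod-sql-password")}
    print(json.dumps(detect(SAMPLE_LOG, decoys), indent=1))
```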

Screenshot of Azure Security Center, which will suggest where you can best deploy honeytokens. Image: Microsoft

Effectively inviting attackers into a vital service like Azure Key Vault might seem a bit counter-intuitive, but really you’re just finding out whether you’ve secured the service correctly using options like managed identities. With honeytokens masquerading as secrets and access credentials, “the keys are such a significant prize for the adversary that they may spend considerable resources trying to gain access to them,” Bevington pointed out. It’s important to apply basic security hygiene practices and procedures such as MFA and passwordless authentication, and to make sure you closely monitor any alerts about your honeytokens or other deception tools.

Think of this as another layer of your defense. Besides tricking real attackers into looking for fake resources, you can also see what a real attack would look like, for example by simulating denial-of-service attacks on the resources you protect with Azure services, using tools such as Red Button or BreakingPoint Cloud. Exploring your own system with red team tools like Stormspotter tells you which resources in your Azure subscription are exposed, so you know what an attacker will see when they start looking around.

Using what you learn about how attackers behave against deception techniques to protect your real resources can keep you one step ahead.
