
Javelin Networks: Give up on honeypots, because attackers will outsmart them

31 Jul 2017

It seems that hackers may no longer be attracted to the taste of honey, or honeypots, and instead pass straight by organisations’ attempts to defend their own networks.

New research from Javelin Networks suggests that cybersecurity platforms including honeypots, honey tokens and honey breadcrumbs are often used to detect attackers who have already infiltrated a network and are well on their way to finding privileged credentials or spreading through the domain environment.

Honey tokens, which are honeypots that are not computers, are easily studied and avoided by the average attacker. Javelin Networks says that simple validations can take minutes, allowing attackers to identify the honey objects and avoid the traps.

Those validations won’t trigger alarms and don’t require authentication or lateral movement, and can be carried out with Red Team tools such as Empire or BloodHound.

Javelin Networks COO Greg Fitzgerald says that attackers will always be able to detect the traps.

“The truth is that cyber attackers, even with minimal knowledge, will too easily detect distributed deception schemes, and shape their attacks to avoid the honey with even the slightest evidence that the deception is fake. The evidence is just too easy to find and this presents an opportunity to improve defenses, and Javelin is here to help,” he explains.

The company has provided a list of the seven common Active Directory-related honeypots that Red Teamers encounter. The company has also introduced its tool, Honeypot Buster, which can detect these traps.

1. Kerberoasting service account honey tokens. These trick attackers who scan for Domain Users with an assigned SPN (Service Principal Name) and the {adminCount = 1} LDAP attribute flag. Requesting a TGS for that user exposes the request as a Kerberoasting attempt.

2. Fake memory credential honey tokens. Creating a process with the ‘NetOnly’ flag results in a “cached fake login token”. Once the attacker tries to steal and use these credentials, he’ll be exposed.

3. Fake computer account honeypots. Creating many domain computer objects with no actual devices associated with them confuses any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects leads to exposure of the attacker.

4. Fake Credentials Manager credential breadcrumbs. Many deception techniques inject fake credentials into the “Credentials Manager”, where they are revealed by tools such as Mimikatz. Attackers might mistake them for authentic credentials and use them, although they aren’t real.

5. Fake domain admin account honey tokens. Several domain admins are created who have never been active and whose credentials should never be used, luring attackers into trying to brute-force their credentials. Once someone tries to authenticate as one of these users, an alarm is triggered and the attacker is revealed. This method is used by Microsoft ATA.

6. Fake mapped drive breadcrumbs. Many malicious automated scripts and worms spread via SMB shares, especially if they are mapped as a network drive. The tool will try to correlate some of the data collected to identify any mapped drive related to a specific honeypot server.

7. DNS record manipulation honeypots. One of the methods used by deception vendors to detect usage of fake endpoints is registering their DNS records to point at the honeypot server. By doing so they can point the attacker directly to their honeypot instead of actual endpoints.
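The defensive side of items 1, 3 and 5 is the alerting that fires when a honey account is touched. The following is an added example, not code from Javelin Networks or Microsoft ATA: it runs a small rule set over constructed Windows security events (4769 TGS requests, 4768/4771/4776 authentication attempts) and raises an alert whenever a request names a honey service account, a fake computer object or a dormant fake domain admin. The account names, IP addresses and event records are all hypothetical.

```python
"""Alert on any use of honey accounts (constructed example, not vendor code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical honey objects: a fake service account with an SPN (item 1),
# a fake computer object with no device behind it (item 3) and a dormant
# fake domain admin (item 5). None of them has a legitimate use, so any
# request that names one of them is worth an alert.
HONEY_SPN_ACCOUNTS = {"svc-backup-legacy"}
HONEY_COMPUTERS = {"fakehost01$"}
HONEY_ADMIN_ACCOUNTS = {"da-jsmith"}


@dataclass
class Alert:
    rule: str
    account: str
    source_ip: str
    event_id: int


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if one security event touches a honey object.

    4769 carries the account whose SPN was requested in ServiceName;
    4768/4771/4776 carry the account being authenticated in TargetUserName.
    """
    eid = event["EventID"]
    ip = event.get("IpAddress", "?")
    if eid == 4769:
        svc = event.get("ServiceName", "").lower()
        if svc in HONEY_SPN_ACCOUNTS:
            return Alert("honey_spn_tgs_request", svc, ip, eid)
        if svc in HONEY_COMPUTERS:
            return Alert("honey_computer_tgs_request", svc, ip, eid)
    elif eid in (4768, 4771, 4776):
        acct = event.get("TargetUserName", "").lower()
        if acct in HONEY_ADMIN_ACCOUNTS:
            return Alert("honey_admin_auth_attempt", acct, ip, eid)
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every event through the rules and keep the hits, in order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "sql-prod", "IpAddress": "10.0.1.20"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc-backup-legacy", "IpAddress": "10.0.1.20"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "FAKEHOST01$", "IpAddress": "10.0.1.20"},
    {"EventID": 4771, "TargetUserName": "da-jsmith", "IpAddress": "10.0.5.7"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.1.21"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the honey sets would be loaded from the deception platform's inventory and the events pulled from the domain controllers' Security logs; the matching logic stays the same.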
