Trying to figure out the general attitude towards Deception/Honeypots as production level ready systems to glean information about attackers?

I'm personally convinced of the value they could bring when deployed appropriately and leveraged intelligently, i.e. used to answer specific questions about potential attackers and their methods.

What's your take?

#deception #threatintelligence #honeypots

@cstromblad High fidelity alerts and the best chance of early detection. Combined they're tremendous, say a fileshare with canary documents and/or passwords of canary tokens looking too good for the adversary to not use, and bam! you have 'em.
@martinboller exactly. I'm somewhat confused why more orgs aren't using them? But I guess this kind of fits the narrative that many orgs are still "stuck" in the preventive mindset, having not yet made the mental shift of going "assume breach" and by that focussing on detection capabilities.
@cstromblad You hit the nail on the head with the preventive mindset, methinks. Also many organizations do not have a defensible infrastructure nor any resemblance of architecture, so they don't really know where/what/when to do deception. While that is true for prevention as well, the product pushers have convincing marketing material and use Gartner's "pay-to-play" schemes to position themselves. </rant>😋

@cstromblad @martinboller I definitely believe that one of the biggest problems resides in orgs thinking they're not a target. With that said, something I think has a big impact on the decision making is having the actual infrastructure and capability to handle things like honeypots etc., because there's no use in deploying these active countermeasures if you don't have the resources, personnel or competence to know what to do with it.

I think Mikko Hyppönen sums it up pretty well in his latest book when asked why a company spends so much money on security. He responded with something in line with "well, your conference room looks really nice and tidy, maybe you can save some money by laying off all the janitors and cleaners".
Security is like that insurance you don’t want to pay for because your apartment has never had a water leak or you’ve never been in a car accident.

@cstromblad I’m a deception maximalist - so no argument there. But can you elaborate on the specific hypothesis approach you mentioned?

@singe the idea is very much the same as intelligence-led Threat Hunting. Hunting without a purpose is really nothing more than expecting to find evil because you want to.

Hypothesis driven hunting should translate equally well to Deception and Threat Intelligence. What question do you want answered? If you made an assumption about where initial access might occur, deception/Honeypots should ideally be placed close to these assumptions.

Hypothesis driven deception I guess you could say.

@cstromblad @singe
The term "Hypothesis driven deception" is awesome. The hypotheses are even supported by known TTPs, so they are (can be) data-driven hypotheses.

@martinboller @singe

That's what I'm thinking. Will be exploring the idea/concept with a few customers to see what to make of it. I'll report back when the time is ripe :-)

@cstromblad I guess orgs are following marketing trends and gimmicks and get too focused on expensive low-yield solutions such as awareness training (often not their own fault). Honeypots, FIDO auth etc. implemented correctly are solutions that can change an org's defense strategy, solving multiple headaches.

@cstromblad Externally, sure, your points make sense. But I believe the real win is when deploying tripwire tech internally for detection purposes. Massive potential.

@Magnus oh totally, I'm all for internal deployment. Externally it makes sense in certain cases if you have a strong case for eliminating FP and can do focused collection for very specific questions.

But the real value probably comes from deployment "inside" of a network. Question remains how it would play out in a zero trust network model...

@cstromblad @emmalbriant I personally love them. They are almost always actionable detections like:

* teach your admins that “lemme try to login” is not a great troubleshooting step for unidentified systems
* real baddies doing real baddie things
* scanners you didn’t know you had running internally. Who’s doing that, and why?

And they really help your security team get real experience with network segmentation. If baddies land on X can they reach my honeypot? It puts you into actionable learning mode so often.
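The three alert buckets in the post above (admin missteps, real intruders, scanners you did not know about), as an added triage example that is not part of the thread: it parses a constructed honeypot login log, enriches each source with a constructed inventory of known admin jump hosts and sanctioned scanners, and flags a source that sprays many usernames but is not a known scanner as the "who's doing that, and why?" case. The log format, IPs and inventory are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): one line per login attempt a honeypot saw.
HONEYPOT_LOG = """\
2024-05-01T09:12:03Z hp=hp-fileshare-01 src=10.10.5.23 user=jdoe proto=smb
2024-05-01T09:12:09Z hp=hp-fileshare-01 src=10.10.5.23 user=jdoe proto=smb
2024-05-01T11:40:51Z hp=hp-ssh-02 src=10.20.0.4 user=root proto=ssh
2024-05-01T11:40:52Z hp=hp-ssh-02 src=10.20.0.4 user=admin proto=ssh
2024-05-01T11:40:52Z hp=hp-ssh-02 src=10.20.0.4 user=test proto=ssh
2024-05-01T13:05:10Z hp=hp-ssh-02 src=10.30.7.15 user=root proto=ssh
2024-05-01T13:05:10Z hp=hp-ssh-02 src=10.30.7.15 user=oracle proto=ssh
2024-05-01T13:05:11Z hp=hp-ssh-02 src=10.30.7.15 user=pi proto=ssh
2024-05-02T02:17:44Z hp=hp-fileshare-01 src=10.10.9.77 user=svc_backup proto=smb
"""

# Constructed inventory (assumption); in practice this comes from the CMDB and scanner config.
KNOWN_ADMIN_SOURCES = {"10.10.5.23"}   # the admin team's jump host
KNOWN_SCANNER_SOURCES = {"10.20.0.4"}  # the sanctioned vulnerability scanner
SPRAY_THRESHOLD = 3                    # distinct usernames from one source => scanner-like

LINE_RE = re.compile(
    r"^(?P<ts>\S+) hp=(?P<hp>\S+) src=(?P<src>\S+) user=(?P<user>\S+) proto=(?P<proto>\S+)$"
)

def parse(log):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE_RE.match(line))]

def classify(src, users):
    """Nobody should touch a honeypot, so every source gets a bucket; only the routing differs."""
    if src in KNOWN_ADMIN_SOURCES:
        return "admin-misstep"      # teachable moment for the admin team
    if len(users) >= SPRAY_THRESHOLD:
        # Spraying usernames looks like a scanner; only a sanctioned one is expected.
        return "known-scanner" if src in KNOWN_SCANNER_SOURCES else "unknown-scanner"
    return "investigate"            # single quiet touch from an unknown host: real baddie until proven otherwise

def triage(log):
    """Map each source IP to (bucket, honeypots it touched, number of attempts)."""
    per_src = defaultdict(lambda: {"users": set(), "hps": set(), "n": 0})
    for e in parse(log):
        r = per_src[e["src"]]
        r["users"].add(e["user"]); r["hps"].add(e["hp"]); r["n"] += 1
    return {s: (classify(s, r["users"]), sorted(r["hps"]), r["n"]) for s, r in per_src.items()}

if __name__ == "__main__":
    for src, (bucket, hps, n) in triage(HONEYPOT_LOG).items():
        print(f"{src:<12} {bucket:<16} attempts={n} honeypots={','.join(hps)}")
```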