The development trend of deception defense from the perspective of new honeypot technology

As attack and defense exercises become more practical and more routine, honeypots, a security technology well over a decade old, have been rejuvenated. Honeypot-based deception defense has become well known, and more and more security vendors are investing in it: as many as 36 mainstream vendors took part in the recent honeypot product capability evaluation organized by the China Academy of Information and Communications Technology (CAICT). Behind this popularity is the fact that honeypots fill a real gap in current network security defenses: a decoy has no legitimate users, so any interaction with it is a high-confidence signal that an attacker is already inside, whatever the perimeter controls missed. The normalization of attack and defense exercises is another of the biggest catalysts. In past exercises honeypots not only showed excellent trapping and tracing capabilities, but also proved their unique value in day-to-day security operations. That may be the real vitality of honeypots.

Drawing on research into honeypot technology, together with a survey of open source honeypot projects and commercial deception defense products, this article introduces the new techniques used in current honeypot products and, from there, looks at where deception defense is heading.

Environment simulation

Traditional honeypots usually provide "single-dimensional" simulation: a specific host, service or application environment. The latest honeypots need "multi-dimensional" simulation. On top of the earlier capabilities, the simulated environment's configuration and data are customized to match the user's real network or business environment, producing a trapping environment that resembles the real one closely enough to confuse an attacker. If a complete virtual environment is deployed in front of the user's real network, it can not only delay the attacker but also capture the attacker's methods and behaviour logic. Realism cuts both ways, though: a decoy that is obviously generic is fingerprinted and skipped, while a decoy cloned from real systems can leak what it copied, so the cloned configuration and data must be scrubbed of genuine credentials and personal data before deployment.

Environment simulation technologies mainly include software simulation (a process that emulates the protocol of a service), container simulation (a real service running in a container) and virtual machine simulation (a full guest operating system). Interaction depth and realism increase roughly in that order, and so do resource cost and the blast radius if the decoy is compromised, which is why high-interaction decoys need strict outbound filtering. The original article compares the simulation capabilities and supported simulation types of these technologies in two figures (not reproduced here).


Attack induction

The goal of attack induction is to actively lure an attacker who has already entered the network into a quagmire, so that a limited simulation environment still achieves a high hit rate. Common attack induction techniques include bait placement, traffic forwarding and virtual IP. In a typical attack and defense exercise these techniques let the defender seize the initiative.

Bait placement

Bait is false information of various kinds placed on the Internet or the corporate intranet for attackers to find. Much of it is deliberately tempting, so that an attacker who follows it quickly ends up inside the controlled environment.

By type and purpose, bait can be divided into log bait, certificate bait, account bait, e-mail bait, project code bait and so on. It carries information such as IP addresses, user accounts, service and application paths and password lists. An attacker who obtains the bait will generally follow the clues and try to penetrate the host, service or application it points to, and is thereby led into the trap. Two details matter in practice: every bait credential must be unique to its placement, so that a hit can be attributed to the host or file where the attacker found it, and bait must never be a real credential. The schematic diagram of bait placement is as follows (figure omitted):
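
As an added example (not part of the original article or any vendor's product), here is one way to make bait attributable: each bait file gets its own credential, and the honeypot's login events are matched back to the placement the attacker harvested. The honeypot address 10.10.8.21, the host paths and the cowrie-style JSON events in demo() are all constructed for the example.

```python
import json
import secrets
from dataclasses import dataclass

# Assumed (hypothetical) address of the honeypot that every bait points at.
HONEYPOT_IP = "10.10.8.21"


@dataclass(frozen=True)
class Bait:
    bait_id: str     # unique token, also woven into the credential
    kind: str        # "history" (shell history) or "config" (application config)
    placed_on: str   # host and path where the defender drops the file
    username: str
    password: str
    content: str     # what is actually written to disk


class BaitRegistry:
    """Creates bait whose credentials are unique per placement and maps a credential
    seen at the honeypot back to the placement the attacker took it from."""

    def __init__(self):
        self._by_cred = {}   # (username, password) -> Bait
        self._by_user = {}   # username -> Bait (attacker may retype the password)

    def make(self, kind, placed_on):
        bait_id = secrets.token_hex(4)
        user = f"svc_backup_{bait_id[:4]}"     # looks like a service account
        pw = f"Bk#{bait_id}"                   # random, never a real credential
        if kind == "history":
            content = (f"ssh {user}@{HONEYPOT_IP}\n"
                       f"mysql -h {HONEYPOT_IP} -u {user} -p'{pw}' crm_prod\n")
        elif kind == "config":
            content = json.dumps({"db_host": HONEYPOT_IP, "db_user": user,
                                  "db_pass": pw, "db_name": "crm_prod"}, indent=2)
        else:
            raise ValueError(f"unknown bait kind: {kind}")
        bait = Bait(bait_id, kind, placed_on, user, pw, content)
        self._by_cred[(user, pw)] = bait
        self._by_user[user] = bait
        return bait

    def attribute(self, username, password):
        """Exact credential first, then username alone (weaker evidence)."""
        return self._by_cred.get((username, password)) or self._by_user.get(username)


def attribute_events(registry, events):
    """events: honeypot login records as cowrie-style JSON lines (constructed format).
    Returns one alert per login that used a bait credential."""
    alerts = []
    for line in events:
        ev = json.loads(line)
        if not ev.get("eventid", "").startswith("cowrie.login"):
            continue
        bait = registry.attribute(ev.get("username"), ev.get("password"))
        if bait:
            exact = (ev.get("username"), ev.get("password")) == (bait.username, bait.password)
            alerts.append({"src_ip": ev["src_ip"], "bait_id": bait.bait_id, "kind": bait.kind,
                           "harvested_from": bait.placed_on, "exact": exact})
    return alerts


def demo():
    reg = BaitRegistry()
    h = reg.make("history", "app01:/home/deploy/.bash_history")
    c = reg.make("config", "web02:/var/www/html/config.json")
    # Constructed events: the history bait reused verbatim, the config password
    # retyped wrongly, and an unrelated brute-force attempt that must not match.
    events = [
        json.dumps({"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7",
                    "username": h.username, "password": h.password}),
        json.dumps({"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7",
                    "username": c.username, "password": "wrong"}),
        json.dumps({"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9",
                    "username": "root", "password": "123456"}),
        json.dumps({"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9"}),
    ]
    return attribute_events(reg, events)
```

The username-only fallback is deliberate: attackers often copy a credential by hand, and a correct bait username with a wrong password still tells you exactly which file they read.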


Traffic forwarding

Traffic forwarding proactively redirects attack traffic aimed at normal assets into the simulation environment. Common implementations are host forwarding and network forwarding.

1. Host forwarding: a probe (agent) is deployed on the host. It listens on network ports the customer does not use and presents them as real services; connection attempts to those ports, which no legitimate client has a reason to make, are forwarded to the simulation environment. The probe should pass the original source address along (for example with a PROXY protocol header, or by logging the connection tuple itself), otherwise every session in the honeypot appears to come from the probe host.

2. Network forwarding: based on threat clues, abnormal traffic is steered directly into the simulation environment by dynamically adjusting the policies of gateway devices (switches, firewalls or an SDN controller), typically a policy route or DNAT rule keyed on the suspicious source.

The traffic forwarding working diagram is as follows (figure omitted):
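
The host forwarding probe described in step 1, as an added example in Python rather than any product's probe: it listens on an unused port, relays each connection to the honeypot, and prefixes the stream with a PROXY protocol v1 header so the honeypot logs the attacker's address instead of the probe's. The stub honeypot and the FTP-like exchange in demo() are constructed for the example and run entirely on localhost.

```python
import socket
import threading


def proxy_header(client_addr, listen_addr):
    """PROXY protocol v1 line (HAProxy spec): tells the honeypot the attacker's
    real address, which would otherwise be hidden behind the probe host."""
    return (f"PROXY TCP4 {client_addr[0]} {listen_addr[0]} "
            f"{client_addr[1]} {listen_addr[1]}\r\n").encode()


def _pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then shut both sockets down."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


class HostProbe:
    """Listens on a port the host does not really use and relays anything
    that arrives there to the honeypot, recording every hit."""

    def __init__(self, honeypot_addr, listen_host="127.0.0.1", listen_port=0):
        self.honeypot_addr = honeypot_addr
        self.hits = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # port 0 means "pick a free one"

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def close(self):
        self.sock.close()

    def _accept_loop(self):
        while True:
            try:
                client, addr = self.sock.accept()
            except OSError:                      # listener closed
                return
            threading.Thread(target=self._relay, args=(client, addr), daemon=True).start()

    def _relay(self, client, addr):
        self.hits.append({"src_ip": addr[0], "src_port": addr[1], "probe_port": self.port})
        try:
            upstream = socket.create_connection(self.honeypot_addr, timeout=5)
        except OSError:
            client.close()
            return
        upstream.sendall(proxy_header(addr, self.sock.getsockname()))
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)                  # returns when the attacker hangs up
        client.close()
        upstream.close()


def demo():
    """Self-contained run on localhost: a stub honeypot that speaks a little FTP,
    the probe in front of it, and one 'attacker' connection. Returns what each side saw."""
    seen = {}
    hp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    hp.bind(("127.0.0.1", 0))
    hp.listen(1)

    def honeypot():
        conn, _ = hp.accept()
        f = conn.makefile("rb")
        seen["header"] = f.readline().decode().strip()   # PROXY line from the probe
        conn.sendall(b"220 ftp.internal ready\r\n")
        seen["command"] = f.readline().decode().strip()
        conn.sendall(b"331 password required\r\n")
        f.close()
        conn.close()

    t = threading.Thread(target=honeypot, daemon=True)
    t.start()
    probe = HostProbe(hp.getsockname())
    probe.start()
    attacker = socket.create_connection(("127.0.0.1", probe.port), timeout=5)
    af = attacker.makefile("rb")
    seen["banner"] = af.readline().decode().strip()
    attacker.sendall(b"USER anonymous\r\n")
    seen["reply"] = af.readline().decode().strip()
    af.close()
    attacker.close()
    t.join(5)
    probe.close()
    hp.close()
    seen["hits"] = list(probe.hits)
    seen["probe_port"] = probe.port
    return seen
```

In a real deployment the probe binds the unused ports on the production host's own address, and the honeypot must be configured to accept the PROXY header (most honeypots and reverse proxies support it); without that step every hit would be attributed to the probe host.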


Virtual IP

As the name suggests, virtual IP binds multiple IP addresses to a single host. By binding spare addresses of the real network to the honeypot trapping environment, virtual assets can be generated in batches, raising honeypot coverage and the probability that an attacker's scan lands on a honeypot. Technically this is nothing more than secondary addresses on an interface, or an ARP responder answering for unused addresses; the addresses should be spread through the real subnets rather than clustered in one obviously empty range, and their number kept proportionate, so that scan results do not look artificial.

The virtual IP working diagram is as follows (figure omitted):


Tracing and countermeasures

Traditional IP-based tracing gives very limited access to attacker identity information, so it is hard to trace and counter attackers in time. A honeypot system gives defenders the opportunity to counter. Through countermeasures preset in the honeypot it actively obtains information about the attacker's host or network, so as to locate the attacker's identity more accurately. In a typical attack and defense exercise the defender only needs to obtain a virtual identity (an online handle or account), and a good honeypot system can accomplish that. Note that the countermeasures described below act on the attacker's machine; whether that is permitted depends on the jurisdiction and on the rules of the exercise, so their scope must be agreed before they are enabled.

Commonly used tracing countermeasures include web countermeasures, scan countermeasures and honeytag file countermeasures.

Web countermeasures

When an attacker browses a website or web application, the browser downloads the page and its script files, parses and executes them locally, and renders the result. A countermeasure script embedded in an otherwise normal page is therefore downloaded and executed on the attacker's machine automatically when the page is visited, and it reports tracing information back to the defender. Web countermeasures are the most common countermeasure method. Typical information that can be obtained includes:

1. Characteristics of the attacker's host and browser: operating system type, time zone, screen resolution, browser fingerprint, browser type and version, language settings and so on. None of this identifies a person on its own, but it links visits from different IP addresses (for example through rotating proxies) to the same operator.

2. Personal information such as social media accounts and the mobile phone number used on the attacker's host, obtained through JSONP endpoints of third-party applications the attacker is logged into: the page loads those endpoints with script tags and the callback leaks the logged-in identity. Browsers that default cookies to SameSite=Lax no longer send the session cookie on such requests, so this technique is far less effective than it once was;

3. Scanning the attacker's local ports from the browser (for example by timing connection attempts to 127.0.0.1) to learn which local services are open, which can reveal the tools in use. Browsers refuse connections to a list of well-known ports and the results are timing based, so the picture is coarse.

The schematic diagram of web countermeasures is as follows (figure omitted):
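
An added example of the server side of a web countermeasure (not code from the article or any product): a decoy page carries a small fingerprint script, and the collector keeps what the browser reports apart from what the server itself observed, so a forged beacon cannot plant a false source address. The page content, the field whitelist and the beacon replayed in demo() are constructed; the JSONP and local-port techniques from points 2 and 3 are intentionally not implemented.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

# Script injected into the decoy page. It reports only what the browser itself exposes.
FINGERPRINT_JS = """
(function () {
  var d = {
    tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
    tzOffset: new Date().getTimezoneOffset(),
    screen: screen.width + "x" + screen.height + "x" + screen.colorDepth,
    platform: navigator.platform,
    lang: navigator.language,
    cores: navigator.hardwareConcurrency,
    touch: navigator.maxTouchPoints,
    ua: navigator.userAgent
  };
  navigator.sendBeacon("/b", JSON.stringify(d));
})();
"""
PAGE = ("<html><head><title>OA Portal</title></head><body><h1>Internal OA</h1>"
        "<form><input name=user><input name=pass type=password></form>"
        "<script>%s</script></body></html>" % FINGERPRINT_JS)

ALLOWED = {"tz", "tzOffset", "screen", "platform", "lang", "cores", "touch", "ua"}
RECORDS = []   # in-memory store for the example; a deployment would write to the SIEM


def normalize(src_ip, headers, beacon):
    """Keep only whitelisted, size-limited fields from the beacon, and keep the
    server-observed facts separate so attacker-controlled data cannot overwrite them."""
    rec = {"src_ip": src_ip,
           "hdr_ua": headers.get("User-Agent"),
           "hdr_lang": headers.get("Accept-Language")}
    for k in ALLOWED:
        v = beacon.get(k)
        if isinstance(v, (str, int, float)) and len(str(v)) <= 256:
            rec[k] = v
    # A script-reported UA that differs from the header UA suggests a rewriting proxy.
    rec["ua_mismatch"] = bool(rec.get("ua")) and rec["ua"] != rec["hdr_ua"]
    return rec


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):      # keep the example quiet
        pass

    def do_GET(self):
        body = PAGE.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/b":
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        try:
            beacon = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            beacon = {}
        if isinstance(beacon, dict):
            RECORDS.append(normalize(self.client_address[0], self.headers, beacon))
        self.send_response(204)
        self.end_headers()


def demo():
    """Serve the decoy page on localhost and replay one constructed beacon."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    page = urlopen(base + "/", timeout=5).read().decode()
    beacon = {"tz": "Asia/Shanghai", "tzOffset": -480, "screen": "1920x1080x24",
              "platform": "Win32", "lang": "zh-CN", "cores": 8, "touch": 0,
              "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
              "src_ip": "1.2.3.4"}   # attacker-controlled field: must be ignored
    req = Request(base + "/b", data=json.dumps(beacon).encode(), method="POST",
                  headers={"User-Agent": beacon["ua"], "Accept-Language": "zh-CN,zh;q=0.9"})
    urlopen(req, timeout=5).close()
    srv.shutdown()
    srv.server_close()
    return page, list(RECORDS)
```

The beacon is untrusted input from the attacker's browser, which is why the collector whitelists and bounds every field and never lets the beacon override the address it saw on the wire.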


Scan countermeasures

Attackers usually use scanners or attack tools. By exploiting weaknesses in the scanner or attack tool itself, above all in how it handles the responses of the object it is scanning, the attacker's identity information can be obtained while the attacker is still scanning or attempting an attack.

Countermeasure modules for specific services and scanning tools are preset in the simulation environment; when an attacker uses such a tool to scan or attack, the corresponding module is triggered and reads the attacker's device fingerprint and identity information. Some deception defense products already use scan countermeasures; the more common ones are the MySQL countermeasure, the SQLMap countermeasure and the AWVS countermeasure. The MySQL one is the best known and relies on a protocol feature rather than a bug: a rogue MySQL server answers the client's first query with a LOAD DATA LOCAL INFILE request naming a file, and a client that has local infile enabled sends that file's contents back, which is how shell histories, configuration files and keys are collected from the attacker's host. The tool-specific countermeasures depend on weaknesses in particular versions of those tools, so the modules must be kept current, and each module must first fingerprint the tool reliably or it will fire against the wrong target.

The schematic diagram of scan countermeasures is as follows (figure omitted):
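
Before any scan countermeasure module fires, the tool must be fingerprinted reliably. This added example (not from the article or any product) classifies honeypot HTTP requests by User-Agent, request headers and payload patterns, aggregates per source, and routes a source to a module only after repeated evidence. The log format, the sample lines and the module names cm_sqlmap and cm_awvs are constructed for the example.

```python
import re
from collections import defaultdict

# (tool, request field inspected, pattern). Patterns reflect well-known defaults of
# these tools; an attacker can change them, which is why evidence is aggregated below.
SIGNATURES = [
    ("sqlmap",   "ua",      re.compile(r"\bsqlmap/\d", re.I)),
    ("sqlmap",   "query",   re.compile(r"(?:UNION\s+ALL\s+SELECT|AND\s+\d+=\d+|SLEEP\(\d+\)|PG_SLEEP)", re.I)),
    ("acunetix", "ua",      re.compile(r"acunetix", re.I)),
    ("acunetix", "headers", re.compile(r"^acunetix-", re.I)),
    ("acunetix", "path",    re.compile(r"acunetix-wvs-test", re.I)),
    ("nmap",     "ua",      re.compile(r"Nmap Scripting Engine", re.I)),
    ("nikto",    "ua",      re.compile(r"\bnikto\b", re.I)),
]

# Which countermeasure module a tool is routed to (hypothetical names). Tools with no
# module (nmap, nikto) are still logged, just never countered.
MODULES = {"sqlmap": "cm_sqlmap", "acunetix": "cm_awvs"}


def fingerprint(req):
    """req: dict with src, method, path, query, ua, headers. Returns the set of tools matched."""
    hits = set()
    for tool, where, rx in SIGNATURES:
        if where == "headers":
            if any(rx.search(name) for name in req.get("headers", {})):
                hits.add(tool)
        elif rx.search(req.get(where) or ""):
            hits.add(tool)
    return hits


def parse_line(line):
    """Constructed honeypot access-log format: src|method|path|query|user-agent|h1=v1;h2=v2"""
    src, method, path, query, ua, hdrs = line.rstrip("\n").split("|", 5)
    headers = dict(h.split("=", 1) for h in hdrs.split(";") if h)
    return {"src": src, "method": method, "path": path, "query": query, "ua": ua, "headers": headers}


def route(lines, min_hits=2):
    """Aggregate tool evidence per source and decide which module to arm for it.
    A single matching request is not enough: one spoofed User-Agent from a bystander
    must not trigger a countermeasure."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        req = parse_line(line)
        for tool in fingerprint(req):
            counts[req["src"]][tool] += 1
    decisions = []
    for src, tools in counts.items():
        for tool, n in tools.items():
            if n >= min_hits and tool in MODULES:
                decisions.append({"src": src, "tool": tool, "module": MODULES[tool], "evidence": n})
    return sorted(decisions, key=lambda d: (d["src"], d["tool"]))


# Constructed sample log: an sqlmap run, an AWVS crawl, one nmap NSE probe and a
# bystander sending a single spoofed sqlmap User-Agent.
SAMPLE_LOG = [
    "198.51.100.5|GET|/login.php|id=1' AND 1=1-- -|sqlmap/1.7.2#stable (https://sqlmap.org)|Accept=*/*",
    "198.51.100.5|GET|/login.php|id=1 UNION ALL SELECT NULL,NULL-- -|sqlmap/1.7.2#stable (https://sqlmap.org)|Accept=*/*",
    "198.51.100.8|GET|/acunetix-wvs-test-for-some-inexistent-file||Mozilla/5.0 (Windows NT 10.0) Chrome/110|Acunetix-Aspect=enabled;Acunetix-Aspect-Queries=filelist",
    "198.51.100.8|GET|/|  |Mozilla/5.0 (Windows NT 10.0) Chrome/110|Acunetix-Aspect=enabled",
    "198.51.100.9|GET|/|  |Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)|",
    "203.0.113.4|GET|/|  |sqlmap/0.0|",
]
```

Signatures based on User-Agent alone are trivially evaded (sqlmap has a `--random-agent` option), so the payload and header signatures carry more weight in practice, and the threshold keeps a countermeasure from firing at a host that merely echoed a scanner's string.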


Honeytag countermeasures

Honeytag files use file types or names that attackers are interested in, such as password lists, network diagrams or source archives. Specific data and code are embedded in the file through code bundling and similar techniques, and scenarios are constructed that lure attackers into accessing and downloading them. When the attacker downloads and opens the honeytag file locally, the embedded code is triggered, and the characteristics of the attacking host and the attacker are recorded and sent back, achieving tracing and countermeasures. The lightest form is a file that merely calls home when it is opened (a document that references an external resource, for instance), which yields the file identity, the time and the source address; heavier forms execute code on the attacker's host and are subject to the same legal constraints as the other countermeasures.

The schematic diagram of honeytag countermeasures is as follows (figure omitted):


Using honeytag files to counterattack demands a strong security capability on the defender's side. Honeytag files must be created around the characteristics of the user's business environment, and placed where attackers are likely to look, such as file shares, internal wikis and the home directories of privileged accounts. Each file should carry its own token so that a callback identifies which placement was taken.
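
An added example of the lightest kind of honeytag file (not the article's or any vendor's implementation): a .docx whose attached-template relationship points at an external URL carrying a unique token, so that opening the file for editing in Word makes the attacker's host fetch the "template" from the collector. The collector base URL beacon.example.invalid and the placement registry are assumptions; no macro or executable code is embedded.

```python
import io
import secrets
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BEACON_BASE = "https://beacon.example.invalid/t/"   # hypothetical collector

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
XML_HDR = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

CONTENT_TYPES = XML_HDR + (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>')
ROOT_RELS = XML_HDR + (f'<Relationships xmlns="{PKG_REL}">'
                       f'<Relationship Id="rId1" Type="{R}/officeDocument" Target="word/document.xml"/>'
                       '</Relationships>')
DOC_RELS = XML_HDR + (f'<Relationships xmlns="{PKG_REL}">'
                      f'<Relationship Id="rId1" Type="{R}/settings" Target="settings.xml"/>'
                      '</Relationships>')
SETTINGS = XML_HDR + (f'<w:settings xmlns:w="{W}" xmlns:r="{R}">'
                      '<w:attachedTemplate r:id="rId1"/></w:settings>')
REQUIRED = {"[Content_Types].xml", "_rels/.rels", "word/document.xml",
            "word/_rels/document.xml.rels", "word/settings.xml", "word/_rels/settings.xml.rels"}


def _document(paragraphs):
    body = "".join(f'<w:p><w:r><w:t xml:space="preserve">{escape(p)}</w:t></w:r></w:p>'
                   for p in paragraphs)
    return XML_HDR + f'<w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>'


def build_honeytag_docx(paragraphs):
    """Return (token, docx_bytes). The document declares an attached template at an
    external URL; Word resolves it when the file is opened for editing, and that
    request is the callback. Nothing executes on the attacker's host."""
    token = secrets.token_urlsafe(12)
    target = f"{BEACON_BASE}{token}.dotx"
    settings_rels = XML_HDR + (
        f'<Relationships xmlns="{PKG_REL}">'
        f'<Relationship Id="rId1" Type="{R}/attachedTemplate" Target="{target}" TargetMode="External"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", _document(paragraphs))
        z.writestr("word/_rels/document.xml.rels", DOC_RELS)
        z.writestr("word/settings.xml", SETTINGS)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return token, buf.getvalue()


def validate_docx(docx_bytes):
    """Structural check a defender runs before placing the file: all parts present, well-formed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if z.testzip() is not None or not REQUIRED <= set(z.namelist()):
            return False
        for name in REQUIRED:
            ET.fromstring(z.read(name))      # raises on malformed XML
    return True


def beacon_target(docx_bytes):
    """Read back the external template URL embedded in a honeytag file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{PKG_REL}}}Relationship"):
        if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/attachedTemplate"):
            return rel.get("Target")
    return None


def resolve_callback(registry, request_path):
    """Map a hit on the collector (GET /t/<token>.dotx) back to the placement that was taken."""
    name = request_path.rsplit("/", 1)[-1]
    token = name[:-5] if name.endswith(".dotx") else name
    return registry.get(token)
```

The collector needs nothing more than a web server log: the token in the requested path identifies the placement, and the request's source address and time are the tracing data. Viewers that ignore attached templates (Protected View, most non-Word readers) produce no callback, so this form trades reach for being harmless and, in most contexts, unobjectionable.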

Prediction of future deception defense development

Attack and defense exercises have become routine and realistic. Although honeypots are seldom mentioned by name in exercise reports, they are everywhere in them. But this honeypot is no longer the old honeypot; the author prefers to call it "deception defense" or "simulation trapping" technology. The days of tracing an attacker with a single high-interaction honeypot are gone, and demand for a new generation of deception defense technologies and products that integrate with real computing environments will keep growing. Gartner, the IT research and consulting company, assesses deception technology as having a profound impact on existing security protection systems. In its Hype Cycle for Security Operations, 2020, Gartner placed "deception platforms" at the Peak of Inflated Expectations, rated the technology's maturity as "adolescent", and estimated that it will reach maturity and wide adoption in 5 to 10 years.


Based on this analysis of the evolution of honeypot technology, combined with the current development trend of the deception defense industry, the author believes the deception defense market and its products will show the following trends over the next few years.

Deception defense technology will be more widely used

As a category of active defense, deception defense has unique value in many fields. In threat monitoring, its low false positive rate makes it usable as a routine operations and maintenance monitoring tool, and it can be integrated into other security products as an engine or module that gives them trapping capability. In tracing, it provides accurate attribution through the countermeasures described above. At the same time, deception defense produces high-quality local threat intelligence (attacker addresses, credentials tried, tools used), which can be fed into the WAF, the firewall and other local controls to improve the active defense capability of the whole network. Because it plays a role in so many fields, deception defense is bound to be used more widely in the future.

Computing environment simulation integrating network mapping technology

Whether a trapping environment confuses attackers depends on how realistic it is. A crude simulation is quickly recognised and does little to delay the attacker. To improve realism, the user's network is surveyed by integrating network mapping (asset discovery) technology, and a trapping network similar to the real one is generated from the survey results; the attack induction strategy (which ports, baits and virtual IPs to use where) is optimised automatically from the same data, raising the probability of successful trapping. A trapping environment that is close to the real network, confuses attackers and actively induces attack behaviour will substantially improve threat trapping capability.

Industry and business simulation templates

Basic simulation capability and business simulation capability are loosely coupled: the product supplies the basic capability, and industry- and business-specific simulation content is managed and maintained as templates. Templates are generated by automatic system learning or through simple, intuitive interfaces for user customization, and can be shared between deployments. This greatly improves the flexibility and efficiency of business adaptation when deception defense products are deployed, improves the fit between products and industry businesses, and accelerates the adoption of deception defense products.

Tracing remains one of the key points in the future

Traditional tracing methods give very limited access to the attacker's identity and face difficulties such as imprecise positioning and hard evidence collection. Deception defense provides more accurate tracing methods that locate the attacker's identity more precisely, so tracing capability remains a key direction for deception defense products. As the attack and defense confrontation evolves, the countermeasures used must be iterated in step, and they must be customized to the user's business environment to work well. The investment cost is therefore relatively high, and the capability is mainly used by large and medium-sized enterprises and institutions and in scenarios with a strong need for tracing.

About Jiwo Technology

Beijing Jiwo Technology Co., Ltd. (www.decoyit.com) is an innovative technology company founded in Beijing that focuses on deception defense. Its core members have many years of management and R&D experience at leading domestic security companies, covering network security product design, development, and offensive and defensive security. The company has independently developed the "Open Intelligent Environment Simulation Deception Defense Solution" and the "Magic Mirror Intelligent Simulation and Trapping Defense System", and is committed to changing the asymmetry between network attack and defense by providing customers with deception defense products and services that strengthen their active defense capabilities.
