Organizations are prioritizing the security of user and machine identities, as well as identity infrastructure such as Microsoft Active Directory, as adversaries increasingly adopt identity-based techniques in their attacks. Today’s security teams rely on a range of different tools to keep up with this shift — and some of their strategies are more effective than others.
Deception technology has become one such tool. It aims to mislead and reveal adversaries by tempting them with fake resources in a business environment. Honeypots are the original form of deception technology: because no legitimate user or process has any reason to touch a honeypot, any interaction with it is suspect and the adversary is easy to spot.
On the surface, deception technology seems like an effective way for organizations to lure and deceive adversaries, protect their data and gain intelligence on potentially malicious activity. On closer inspection, however, there are serious weaknesses that security teams may not initially consider when relying solely on legacy deception technology as a form of defense.
The downside of deception technology
Deception technology relies on an adversary’s limited knowledge of the true target environment. These tools are developed based on the idea that adversaries are unaware of the full network topology and thus have to make decisions on where to go — and what to attack — with little understanding. Unfortunately for security teams, savvy adversaries can turn the tables on their victims and use this technology to their advantage.
According to our recent research, the average breakout time, the time an attacker needs to move laterally from the initially compromised host to another host in the victim's environment, is just 84 minutes. Adversaries who move that quickly are sophisticated and often know more about a network than most security professionals assume. An adversary who recognizes a decoy asset can deliberately trip it to generate spurious alerts and distract security teams while the real intrusion proceeds elsewhere.
Another limitation is the risk of lateral movement from a poorly designed decoy. In addition to standing up a system that looks legitimate enough to attract adversaries, companies also need to secure it, and a fully secured honeypot cannot be stood up overnight. It takes time and effort to work through the design complexities and ensure the decoy cannot serve as a launching point for intruders to reach other systems.
Finally, the costs of honeypots can add up. It’s expensive to build and maintain a separate network with fake computers and resources. Support costs can increase too, as deception technology still requires skilled staff to monitor and maintain it.
How to detect, divert, and disarm adversaries
Companies can instead lure adversaries by deliberately presenting them with accounts flagged as honeytokens, which alert the organization to a potential attack. A honeytoken is not a full system but a piece of legitimate data or a real account that is monitored so that any use of it, such as an authentication attempt from an unknown user or host, triggers an alert. Because no legitimate workflow ever uses the honeytoken, these alerts let security teams quickly identify an adversary's attack path and apply granular protection policies that block honeytoken account activity and lateral movement in real time.
Honeytokens offer legitimacy, security and ease of implementation compared to honeypots. Because honeytokens are legitimate data and accounts, adversaries are unlikely to recognize them as decoys and flood the team with spurious alerts; they continue with their activities, not knowing they have been identified and tracked. Teams already know that activity on a honeytoken is a real attack, so they can respond immediately instead of spending time confirming whether the alert is genuine. And because a honeytoken is a single account or data object, teams do not have to stand up entire systems, saving time and resources.
Honeytokens also give security teams tighter control. With policy support specific to these accounts, such as forcing multi-factor authentication or blocking the authentication outright, organizations can put strict controls on honeytoken accounts and sharply reduce the risk of an adversary using them to move laterally within the network.
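The detection logic described above, as an added illustration that is not CrowdStrike's code or product: a set of decoy account names is compared against authentication events, any match is raised as an alert, and alerts are grouped by source host to expose the attack path. The account names and event records are constructed for this example and modelled on the fields of Windows Security events 4624/4625 (logon success/failure), 4768 (Kerberos TGT request), 4771 (Kerberos pre-authentication failure) and 4776 (NTLM credential validation); the field names are simplified to a common shape rather than taken from any one event schema.

```python
"""Honeytoken account detection over Windows authentication events.

Added example, not CrowdStrike's code. A honeytoken is a real directory
account that no legitimate workflow ever uses, so any authentication event
naming it is a high-fidelity alert. Accounts and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy accounts (compared in normalized form, see below).
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}

# Authentication-related event IDs worth inspecting; anything else is ignored.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}


@dataclass(frozen=True)
class Alert:
    account: str      # normalized honeytoken name
    event_id: int
    source_host: str
    source_ip: str
    outcome: str      # "success" or "failure"


def normalize_account(name: str) -> str:
    """Reduce CORP\\Svc_Backup_Legacy, svc_backup_legacy@corp.local and
    SVC_BACKUP_LEGACY to one key so a single honeytoken matches every form."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def is_honeytoken(name: str, honeytokens=HONEYTOKEN_ACCOUNTS) -> bool:
    return normalize_account(name) in {normalize_account(h) for h in honeytokens}


def outcome(event: dict) -> str:
    """Success/failure from the event type or its Status code (0x0 = success)."""
    eid = event["EventID"]
    if eid == 4624:
        return "success"
    if eid in (4625, 4771):
        return "failure"
    return "success" if event.get("Status", "0x0") == "0x0" else "failure"


def detect(events, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Return one Alert per authentication event that touches a honeytoken."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        target = ev.get("TargetUserName", "")
        if not is_honeytoken(target, honeytokens):
            continue
        alerts.append(Alert(
            account=normalize_account(target),
            event_id=ev["EventID"],
            source_host=ev.get("WorkstationName", "?"),
            source_ip=ev.get("IpAddress", "?"),
            outcome=outcome(ev),
        ))
    return alerts


def attack_path(alerts):
    """Group alerts by source so analysts see which host probed which decoys."""
    by_source = defaultdict(list)
    for a in alerts:
        by_source[(a.source_host, a.source_ip)].append(
            f"{a.account}:{a.event_id}:{a.outcome}")
    return dict(by_source)


# Constructed sample events: one normal logon, then one host probing both decoys.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "CORP\\jdoe",
     "WorkstationName": "WS-007", "IpAddress": "10.1.4.9"},
    {"EventID": 4771, "TargetUserName": "svc_backup_legacy",            # bad password
     "WorkstationName": "WS-042", "IpAddress": "10.1.4.17", "Status": "0x18"},
    {"EventID": 4768, "TargetUserName": "svc_backup_legacy@corp.local",  # TGT issued
     "WorkstationName": "WS-042", "IpAddress": "10.1.4.17", "Status": "0x0"},
    {"EventID": 4776, "TargetUserName": "ADMIN_DR",                      # NTLM failed
     "WorkstationName": "WS-042", "IpAddress": "10.1.4.17", "Status": "0xC000006A"},
    {"EventID": 4688, "TargetUserName": "admin_dr",                      # not an auth event
     "WorkstationName": "WS-042", "IpAddress": "10.1.4.17"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(attack_path(found))
```

Two design points matter in practice. First, matching is done on the normalized account name so the same decoy is caught whether it appears as a down-level logon name, a UPN or a bare SAM account name; a honeytoken that only matches one spelling is easy to miss. Second, both successful and failed authentications are alerted on, since a password spray that merely touches the decoy is just as informative as a successful logon.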
Stay proactive against identity-based threats
Identity threat detection and response (ITDR) has become an essential part of defending against modern threats, and security teams can make it even more effective by adding honeytokens to a comprehensive identity protection strategy. This matters because the use of compromised credentials is difficult to detect, which lets adversaries bypass traditional security measures unnoticed.
Legacy deception technology has not proven itself an effective security solution for organizations. Instead, organizations should consider more comprehensive identity protection that delivers real-time detection, visibility and prevention against identity-based attacks. A risk-based identity protection solution that provides continuous visibility, integrates with Active Directory and multiple identity and access management (IAM) products, and uses honeytokens as a safer and more effective way to trap adversaries gives organizations a comprehensive level of monitoring and threat detection.
Kapil Raina, identity protection evangelist, CrowdStrike