frogboy

When talking about deception security, most infosec pros’ minds turn to honeypots and decoy systems – additional solutions that companies have to buy, deploy, and manage.

But there are other ways to use deception to thwart attackers, and they do not require additional tools, pricy subscriptions, or the hiring of additional employees.

Free and (nearly) effortless deception security
Dr. Pedram Hayati, a partner in IT security services firm Elttam who has been conducting research in the field of deceptive defense systems for years, presented some of them at this year’s edition of BSides Ljubljana.

“Although deception technologies and techniques can be deployed along the entire attack chain, the attacker is most vulnerable to them in the reconnaissance stage,” he told the audience.

During his talk, Dr. Hayati demonstrated on a deceptive defence platform on Azure how a few simple configuration changes can significantly increase the cost of an attack.

He demonstrated two principles of deception security, imported from the real world and generic enough to be applied to any environment: the red herring (aka planting of false clues), and flooding the environment with fakes.

An attacker trying on a system will go through a lot of trial and error, and he will be sending different payloads to the system, and the system will send back a lot of responses. Based on those responses, the attacker will change the direction of the ongoing attack, and the aim is to misdirect him by offering false clues or no clues at all, Dr. Hayati noted with regard to the red herring principle.

He illustrated this by changing the configuration of an nginx web server to return random HTTP responses (200 successful, 401 unauthorized access, or 403 forbidden) when probed for particular URLs or subdomains.

Full article: Deception security doesn't have to be onerous or expensive - Help Net Security
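
One way to get the red-herring behaviour described above in nginx, as an added example that is not the configuration shown in the talk or the article. The decoy paths, server name and log file name are constructed placeholders, and the use of `split_clients` keyed on `$request_id` is an assumption about how to implement the randomness.

```nginx
# Added example. Decoy paths, server name and log path are placeholders.
# split_clients goes inside the http {} block. $request_id needs nginx 1.11.0+.

# $request_id is 16 random bytes per request, so hashing it picks a bucket
# independently for every probe, even repeated probes from the same client.
split_clients "${request_id}" $decoy_status {
    33.3%   200;
    33.3%   401;
    *       403;
}

server {
    listen 80;
    server_name www.example.test;

    # Real content is served normally.
    location / {
        root /var/www/html;
    }

    # Paths that do not exist on this site; legitimate users never request them.
    location ~ ^/(admin|backup|old|staging)(/|$) {
        # Every hit here is a high-signal event, so keep it in its own log.
        access_log /var/log/nginx/decoy.log combined;

        # "return" takes a literal status code, so branch on the variable.
        if ($decoy_status = 401) { return 401; }
        if ($decoy_status = 403) { return 403; }
        return 200 "OK\n";
    }
}
```

Because the status no longer reflects whether a path exists, the responses stop guiding reconnaissance, while the separate decoy log gives defenders a low-noise list of clients worth alerting on.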