
HUNT : USING HONEYTOKENS TO UNDERSTAND AND INFLUENCE THE EXECUTION OF AN ATTACK

Author(s): Cristian Săndescu, Razvan RUGHINIS, Octavian GRIGORESCU
Subject(s): Social Sciences, Education
Published by: Carol I National Defence University Publishing House
Keywords: honeypot; honeytokens; APT; incident response; intrusion detection; web application attacks.

Summary/Abstract: Worldwide data infrastructure has grown in size and complexity over the last ten years, driven by consolidation, centralization and virtualization. Being able to discriminate quickly between large-scale non-directional attacks and targeted APTs (advanced persistent threats), or between script kiddies and experienced hackers, is key to protecting critical IT infrastructures. The first case can be handled by existing solutions; the latter raises significant challenges. Honeytokens and honeypots provide a highly efficient form of intrusion detection: traps are set for attackers by deliberately placing enticing resources within existing environments, resources that no legitimate user has reason to touch, so that any interaction with them is a strong signal of intrusion. Previous research has used honeypots to understand hacking TTPs (tactics, techniques and procedures) and to generate more realistic honeytokens. In this paper we build on those results to quickly categorize attacks, map the attacker persona and focus on targeted attacks. We influence the execution flow by trapping attackers in a maze with three purposes. The first is to distract them from the real data and understand their motivation, by placing low-hanging fruit in their path. The second is to get to know the attackers, gather forensic evidence and use this information to adapt incident response. The last is the most difficult: to remove the threat entirely by revealing the attackers' identity, getting in contact, handing them over to law enforcement agencies, or deterring them. We deploy a series of interconnected honeytokens working together as a whole. Each honeytoken has an exploitation difficulty, in order to map out the attacker's skills, and leads to the next honeytoken, thus forming a realistic hacking scenario. We also analyse the possibility of deploying dynamic traps based on how the attack develops in real time.
From a technical perspective we propose a zero-touch approach for existing environments, deploying the honeytokens as a cloud service with minimal overhead for the customer.
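The chained-honeytoken idea in the abstract (each trap has a difficulty level and leads to the next, and the sequence of traps an actor touches is used to estimate skill and intent) can be sketched in code. The following is an added example written for this page, not code from the paper or its authors. Token kinds, difficulty values, the "targeted" versus "opportunistic" rule, the actor identifiers and the access timestamps are all assumptions constructed for illustration; the bait values are random so that any appearance of one in real traffic is attributable to the trap that carried it.

```python
"""Honeytoken maze: a chain of traps with graded difficulty (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Honeytoken:
    token_id: str
    kind: str                       # hypothetical kinds: "credential", "api_key", "admin_url"
    difficulty: int                 # 1 (trivial to find) .. 5 (needs real skill to reach/use)
    value: str                      # the bait itself; unique, so any use is attributable
    next_id: Optional[str] = None   # the trap this bait "leads" to (None ends the maze)


def make_token(token_id: str, kind: str, difficulty: int,
               next_id: Optional[str] = None) -> Honeytoken:
    # Random bait: a request carrying this string can only come from someone
    # who found the trap, so there is no legitimate-use false positive.
    return Honeytoken(token_id, kind, difficulty,
                      value=f"ht-{token_id}-{secrets.token_hex(8)}", next_id=next_id)


@dataclass
class Access:
    actor: str      # source IP / session key (hypothetical identifier)
    token_id: str
    ts: int         # seconds; the constructed sample data uses small integers


class HoneytokenMaze:
    def __init__(self, chain: list[Honeytoken]):
        self.tokens = {t.token_id: t for t in chain}
        self.order = [t.token_id for t in chain]          # intended path through the maze
        self.by_value = {t.value: t.token_id for t in chain}
        self.accesses: list[Access] = []

    def lookup(self, value: str) -> Optional[str]:
        """Map a bait value seen in traffic back to the trap that carried it."""
        return self.by_value.get(value)

    def record(self, actor: str, token_id: str, ts: int) -> None:
        if token_id not in self.tokens:
            raise KeyError(token_id)
        self.accesses.append(Access(actor, token_id, ts))

    def profile(self, actor: str) -> dict:
        """Estimate skill (deepest trap reached) and intent (did they follow the chain?)."""
        hits = sorted((a for a in self.accesses if a.actor == actor), key=lambda a: a.ts)
        reached = {a.token_id for a in hits}
        max_diff = max((self.tokens[t].difficulty for t in reached), default=0)
        # depth: consecutive traps reached from the start of the intended path
        depth = 0
        for tid in self.order:
            if tid not in reached:
                break
            depth += 1
        # followed_chain: each newly reached trap is the next_id of the previous one,
        # i.e. the actor used one bait to find the next rather than hitting at random
        followed, prev, seen = True, None, []
        for a in hits:
            if a.token_id in seen:
                continue                # repeated hits on the same trap are not progress
            if prev is not None and self.tokens[prev].next_id != a.token_id:
                followed = False
            seen.append(a.token_id)
            prev = a.token_id
        dwell = hits[-1].ts - hits[0].ts if len(hits) > 1 else 0
        if depth >= 2 and followed:     # assumed rule: progressing through the maze = targeted
            category = "targeted"
        elif hits:
            category = "opportunistic"  # touched bait but never went anywhere with it
        else:
            category = "unknown"
        return {"actor": actor, "max_difficulty": max_diff, "depth": depth,
                "followed_chain": followed, "dwell_seconds": dwell, "category": category}


def build_demo_maze() -> HoneytokenMaze:
    chain = [
        make_token("t1", "credential", 1, next_id="t2"),   # e.g. a leaked-looking config file
        make_token("t2", "api_key", 3, next_id="t3"),       # only usable after reading t1
        make_token("t3", "admin_url", 5),                   # end of the maze
    ]
    return HoneytokenMaze(chain)


def demo_profiles() -> dict[str, dict]:
    maze = build_demo_maze()
    # Constructed sample accesses (not real traffic). A scanner hammers the first
    # bait and never follows it; a persistent actor walks the whole chain.
    for ts in (10, 11, 12):
        maze.record("198.51.100.7", "t1", ts)
    maze.record("203.0.113.42", "t1", 100)
    maze.record("203.0.113.42", "t2", 340)
    maze.record("203.0.113.42", "t3", 910)
    return {a: maze.profile(a) for a in ("198.51.100.7", "203.0.113.42")}


if __name__ == "__main__":
    for actor, p in demo_profiles().items():
        print(actor, p)
```

The `record` calls stand in for whatever detection plane sees the bait (a web log matcher, an authentication hook, a canary URL handler); `lookup` is the piece that ties an observed value back to its trap. The classification rule is deliberately simple and is one of the stated assumptions; what the paper argues for is the structure (graded difficulty, one trap pointing to the next) that makes such a rule possible at all.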

  • Issue Year: 13/2017
  • Issue No: 01
  • Page Range: 511-516
  • Page Count: 6
  • Language: English