Looking at the development trend of deception defense from the perspective of new honeypot technology

As offensive and defensive exercises have become increasingly practical and routine, honeypots, a security technology more than ten years old, have been given new life, and the deception defense that evolved from them has also become well known. More and more security vendors are investing resources in this technical field: in the recent honeypot product capability evaluation organized by CAICT, as many as 36 mainstream vendors participated. Behind this popularity is the strong driver that honeypot technology can effectively make up for the shortcomings of current network security defense solutions; routine offensive and defensive exercises are also one of the biggest catalysts. In past exercises, honeypots not only demonstrated excellent trapping and traceability capabilities against attacks, but also showed an indispensable and unique value in daily security operations and maintenance, which may be where the true vitality of honeypots lies.

Based on research into honeypot technology, combined with analysis of open source honeypot projects and commercial deception defense products, this article starts from the new technologies used in current honeypot products and looks ahead to the future development trend of deception defense.


1. Environment simulation

Traditional honeypots usually provide "single-dimensional" simulation, simulating a specific host, service, application environment and so on, whereas the latest honeypots require "multi-dimensional" simulation capabilities: the simulated environment's configuration and data are customized to the user's real network or business environment, producing a trapping environment that is close to the user's real environment and can effectively confuse the attacker. Just imagine: if a complete virtual environment is deployed in front of the user's real network, it can not only effectively delay the attacker, but also capture information such as the attacker's methods and behavioral logic.

Environment simulation technology mainly includes software simulation, container simulation and virtual machine simulation. The simulation capabilities provided by each type of technology and the types of simulation supported are shown as follows:

A brief comparison of several types of simulation technologies is as follows:

| Item | Software simulation technology | Container simulation technology | Virtual machine simulation technology |
|---|---|---|---|
| Type of interaction | Low to medium interaction | High interaction | High interaction |
| Advantages | Small resource footprint, simple deployment, efficient operation | Supports high-interaction simulation of applications and services | Supports high-interaction simulation of devices, hosts and system-level software |
| Shortcomings | Mainly provides low and medium interaction; high interaction is difficult to achieve | Relatively complex deployment and high resource requirements | Complex deployment, high resource requirements, long environment preparation time |
| Application scenarios | Emulation of simpler protocols, services and applications | High-interaction simulation of applications, services, etc. | High-interaction emulation of devices, hosts and operating systems |

2. Attack induction

The goal of attack induction is to actively lure an attacker who has already entered the network into the quagmire by technical means, so as to improve the hit rate of a limited simulation environment. Common attack induction techniques include decoy placement, traffic forwarding and virtual IP. In a typical attack and defense exercise scenario, attack induction technology can shift the initiative and become a powerful tool for the defender to take control.

2.1. Decoy placement

Decoys are all kinds of false information left for attackers on the Internet or in corporate intranets. Much of this information is very tempting and induces attackers to act on it quickly.

According to their type and use, decoys can be divided into log decoys, certificate decoys, account decoys, email decoys, project code decoys and so on. A decoy contains information such as IP addresses, user accounts, service application paths, password books and the like. After obtaining the information in the decoy, an attacker will generally follow the clues and penetrate deeper along the hosts, services and applications it points to, and is thereby lured into the trap. The schematic diagram of decoy placement is as follows:

2.2. Traffic forwarding

Through traffic forwarding, the attack traffic with which attackers try to reach normal assets can be actively forwarded into the simulation environment. Common traffic forwarding implementation techniques include host forwarding and network forwarding.

1. Host forwarding: probe software is generally deployed on the host. The probe listens on the host's unused network ports and presents them as real services, and any abnormal connection request that tries to access these ports is forwarded by the probe to the simulation environment;

2. Network forwarding: abnormal traffic is imported directly into the simulation environment by dynamically adjusting gateway device policies according to threat clues.

The schematic diagram of traffic forwarding is as follows:
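An added illustration of the host-forwarding probe described above (example code, not Decoyit's product code): the probe binds a port the real host does not use, records who connected, and relays the session to the honeypot. The honeypot here is a constructed stand-in on loopback that answers with an SSH-style banner, and all port numbers are chosen by the OS.

```python
import select
import socket
import threading

EVENTS = []   # one record per connection that hit a "closed" port on a real host

def relay(a, b, idle=2.0):
    """Shuttle bytes both ways until one side closes or the link idles out."""
    peer = {a: b, b: a}
    while ready := select.select(list(peer), [], [], idle)[0]:
        for sock in ready:
            data = sock.recv(4096)
            if not data:                 # EOF on one side ends the session
                return
            peer[sock].sendall(data)

def listen_local():                      # free loopback port (0 = OS picks); demo only
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

def start_probe(honeypot, service):
    """Serve one connection in the background and return the probe port. A real
    probe loops forever, covers every unused port and ships EVENTS to a SIEM."""
    lsock, port = listen_local()
    def serve_one():
        conn, (ip, sport) = lsock.accept()
        EVENTS.append({"src": ip, "sport": sport, "port": port, "service": service})
        with lsock, conn, socket.create_connection(honeypot) as back:
            relay(conn, back)            # the intruder now talks to the honeypot
    threading.Thread(target=serve_one, daemon=True).start()
    return port

def start_fake_honeypot(banner):         # constructed stand-in for the trapping environment
    hsock, port = listen_local()
    def answer():
        with hsock, hsock.accept()[0] as conn:
            conn.recv(4096)              # the forwarded request
            conn.sendall(banner)
    threading.Thread(target=answer, daemon=True).start()
    return port

def demo():                              # an intruder pokes an unused port on the host
    hp_port = start_fake_honeypot(b"SSH-2.0-OpenSSH_8.9\r\n")
    probe_port = start_probe(("127.0.0.1", hp_port), "ssh")
    with socket.create_connection(("127.0.0.1", probe_port)) as intruder:
        intruder.sendall(b"SSH-2.0-scanner\r\n")
        seen = b"".join(iter(lambda: intruder.recv(4096), b""))
    return seen, len(EVENTS)             # what the intruder saw, and how many events fired
```

The intruder sees the honeypot's banner as if it came from the real host, while the probe has already logged the source address and the port that was touched.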

2.3. Virtual IP

Virtual IP, as the name implies, binds multiple IP addresses to a single host. By binding IP resources to the honeypot trapping environment, virtual assets are generated in batches, improving the coverage of the honeypot and increasing the probability that an attacker hits the honeypot.

The working diagram of virtual IP is as follows:

3. Traceability

Traditional IP-based source tracing has very limited access to the attacker's identity information, and it is difficult to trace and counter the attacker effectively and in time. A honeypot system gives the defender the opportunity to counter the attacker: through countermeasures preset in the honeypot, it actively obtains information about the attacker's host or network in order to locate the attacker's identity more precisely and achieve more accurate traceability. In a typical attack-defense exercise scenario the defender only needs to obtain a virtual identity, and a good honeypot system can accomplish this task easily.

Commonly used traceability countermeasures include web countermeasures, scanning countermeasures and honey token file countermeasures.

3.1. Web countermeasures

When an attacker browses a website or web application page, the page data and script files are downloaded, parsed, executed and rendered locally on the visitor's machine. Exploiting this property, a countermeasure script is embedded in an otherwise normal website or web application page; when the attacker accesses it, the countermeasure script is downloaded and run on the attacker's machine and collects traceability information. Web countermeasures are the most commonly used type. Typical traceability information that can be obtained includes:

1. Characteristics of the attacker's host operating system and browser, including the operating system type, operating system time zone, screen resolution, browser fingerprint, browser type, browser version and other information;

2. Personal information such as social media accounts and mobile phone numbers that have been used on the attacker's host, obtained through JSONP vulnerabilities in applications;

3. The attacker's locally open ports, obtained by scanning the attacker's local ports.

The schematic diagram of the web countermeasure is as follows:

3.2. Scanning countermeasures

Attackers use scanners or attack tools in most cases when they carry out attacks. By exploiting vulnerabilities in the scanned objects, scanners or attack tools, the defender can obtain the attacker's identity information in reverse while the attacker is scanning or attempting an attack.

Countermeasure modules for specific services and scanning tools are preset in the simulation environment; when an attacker uses such a tool to scan or attack, the corresponding module is triggered to read the fingerprint and identity information of the attacker's device and counter it. Scanning countermeasures have been adopted in some current deception defense products; commonly used ones include MySQL countermeasures, SQLMap countermeasures and AWVS countermeasures.

The schematic diagram of the scanning countermeasure is as follows:

3.3. Honey token countermeasures

Honey token files mostly use file types or file names that attackers are interested in; specific data and code are embedded in the file through code bundling and similar techniques, and scenarios are constructed to induce the attacker to access and download the honey token file. When the honey token file is opened locally, the embedded code is triggered to record and send back the attacking host's and attacker's characteristic information, achieving source traceability and countermeasures.

The schematic diagram of the honey token countermeasure is as follows:

Using honey token files for countermeasures demands higher security capabilities from the defender: honey token files must be created according to the characteristics of the user's business environment and, at the same time, deployed in locations that attackers can easily reach, to achieve better results.
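An added example (not Decoyit's code) of the detection side of both decoy placement (2.1) and honey token countermeasures (3.3): a planted decoy account and a honey token document are unique values that no legitimate user ever touches, so any appearance of them in the logs is a high-confidence alert that names the source address. The decoy account, the token, the log lines and the `.env` layout are all constructed; the honey token is assumed to call back a unique URL when the document is opened, which is one common way to implement the "embedded code" described above.

```python
import re

# Constructed bait values. Each real deployment generates its own unique
# values so that a hit can be tied to the exact decoy that was picked up.
DECOY_ACCOUNTS = {"svc_backup_7f3a": "planted in /srv/backup/.env"}
HONEY_TOKENS = {"c0ffee42": "Q3_salary_review.docx on the shared drive"}

# Constructed log lines: a legitimate login, two uses of the decoy account over
# SSH, and the callback fetched when the honey token document is opened.
SAMPLE_SSH_LOG = [
    "sshd[811]: Accepted publickey for alice from 10.0.2.15 port 50212 ssh2",
    "sshd[812]: Failed password for svc_backup_7f3a from 10.0.5.7 port 51234 ssh2",
    "sshd[813]: Accepted password for svc_backup_7f3a from 10.0.5.7 port 51240 ssh2",
]
SAMPLE_WEB_LOG = [
    '10.0.2.15 - - [12/Mar/2023:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.5.7 - - [12/Mar/2023:10:07:44 +0800] "GET /t/c0ffee42.png HTTP/1.1" 200 68 "-" "Microsoft Office/16.0"',
]

SSH_RE = re.compile(r"(Accepted|Failed) \S+ for (\S+) from (\S+) port \d+")
WEB_RE = re.compile(r'^(\S+) .*?"GET /t/([0-9a-f]+)\.\w+ HTTP/[\d.]+" \d+ \d+ "[^"]*" "([^"]*)"')

def bait_env_file(account):
    """Render the decoy credential the way it would sit in a 'forgotten' .env file (constructed)."""
    return f"BACKUP_HOST=10.0.9.20\nBACKUP_USER={account}\nBACKUP_PASS=Winter2023!\n"

def decoy_account_alerts(lines, accounts=DECOY_ACCOUNTS):
    """Any login attempt with a decoy account is an alert: no legitimate user knows it."""
    alerts = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m.group(2) in accounts:
            alerts.append({"kind": "decoy_account", "src": m.group(3), "user": m.group(2),
                           "result": m.group(1).lower(), "origin": accounts[m.group(2)]})
    return alerts

def honey_token_alerts(lines, tokens=HONEY_TOKENS):
    """A request for a token's callback URL means the honey token document was opened."""
    alerts = []
    for line in lines:
        m = WEB_RE.match(line)
        if m and m.group(2) in tokens:
            alerts.append({"kind": "honey_token", "src": m.group(1), "token": m.group(2),
                           "document": tokens[m.group(2)], "client": m.group(3)})
    return alerts
```

Because both alert types carry the decoy's origin, the defender also learns which planted file or share the attacker reached, which is the clue-following path 2.1 describes seen from the other side.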

4. Prediction of future deception defense development

Offensive and defensive exercises have moved towards routine, real-combat operation. Although the exercises do not mention honeypots by name, honeypots are everywhere in them; but today's honeypot is not the honeypot of old, and the author prefers to call it "deception defense" or "simulated trapping" technology. The traditional approach of using high-interaction honeypots to trace attackers is gone forever, and demand for a new generation of sophisticated deception defense technologies and products that integrate with the real computing environment will grow stronger and stronger. The world-renowned IT research and consulting firm Gartner assesses "deception defense" as a security technology with a profound impact on the existing security protection system. In Gartner's 2020 Hype Cycle for Security Operations Technology, analysts placed "deception platforms" in the Peak of Inflated Expectations and rated their current maturity as "adolescent", expecting them to reach maturity and wide adoption in 5 to 10 years.

Based on the analysis of the latest honeypot technology evolution, combined with the current development trend of the deception defense industry, the author believes that the deception defense market and its products will develop along the following lines in the next few years.

4.1. Deception defense technology will be more widely used

As a category of active defense, deception defense can deliver unique value in many fields. Applied to threat monitoring, thanks to its low false positive rate it can be used as a routine operations and maintenance monitoring tool, or integrated into other security products as an engine or module so that they gain threat trapping capabilities; applied to traceability, a variety of countermeasures can be used to trace attacks accurately; at the same time, deception defense produces high-quality local threat intelligence, which can be linked with or integrated into local defenses such as WAF and FW to improve the network's overall active defense capability. Precisely because it plays an important role in so many fields, deception defense technology is bound to be used more widely in the future.

4.2. Computing environment simulation integrating network mapping technology

Whether a trapping environment can effectively confuse an attacker depends on how realistic its simulation is. A simpler simulation environment is easier for attackers to see through and can hardly delay an attacker's behavior effectively. To improve the fidelity of the trapping environment, network mapping technology is integrated to survey and map the user's network, and a trapping network resembling the user's real network is simulated from the mapping results. A trapping network environment close to the user's real network can effectively confuse attackers and actively induce attack behavior, which raises the probability of successful trapping and helps improve the ability to trap threats.

4.3. Industry-specific and business-specific simulation templates

Basic simulation capabilities and business simulation capabilities are loosely coupled: the product provides the basic simulation capabilities, while industry- and business-specific simulation capabilities are managed and maintained through templates. Templates are generated by automatic learning in the system or through intuitive, simple interfaces that support user customization, and business simulation capabilities can be shared through templates. This can greatly improve the flexibility and efficiency of business adaptation when deception defense products are deployed, improve the fit between products and industry services, and accelerate the adoption and promotion of deception defense products.

4.4. Traceability is still one of the future priorities

Traditional traceability methods have very limited access to the attacker's identity information and face many difficulties such as inaccurate positioning and difficult forensic investigation. Deception defense can provide more accurate traceability methods, locate the attacker's identity more precisely, and give the defender stronger traceability capabilities. Therefore traceability remains one of the key directions for deception defense products in the future. As the offensive and defensive confrontation evolves, the traceability countermeasures adopted also need to iterate in step. At the same time, countermeasures need to be customized to the characteristics of the user's business environment to achieve good results, so the investment cost is relatively high, and they are mainly used in large and medium-sized enterprises and institutions and in scenarios with a strong demand for traceability.


About Jiwo Technology

Beijing Decoyit Technology Co., Ltd. (www.decoyit.com), founded in Beijing, is an innovative technology enterprise focusing on deception defense. The company's core members have many years of management experience and research and development background in domestic first-line security companies, and rich experience in network security product design, research and development, and security attack and defense. The company has independently developed the "open intelligent environment simulation deception defense solution" and the "magic mirror intelligent simulation and trapping defense system", and is committed to changing the current asymmetry between attack and defense in network security by providing customers with a variety of deception defense products and services that enhance the active defense capability of their networks.
