There is a constant battle in cyberspace between attackers and security professionals. Unfortunately, the reality today is that it is not possible to “catch” all hackers, but by using cyber deception techniques we can collect data that is useful for CTI (cyber threat intelligence) on the tactics and tools they use. It also helps us improve our threat detection systems and wastes attackers’ time, as every minute spent on bogus systems or data is a minute not spent on critical systems.
Cyber deception is specially created fictitious data, servers, network structures, databases, users, files, etc. that may appear attractive to hackers and are used as a decoy to distract them from the real thing. This approach often helps to detect and react to threats early, as well as to gather intelligence and use it to alert other organisations, for example through the MISP platform. It has a low false-positive rate, as no one apart from hackers has any interest in interacting with the data, and legitimate users know nothing about it.
A honeypot is a deliberately vulnerable system that looks like a real and valuable part of the network, with the aim of tempting hackers, monitoring their actions and gathering information about threats.
A honeynet is an entire network made up of several honeypots, which provides a broader environment for attackers to operate in and helps to better expose the techniques and tools they use, for example when moving between different devices on the network.
Decoy data is data that appears to be important information, such as personal records, financial data or confidential documents. Such data is fake and has no real use; it only creates the illusion that the attacker has gained access to real and valuable data.
Decoy accounts are fake accounts that look like normal users but have no real access or authority to perform any real actions. An attacker attempting to use these accounts triggers automated notifications to the security team, even in the case of a single failed login.
Decoy files are fake files that have no real value and are usually placed in easily accessible locations such as the Desktop or Documents folders, typically as common file types such as .docx or .xlsx. They are designed to trick an attacker into believing that they are valuable sources of data, so that the attacker is tempted to encrypt them or move them out of the system.
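As an added illustration (not code from the original article), the following Python snippet shows the detection logic behind decoy accounts and decoy files: any authentication attempt against a decoy account, successful or failed, and any access to a decoy file path raises an alert. The decoy names, file paths and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed inventory of deployed decoys (assumed names; replace with your own).
DECOY_ACCOUNTS = {"svc_backup_admin", "finance_share"}
DECOY_FILES = {r"C:\Users\Public\Documents\Salaries_2024.xlsx",
               r"C:\Users\Public\Desktop\Passwords.docx"}

# Constructed log formats: an sshd-style auth line and a file-audit line.
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>[\d.]+)")
FILE_RE = re.compile(r'FILE_ACCESS user=(?P<user>\S+) host=(?P<host>\S+) '
                     r'path="(?P<path>[^"]+)" op=(?P<op>\w+)')

@dataclass(frozen=True)
class Alert:
    kind: str     # "decoy_account" or "decoy_file"
    subject: str  # the decoy that was touched
    source: str   # where the interaction came from
    detail: str   # login result or file operation

def detect(lines):
    """Return one Alert per log line that touches a decoy account or decoy file."""
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["user"] in DECOY_ACCOUNTS:
            # No legitimate user ever logs in as a decoy, so a single failed
            # attempt is already worth an alert.
            alerts.append(Alert("decoy_account", m["user"], m["ip"], m["result"].lower()))
            continue
        m = FILE_RE.search(line)
        if m and m["path"] in DECOY_FILES:
            alerts.append(Alert("decoy_file", m["path"], f'{m["user"]}@{m["host"]}', m["op"]))
    return alerts

# Constructed sample log lines mixing normal activity with decoy interactions.
SAMPLE_LOG = [
    "Jan 12 03:14:07 fs01 sshd[2211]: Failed password for svc_backup_admin from 10.20.30.40 port 51234 ssh2",
    "Jan 12 03:14:09 fs01 sshd[2211]: Accepted password for alice from 10.0.0.8 port 51236 ssh2",
    "Jan 12 03:15:01 fs01 sshd[2213]: Failed password for invalid user finance_share from 10.20.30.40 port 51240 ssh2",
    "Jan 12 03:16:30 fs01 sshd[2215]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    r'FILE_ACCESS user=bob host=WS-17 path="C:\Users\Public\Documents\Salaries_2024.xlsx" op=read',
    r'FILE_ACCESS user=bob host=WS-17 path="C:\Users\bob\Documents\notes.docx" op=write',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```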
Threat intelligence gathering and sharing: decoys and honeypots make it possible to collect more accurate information about attackers, their tactics and the tools they use, to obtain samples of malware or malicious e-mails, and in this way to help the CTI team produce more tailored threat forecasts. They also reveal which APTs may be targeting the organisation, help keep intelligence databases up to date, and allow this information to be shared with other organisations.
Testing and training: these tools can be used to build training scenarios so that an organisation’s staff can practise their incident and threat response skills. This helps improve response speed and accuracy in real incidents.
Deterrence: since intruders usually seek easy and quick gains, once they realise they are interacting with honeypots and decoys they may be put off, understanding that the organisation has invested seriously in its security, and go looking for an easier victim.
Faster threat detection: decoys and honeypots help the SOC team to quickly identify when attackers are trying to enter the network or have already entered if they are interacting with accounts or files, and to prevent further action.
Fewer false positives: legitimate users have no reason to interact with decoys, so almost every interaction with them comes from an attacker.
Automatic response: when an attacker interacts with a decoy, certain responses can be executed automatically, such as blocking the source, sending a warning or isolating the system.
Identification of security vulnerabilities: decoys and honeypots allow an organisation to identify potential security vulnerabilities.
Increasing system resilience: allows security systems and response procedures to be tested and improved by simulating real attacks, enabling an organisation to assess how effectively its systems are dealing with threats.
Identify new threats: By monitoring attackers through decoys and honeypots, CTI teams can uncover new attacks or attack methods that are not yet well known, including zero-day vulnerabilities.
When collecting honeypot data, it is important to focus on information that allows accurate identification of threats. For example, the IP addresses from which brute-force login attempts against the honeypot server, or attempts to exploit vulnerabilities in the honeypot, are observed, rather than SYN port scans alone, unless those scans are consistently recurring and very aggressive. To reduce false-positive signals, known scanners should be filtered out and only active and suspicious activity should be retained. This allows more valuable intelligence to be generated.
The MISP platform currently integrates a feed from our honeypot system, which automatically uploads IP addresses related to potential threats. This feed contains 30 266 IP addresses, of which 3 634 correlate with other data sources, and often one IP correlates with multiple feeds simultaneously. Such correlation gives greater confidence in the reliability of the data and helps to detect the same threats that have already been seen in other networks; because this data is also integrated into SIEM platforms, it helps to detect these threats for our SOC service customers. High-reliability data could also be sent automatically to the firewall blocklist, pre-empting the threat.
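As an added example (not code from the original article or from MISP), the following Python snippet implements the triage rules described above: known scanners are filtered out, sources are reported only when they show active behaviour (brute force or exploit attempts) or persistent, aggressive scanning, and reported IPs that also appear in other feeds are marked high-confidence as candidates for an automatic firewall blocklist. The thresholds, feed names, IP addresses and events are constructed placeholders.

```python
from collections import defaultdict

# Constructed thresholds (assumptions): a scan-only source is reported only when
# it keeps returning and is aggressive, as recommended above.
SCAN_ONLY_MIN_DAYS = 3
SCAN_ONLY_MIN_PROBES = 500
ACTIVE_EVENTS = {"ssh_bruteforce", "http_exploit", "telnet_login"}

# Constructed allowlist of known benign internet scanners (placeholder address).
KNOWN_SCANNERS = {"198.51.100.10"}

# Constructed external feeds standing in for the other MISP correlation sources.
OTHER_FEEDS = {"feed_a": {"203.0.113.5", "203.0.113.77"}, "feed_b": {"203.0.113.5"}}

def triage(events):
    """events: iterable of (ip, day, event_type, count).
    Returns {ip: (verdict, [feeds the ip also appears in])}."""
    by_ip = defaultdict(lambda: {"days": set(), "active": 0, "scans": 0})
    for ip, day, kind, count in events:
        rec = by_ip[ip]
        rec["days"].add(day)
        if kind in ACTIVE_EVENTS:
            rec["active"] += count
        elif kind == "syn_scan":
            rec["scans"] += count
    result = {}
    for ip, rec in by_ip.items():
        if ip in KNOWN_SCANNERS:
            verdict = "filtered_known_scanner"
        elif rec["active"] > 0 or (len(rec["days"]) >= SCAN_ONLY_MIN_DAYS
                                   and rec["scans"] >= SCAN_ONLY_MIN_PROBES):
            verdict = "report"
        else:
            verdict = "ignore_scan_only"
        feeds = sorted(name for name, ips in OTHER_FEEDS.items() if ip in ips)
        if verdict == "report" and feeds:
            verdict = "high_confidence"  # corroborated by another source
        result[ip] = (verdict, feeds)
    return result

def blocklist(triaged):
    """Only corroborated, actively hostile sources are pushed to the firewall."""
    return sorted(ip for ip, (verdict, _) in triaged.items() if verdict == "high_confidence")

# Constructed honeypot observations: (ip, day, event_type, count).
SAMPLE_EVENTS = [
    ("203.0.113.5", "d1", "ssh_bruteforce", 120),   # active and in two feeds
    ("203.0.113.77", "d1", "syn_scan", 20),         # light scans only, despite feed_a
    ("203.0.113.77", "d2", "syn_scan", 15),
    ("192.0.2.44", "d1", "syn_scan", 300),          # persistent, aggressive scanning
    ("192.0.2.44", "d2", "syn_scan", 250),
    ("192.0.2.44", "d3", "syn_scan", 400),
    ("198.51.100.10", "d1", "http_exploit", 3),     # known scanner, dropped
    ("192.0.2.9", "d1", "http_exploit", 1),         # exploit attempt, uncorroborated
]
```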
Much of this data correlates with foreign data feeds, which do not always directly reflect the risks faced by Lithuanian organisations. Sharing relevant IoCs enables us to better understand and manage the threats we face here in Lithuania. This not only helps organisations to protect themselves more effectively, but also strengthens the country’s overall cyber resilience. We believe that the more Lithuanian organisations join this project, the more everyone involved in the initiative will benefit from seeing correlated data from attacks observed specifically in our country. We invite you to join us in this process.
Cyber deception is an effective method to increase the cyber resilience of organisations. Using deceptive systems such as honeypots and decoys, this technology creates a misleading environment where attackers can “get trapped” and expose their actions, even if they have managed to overcome conventional security measures. Cyber deception enables early identification of cyber intrusions, reduced false alerts, and faster response to threats. In addition, cyber deception benefits both large organisations with sophisticated security systems and smaller companies that want to effectively defend against sophisticated threats even with limited resources.
In summary, cyber traps are a useful defence that can facilitate the fight against cyber criminals by enabling organisations not only to respond to attacks, but also to proactively gather useful information about hackers’ methods, tools and IoCs, which can then be shared with other organisations in order to prevent threats.
This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.