What is deception technology?

Deception technology is a category of incident detection and response technology that helps security teams detect, analyze, and defend against advanced threats by enticing attackers to interact with false IT assets deployed within your network.

The deception approach can give you high-fidelity alerts around specific malicious behaviors, many of which are challenging to identify by log analysis or a SIEM tool alone. The benefit: you can identify suspicious activity early in an attack chain, as well as confuse and misdirect an adversary on your internal network. This page gives an overview of deception technology and dives into three examples: honeypots, honey users, and honey credentials.


Deception technology overview

Whether you want to picture deception technology as a worm dangling on a fish hook, a chunk of cheddar cheese tucked into a mousetrap, or the notes of an enticing siren song luring sailors to their death, the message is the same: deception technology is bait. By setting irresistible traps that appear to be legitimate IT assets, it entices attackers on your internal network to interact with them, triggering alerts and giving your team the time, insight, and context they need to respond effectively.

Because no one within your organization needs to interact with deception technology as part of their job, any activity it records is automatically suspicious. Therefore, a key benefit of deception technology is high-fidelity alerts that identify very specific malicious behaviors.

Deception technology can reduce attacker dwell time on your network, speed up mean time to detection and remediation, reduce alert fatigue, and provide important information about indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs).

Deception technology can help detect the following types of threats:

  • Credential theft
  • Lateral movement
  • Attacks on directory systems
  • Man-in-the-middle (MitM) attacks
  • Unauthorized access to sensitive data
  • Geo-fencing

For a deception technology solution to be effective, it has to appear legitimate enough to trick a sophisticated attacker, while neatly folding into your existing threat detection strategy. Ideally, the deception technology is easy to deploy, updates automatically as needed, and can send the alerts it generates directly to your security information and event management (SIEM) platform.

Here are a few specific examples of deception technology:

Honeypots

Honeypots are decoy systems or servers that are deployed alongside production systems within your network. They can look like any other machine on the network or be deployed to look like something an attacker would target. Honeypots have many applications and use cases, as they work to divert malicious traffic away from important systems, identify anomalous network scans, and reveal information about attackers and their methods.

In terms of purpose, there are two types of honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild. Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventive defenses, patch prioritization, and future investments.

Production honeypots, deployed on your network, help reveal internal compromise across your environment and give your team more time to respond. Information gathering remains a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement.

Simple and low-maintenance, honeypots help you break an attack chain and slow adversaries down with high-fidelity alerts and contextual information. Want to learn more about honeypots? See our page on honeypot technology.

Honey Users

Honey users are fake user accounts, usually deployed in Active Directory, that detect and alert on password-guessing attempts from malicious actors. Once an attacker has internal access to your network, they’ll likely try a vertical brute-force attack.

This consists of querying Active Directory to enumerate employee accounts and trying a small number of commonly used passwords across those accounts. By defining and monitoring a honey user—an account with no business purposes—you can easily identify this stealthy password guessing technique.

Attackers will be more likely to go after accounts with a juicy (yet believable) description, so naming it “PatchAdmin” or something similar can help bait them into interacting with it. It’s important to note that this dummy user account should not be associated with a real person within your organization and should never be used for any valid authentication.

Honey Credentials

Once an attacker compromises an endpoint, they will typically harvest passwords from the asset and try them elsewhere to access other resources on your network. Honey credentials help combat this technique by serving as fake credentials injected onto the endpoint. If authentication is attempted with the honey credential, an alert is generated.

Regardless of whether a user attempts to log in to an asset with a honey credential or is attempting to use the honey credential to pivot to another endpoint, these credentials don’t actually grant access to any systems, so they are completely safe to deploy.

Honey credentials also show a clear trail of an intruder moving laterally across your network—think of it like banks placing exploding dye packs in money bags to mark the money and identify it later.
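The honey-user and honey-credential detections described above amount to one rule: any authentication attempt that names a decoy account is an alert, enriched with how many other accounts the same source has been failing against. The following added example (not code from the original page or any Rapid7 product) runs that rule over a constructed sample of authentication events. The `PatchAdmin` name comes from the text; the `svc_backup_decoy` account, the source addresses and the simplified line format are assumptions made for this example, though the Windows event IDs 4624 and 4625 are real.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, made-up line format loosely modelled on
# Windows Security events (4624 = successful logon, 4625 = failed logon).
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 EventID=4624 TargetUser=jdoe Src=10.0.4.12 LogonType=3
2024-05-01T08:00:07 EventID=4625 TargetUser=PatchAdmin Src=10.0.4.77 LogonType=3
2024-05-01T08:00:07 EventID=4625 TargetUser=jdoe Src=10.0.4.77 LogonType=3
2024-05-01T08:00:08 EventID=4625 TargetUser=asmith Src=10.0.4.77 LogonType=3
2024-05-01T08:01:15 EventID=4624 TargetUser=svc_backup_decoy Src=10.0.4.77 LogonType=3
2024-05-01T08:02:00 EventID=4624 TargetUser=asmith Src=10.0.4.12 LogonType=2
"""

# Hypothetical decoy names. Neither account has any legitimate use, so any
# authentication attempt against them is suspicious by definition.
HONEY_USERS = {"patchadmin"}              # decoy account defined in AD
HONEY_CREDENTIALS = {"svc_backup_decoy"}  # fake credential planted on an endpoint

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
    r"Src=(?P<src>\S+) LogonType=(?P<lt>\d+)$"
)

def parse_events(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def detect(events):
    """One alert per attempt touching a decoy account, plus how many distinct
    accounts the same source has failed against (password-spray context)."""
    failed_targets = defaultdict(set)
    for ev in events:
        if ev["eid"] == "4625":
            failed_targets[ev["src"]].add(ev["user"].lower())
    alerts = []
    for ev in events:
        user = ev["user"].lower()
        if user in HONEY_USERS:
            kind = "honey_user"
        elif user in HONEY_CREDENTIALS:
            kind = "honey_credential"
        else:
            continue  # real accounts are not the honeypot's concern
        alerts.append({
            "kind": kind, "time": ev["ts"], "event_id": ev["eid"],
            "account": ev["user"], "src": ev["src"],
            "accounts_tried_from_src": len(failed_targets[ev["src"]]),
        })
    return alerts
```

On the sample, the failed attempt against `PatchAdmin` and the successful use of `svc_backup_decoy` both come from the same source, which has already failed against three distinct accounts; that pairing is what turns a single decoy hit into a lateral-movement trail.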

Using deception technology alongside other security measures will help bolster your defenses and help you detect compromise early. While any type of deception technology will help, using the right types to shore up your existing detection gaps will result in the most effective defense-in-depth approach.

Read more about deception technology

“ladbrokes立博官网” Episode 4: Deception technology

Deception technology news: latest Rapid7 blog posts