{"id":115521,"date":"2020-11-19T16:00:49","date_gmt":"2020-11-19T13:00:49","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/turning-the-tables-on-the-hackers-cloudsavvy-it\/"},"modified":"2020-11-19T16:00:49","modified_gmt":"2020-11-19T13:00:49","slug":"turning-the-tables-on-the-hackers-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/turning-the-tables-on-the-hackers-cloudsavvy-it\/","title":{"rendered":"#Turning the Tables on the Hackers \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#Turning the Tables on the Hackers \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure id=\"attachment_8055\" style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-8055 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/77c30441b3cb255e063f378d4111676e\/p\/uploads\/2020\/11\/dc18e294.png\" alt=\"\" width=\"700\" height=\"300\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/charcoal-painted-gold-123948847\" data-credittext=\"Shutterstock\/Barbol\"\/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/charcoal-painted-gold-123948847\">Shutterstock\/Barbol<\/a><\/span><\/figcaption><\/figure>\n<p>It\u2019s time to turn the tables on the 
threat actors and give them a taste of their own medicine. These defensive platforms use the bad guys\u2019 favorite weapon against them: deception.<\/p>\n<h2 id=\"deception-technologies\"><span class=\"ez-toc-section\" id=\"Deception_Technologies\"><\/span>Deception Technologies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Some cyberattacks happen in a very short time. For example, someone receives a phishing email. They don\u2019t recognize it as a cyberattack. They try to open the malicious attachment. The attachment contains a small downloader program that installs itself on their computer. Living up to its name, the downloader retrieves the actual malware from the threat actor\u2019s server and installs it. The downloaded malware may be ransomware, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Adware\">adware<\/a>, a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Cryptocurrency#Mining\">cryptojacker<\/a>, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Remote_desktop_software#RAT\">a remote access trojan<\/a> (RAT), or any other malicious software that will benefit the threat actor at the victim\u2019s expense.<\/p>\n<p>By contrast, cyberattacks that involve\u00a0<em>infiltration<\/em>\u00a0are not quick, automated events. They\u2019re multi-phased processes. The initial infection might be a RAT delivered by a phishing email, but that\u2019s when the threat actors\u2019 work actually begins. The RAT can be used by the threat actor to connect to the compromised network at will, as many times as they like. 
It\u2019s their own private backdoor.<\/p>\n<p>At their leisure, they can navigate carefully through your network, observing events, monitoring activity, and figuring out things like where your backups are stored. The end game might still be a ransomware attack. But if the victim organization is sufficiently valuable, it pays for the threat actors to take the time to make sure their malware can reach all parts of the network, including the backups. They want the maximum spread of infection.<\/p>\n<p>Perhaps they are not planning a ransomware attack. But whatever their intention, when the threat actors access your network, they are strangers in a strange land. They don\u2019t know your network topology, segmentation, server names, backup software, and so on. To obtain that information they need to map out your network by snooping, observing, and doing the work to figure out what\u2019s what. This is called\u00a0<em>moving laterally<\/em>\u00a0through the network. It is done to map the network, as part of privilege escalation, and to find high-value assets and targets.<\/p>\n<p>Deception technologies make that lateral movement difficult, if not impossible. They detect when someone is trying to feel their way through your network, and send alerts to notify staff.<\/p>\n<p>This is how deception technologies operate.<\/p>\n<h2 id=\"decoys-and-honeypots\"><span class=\"ez-toc-section\" id=\"Decoys_and_Honeypots\"><\/span>Decoys and Honeypots<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A deception platform deploys fake network assets that look like real devices to the threat actor as they explore your network. They are convincing decoys that respond as though the threat actor were probing or investigating a real device. 
But because no one should be interacting with the decoy assets, any activity on them is suspicious and likely to be malicious.<\/p>\n<p>You can liken a deception platform to a sort of \u201cmotion detector\u201d for your network. If someone is dabbling in an area they shouldn\u2019t\u2014whether a threat actor or a nosy, snooping employee\u2014they\u2019ll be caught in the act.<\/p>\n<p>One of the advantages of deception platforms is that they detect activity rather than match signatures. They don\u2019t need a database of malware or other signatures kept up to date, and they can\u2019t be caught out by zero-day threats. They don\u2019t suffer from false positives. If the platform detects activity on a deception asset, something is going on that you need to look at.<\/p>\n<p>The deception assets may impersonate:<\/p>\n<ul>\n<li>Computers<\/li>\n<li>Printers<\/li>\n<li>File servers<\/li>\n<li>Routers<\/li>\n<li>Switches<\/li>\n<li>Firewalls<\/li>\n<li>Point of sale (POS) equipment<\/li>\n<li>Automated teller machines (ATMs)<\/li>\n<li>Internet of Things (IoT) devices<\/li>\n<li>Industrial sensors and controllers<\/li>\n<\/ul>\n<p>A deception system will allow you to choose what type of deception assets you want to install, but it is usually easier to allow the deception platform to examine your network and auto-populate it with phantom assets of the kinds commonly found on a network like yours. Some deception platform providers offer a service to create a deception asset to your specification, to mimic a particular type of device that you want to have deployed on your network. That means you can have decoy versions of every type of real device on your network.<\/p>\n<p>Deception systems can create and monitor non-device decoys and honeypots too, such as configuration files, log files, and documents that would be of interest to a threat actor who was trying to understand your network. 
As soon as one of these decoys is viewed, deleted, or copied, an alert is raised.<\/p>\n<p>Subtle clues, known as breadcrumbs, can be left in the network to point to phantom high-value assets. This is done to lead threat actors away from real devices and to steer them towards what appear to be prime targets.<\/p>\n<p>An <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Intrusion_detection_system\">intrusion detection system<\/a> (IDS) tries to detect malicious activity by analyzing network traffic on your actual network. A deception platform tries to steer the malicious activity off your genuine network and into the phantom zone.<\/p>\n<h2 id=\"phantom-devices-phantom-traffic\"><span class=\"ez-toc-section\" id=\"Phantom_Devices_Phantom_Traffic\"><\/span>Phantom Devices, Phantom Traffic<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Surprisingly, the deception assets don\u2019t put any strain on your network, nor flood it with traffic. They\u2019re not actually on your network like a real device until someone tries to interact with them. They\u2019re virtual devices residing within a device farm or deception farm inside a virtualized environment that can be on-premises or in the cloud. The deception system fabricates evidence of the existence of the deception assets on the genuine network.<\/p>\n<p>To make the deception assets look as real as possible, decoy network traffic and even fake user activity are generated. As soon as anyone tries to interact with a deception asset, it is brought to life in milliseconds\u2014fully spun up in the deception farm\u2014so that it presents real-world responses and actions to the threat actor while alerts are raised to the support staff.<\/p>\n<p>As far as the infiltrator is aware, they are dealing with a genuine server, ATM, medical device, or some other <em>bona fide<\/em> networked device.<\/p>\n<p>Deception assets can be created that actually contain a full operating system. 
These controlled environments are used to allow the threat actor to carry out their malicious actions while recording and monitoring those actions to better understand their intentions. This information can be used to help prevent a recurrence.<\/p>\n<p>As well as raising alerts, the deception platform may invoke other responses. It can sandbox the deception asset so that any injected threats such as malware are contained. It can quarantine phantom servers, or it may expire the authentication credentials for the account that the threat actor is using.<\/p>\n<h2 id=\"aimed-at-enterprises\"><span class=\"ez-toc-section\" id=\"Aimed_At_Enterprises\"><\/span>Aimed At Enterprises<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Deception platforms sit most comfortably in the enterprise-scale network. Enterprise networks are big enough to require careful mapping by the threat actor, and can most convincingly contain many\u2014even thousands\u2014of phantom devices. If a threat actor sees that the network of a small business is disproportionately populated with networked devices, they may suspect a deception platform is in play. Larger networks naturally camouflage the extra devices.<\/p>\n<p>Threat actors are aware of deception platforms, which is why the deception assets must be replicated so accurately and convincingly and must react with seemingly real-world responses.<\/p>\n<p>Of course, you should still do all you can to prevent the threat actor from gaining access to your network. But if they do manage to get inside, you need to have something that will detect their presence and contain their actions. And if it steers them away from genuine assets and onto phantom assets, so much the better.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/8044\/appearances-can-be-deceptive-turning-the-tables-on-the-hackers\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Turning the Tables on the Hackers \u2013 CloudSavvy IT&#8221; Shutterstock\/Barbol It\u2019s time to turn the tables on the threat actors and give them a taste of their own medicine. These defensive platforms use the bad guy\u2019s favorite weapon against them: deception. Deception Technologies Some cyberattacks happen in a very short time. 
For example, someone receives&#8230;<\/p>\n","protected":false},"author":1,"featured_media":115522,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/11\/dc18e294.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-115521","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/115521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=115521"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/115521\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/115522"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=115521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=115521"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=115521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}