Deception technology seems to be the latest buzzword. It was everywhere at Black Hat and now my favorite Gartner researchers are covering it.
I talked to the vendors at Black Hat. I can’t figure out what they are offering that I couldn’t give to an intern to deploy over the summer. I worked with an intern over a summer to deploy the basic technology.
My deception environment:
- I reserved random IP space and assigned likely machine names in a couple of segments of the network. If administrative cost is a concern for deploying a sensor, null route it at the local router / switch and log the traffic.
- In the server space, I requested standard Linux and Windows systems following the IT standards. Throw standard software on them with default configs. Log the activity.
- I created some honeypot DNS entries. Payroll, Mainframe, etc.
- I had some honeypot accounts created in Active Directory following naming standards. I didn’t request that the IT staff log in to some systems; that’s a clear deficiency in my setup. I should have requested the Oracle team create an extra account, the AD admins create an extra account, etc.
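The detection side of the setup above, as an added example that is not code from the original post: a small script that flags any log line touching a decoy asset. Everything in it is an assumption made for the example, not the post's own environment: the decoy networks, the decoy DNS names, the honeypot account names, and the three simplified log formats (flow, DNS query, logon) are all constructed. The point it demonstrates is that a decoy needs no signature: nothing legitimate should ever talk to it, so every hit is worth a look, and grouping hits by source turns a range sweep (like the printing-services scan) into one finding rather than dozens. It also covers the second surprise from the post: a real host numbered into the reserved range shows up as traffic originating from decoy space.

```python
"""Decoy-hit detector (added example; all values below are constructed)."""
import ipaddress
import re
from collections import defaultdict

# Constructed decoy inventory: hypothetical addresses and names, not from the post.
DECOY_NETWORKS = [ipaddress.ip_network("10.20.250.0/28"),
                  ipaddress.ip_network("10.30.250.0/28")]
DECOY_HOSTNAMES = {"payroll.corp.example", "mainframe.corp.example"}
HONEYPOT_ACCOUNTS = {"svc_oracle_bkp", "adm_jsmith2"}

# Simplified, constructed log formats (one line per event).
FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<src>\S+) query=(?P<qname>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def is_decoy_ip(addr: str) -> bool:
    """True if addr falls inside one of the reserved (null-routed) decoy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DECOY_NETWORKS)


def classify(line: str):
    """Return (source, reason) when a line touches a decoy asset, else None."""
    m = FLOW_RE.match(line)
    if m:
        # Nothing lives in decoy space, so a *source* there means someone
        # deployed a real host into the reserved range (address collision).
        if is_decoy_ip(m["src"]):
            return m["src"], f"traffic originating from decoy space (dst {m['dst']}:{m['dport']})"
        if is_decoy_ip(m["dst"]):
            return m["src"], f"flow to decoy IP {m['dst']}:{m['dport']}"
        return None
    m = DNS_RE.match(line)
    if m:
        if m["qname"].lower().rstrip(".") in DECOY_HOSTNAMES:
            return m["src"], f"DNS lookup of decoy name {m['qname']}"
        return None
    m = AUTH_RE.match(line)
    if m:
        if m["user"].lower() in HONEYPOT_ACCOUNTS:
            return m["src"], f"logon attempt with honeypot account {m['user']} ({m['result']})"
        return None
    return None  # unrecognised line: ignored, not an error


def summarize(lines):
    """Group decoy hits by source address: one sweeping scanner -> one entry."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            src, reason = result
            hits[src].append(reason)
    return dict(hits)


def rank(summary):
    """Sources ordered by number of decoy hits, noisiest first."""
    return sorted(((src, len(r)) for src, r in summary.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample log: a print server sweeping the decoy range on port 9100,
# a workstation resolving a decoy name and then trying a honeypot account, and
# a newly built server that was numbered into the reserved range.
SAMPLE_LOG = [
    "2019-08-12T09:00:01 flow src=10.20.5.17 dst=10.20.250.1 dport=9100",
    "2019-08-12T09:00:01 flow src=10.20.5.17 dst=10.20.250.2 dport=9100",
    "2019-08-12T09:00:02 flow src=10.20.5.17 dst=10.20.250.3 dport=9100",
    "2019-08-12T09:00:02 flow src=10.20.5.17 dst=10.20.6.40 dport=9100",
    "2019-08-12T09:15:44 dns client=10.20.8.91 query=payroll.corp.example.",
    "2019-08-12T09:15:45 dns client=10.20.8.91 query=www.example.com.",
    "2019-08-12T09:16:02 auth user=SVC_ORACLE_BKP src=10.20.8.91 result=failure",
    "2019-08-12T10:30:00 flow src=10.30.250.9 dst=10.30.1.5 dport=53",
    "2019-08-12T10:31:00 auth user=jdoe src=10.20.8.50 result=success",
    "garbage line that matches no format",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, count in rank(report):
        print(f"{src}: {count} decoy hit(s)")
        for reason in report[src]:
            print(f"    {reason}")
```

On the constructed sample this reports three sources: the print server with three hits, the workstation with two (decoy DNS name plus honeypot account), and the misnumbered server with one. Feeding real flow, DNS and logon exports into `summarize` only requires adjusting the three regexes to the local log format.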
I didn’t get any confirmed malicious hits, but I did catch some unexpected scanners. Printing services performed an unexpected/unplanned scan of the user environment, a system admin incremented system numbering into my space, etc.