Check, Check, Check It Out!

Cyber Deception Resources

By Kaitlyn Wimberley

ADHD

The ADHD Project is a resource that has a collection of deceptive tools divided into the three categories of Annoyance, Attribution, and Attack. This is a great place to start looking at all of the gloriously mischievous things you can do with deception.

Adhdproject.github.io

Honeypots

These are objects that attackers are enticed to interact with. They are never touched by legitimate users, so any activity on them is probably malicious and should be investigated immediately. They can be used for detecting attacks that other defenses miss (like a canary in a coal mine), or to gain insight into who is attacking you, how, and why. You can do this with virtually anything: honey users, honey tokens, honey ports, honey IoT, honey docs, honey creds, honey ICS, honey networks, honey accounts, honey services, honey databases... the list goes on and on.

Honeyports

This is a very straightforward Python script that listens on a port and configures the firewall to block any source IP address that makes a connection to that port.

github.com/gchetrick/honeyports
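To show the honeyport idea in working code, here is a small added example (my own, not the honeyports project's script). It assumes a Linux host with iptables, root privileges when dry_run is False, and an allowlist of networks that must never be blocked so a misfired honeyport cannot lock out the people who run it; the networks and port number are constructed sample values.

```python
import ipaddress
import socket
import subprocess
from datetime import datetime, timezone

# Networks that are never blocked (loopback plus an assumed admin range).
# Constructed sample values: replace with the ranges your own admins and scanners use.
ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def block_command(ip: str) -> list[str]:
    """iptables argv that drops all further traffic from ip (inserted at the top of INPUT)."""
    return ["iptables", "-I", "INPUT", "1", "-s", ip, "-j", "DROP"]


def handle_touch(ip: str, port: int, dry_run: bool = True) -> dict:
    """Decide what to do about a connection from ip; return an event record for the SIEM.
    Allowlisted sources still raise an alert (someone touched the honeyport), they are just not blocked."""
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": ip,
        "honeyport": port,
        "action": "alert-only" if is_allowlisted(ip) else "block",
    }
    if event["action"] == "block" and not dry_run:
        subprocess.run(block_command(ip), check=True)  # needs root
    return event


def open_honeyport(bind: str, port: int) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    return srv


def accept_one(srv: socket.socket, dry_run: bool = True) -> dict:
    """Accept a single connection, close it immediately and return the event record."""
    conn, (ip, _) = srv.accept()
    conn.close()  # nothing is ever served; the connection itself is the signal
    return handle_touch(ip, srv.getsockname()[1], dry_run)


if __name__ == "__main__":
    listener = open_honeyport("0.0.0.0", 2222)  # 2222 is a constructed example port
    while True:
        print(accept_one(listener, dry_run=True))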

Portspoof

Portspoof camouflages services running on a system and slows down an attacker’s enumeration of ports and services. It accomplishes this by redirecting any packets received on a TCP port to the port that Portspoof is listening on. This will make it appear that all ports are open to an nmap scan. You can even take it a step further and spoof service signatures on each port. So, the attacker has been slowed down both by making scans take longer and by forcing them to parse through feigned services to find the real ones.

drk1wi.github.io/portspoof/

Canary Accounts

Setting up a canary account can take less than five minutes. Do it. It can be as simple as creating a user with a very strong password and strong login restrictions (disable login hours, etc.). If you detect someone trying to log in to this account, it may be a password spray or some other sketchy activity. This is really easy to implement and could even supply some basic actionable monitoring in an environment while working on those fundamentals mentioned earlier. Check out John’s article, Canary Accounts in Active Directory, in PROMPT#’s Better Together issue.

Traps and Tricks

A few more fun ways to mess with attackers.

Spidertrap

Spidertrap tangles up web crawlers into an infinite set of generated web pages. The webpages are generated on the spot and contain links that lead to another page full of links that lead to another page full of links that lead to another page full of links... you get the idea. This continues until either the crawler is stopped, or the script is.

github.com/adhdproject/spidertrap

PHP-HTTP-Tarpit

The tarpit has several ways of dealing with bots and web scanners. There are multiple modes for dealing with requests, or you can just rotate through the modes randomly. The tool can respond to all requests with Success 200 responses filled with loaded random garbage content to trigger false positives. It can redirect all requests back to the source IP to waste time and potentially the attacker’s resources. Or, the namesake Tarpit mode will return status codes like 101 or 104, and steadily send further responses more and more slowly. There are other equally frustrating modes as well.

github.com/msigley/PHP-HTTP-Tarpit

Back to the Zine
Previous
Previous

Cyber Deception

Next
Next

TCP/IP Model and Anatomy of a Packet