Time
24 minutes
Difficulty
Beginner

Video Description

Deception Technology creates an illusion for intruders by showing them something they want, making it easier for you to detect attacker behavior. In this lesson we will learn about four intruder traps that come standard in InsightIDR – Honeypots, Honey Users, Honey Credentials, and Honey Files.

Video Transcription

00:06
Hi, I'm Eric Sun. In this solution short, let's chat about deception technology and the traps you can set up within InsightIDR to detect attacker behavior.
00:16
What is deception technology? We think of it as a subset of detection tech that focuses on creating an illusion for attackers, showing them something they want, to make it easier for you to detect when they're going after it.
00:31
We'll cover four different traps: honeypots, honey users, honey credentials, and honey files. So let's kick things off with honeypots, which are here to detect network scans, a common step during attacker reconnaissance.
00:45
So here you can see on this screen that we've set up many, many honeypots here on the Rapid7 internal network
00:52
and these are machines whose only purpose is to listen for connections on the network. And so it entraps attackers who scan or attempt to access these assets.
01:04
Typically, honeypot technology has been hard to set up and also difficult to manage.
01:11
With InsightIDR, all you need to do is take the honeypot OVA and place it on your network, so the honeypot virtual machine. You have flexibility in installing it in the DMZ or in the corporate environment.
01:26
You could do whatever, as long as it can connect to the Insight cloud for communication, and as mentioned, you can deploy one or many honeypots.
01:37
Let's take a look at the next intruder trap, honey users. So here we're now in the Settings page, and if you head down to Honey Users, this is where you can add users to the list. And so before tagging it as a honey user, you have to create a dummy account in Active Directory,
01:56
and the purpose of the honey user is to detect
01:59
vertical brute forcing attacks, someone trying one password, Fall2016, against all of your accounts in Active Directory. And so, of course, it's very difficult to detect, as there are failed authentication attempts that happen every day,
02:15
and so by creating this honey user and monitoring authentications there,
02:20
that can provide a detection mechanism to detect that vertical brute force.
02:24
So all you need to do is add a user to the directory,
02:31
So here we'll go ahead and add Sara Hernandez, and so any authentications to Sara Hernandez will flag an alert. And so you can name your honey users whatever you want. So, for example, it could be "patch admin" or any tantalizing name of your choice.
02:51
After honey users, let's talk a bit about honey credentials. And so, similar to honey users, it's a fake credential that we automatically inject onto your endpoints, and that happens for any asset that you have the Insight Agent on.
03:06
And so these credentials don't provide access to any place on your network, so they're therefore very safe to use.
03:15
What they do is they provide detection if the credentials have been extracted via something like Mimikatz to find cleartext credentials or pass the hash. And so, with those fake credentials injected on the endpoints, if we see any authentications trying to use those credentials, again, you'll receive
03:35
a targeted alert.
03:38
The final trap is honey files, and so this is where you can tag a file on an asset of your choice, and if that file is read, modified, or deleted, you'll receive an alert. And so this provides file-level visibility, where if an attacker grabs all the files in the directory, zips it,
03:58
and looks to exfiltrate it,
04:00
you'll have that visibility into those actions. And so all you need to do to add a new honey file is select the file path of the selected honey file and then also select the asset that it's associated with. One thing to note is that you do need to have Audit Detailed File Share
04:18
enabled on the Windows Server hosting the network.
04:21
And that asset with the honey file doesn't need to have the Insight Agent. So check out the helpful information that we have here on the right, as well as our tooltips, to set it up correctly.
04:35
And so let's take a look at some examples of alerts that'll fire as a result of this deception technology. And so here we have an alert about a honeypot access. Further down, we have a honey credential privilege escalation attempt,
04:49
and then on the bottom you have a honey user,
04:53
and so for any alert that's generated, we'll provide you with the users involved wherever possible, as well as the assets involved. So here, for any alert, you can go ahead and click on it to get the full context of the notable behaviors and the users involved, and from this investigation
05:12
pane you could bring in
05:14
real-time
05:15
log files, user activity, as well as query your endpoints in real time. So that's it for deception technology in this solution short.