2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article mainly explains how the new honeypot technologies are developing. The explanation is simple and clear, and easy to learn and understand. Please follow the editor's line of thought as we study how honeypot technology is evolving.
With attack-and-defense exercises becoming routine practice, honeypots, a security technology more than ten years old, have been revived: deception defense built on honeypots has become well known, and more and more security vendors are investing resources in this field.
Recently, as many as 36 mainstream vendors took part in the honeypot product capability evaluation organized by the Information and Communication Institute. Behind the popularity of honeypot technology is the strong pull that honeypots can effectively make up for the shortcomings of current network security defense plans; at the same time, normalized attack-and-defense exercises are one of the biggest catalysts.
In past attack-and-defense exercises, honeypots not only showed excellent trapping and attack-tracing capabilities but also proved indispensable in daily security operations and maintenance, and this may be the real vitality of the honeypot.
Based on research into honeypot technology, combined with a survey and analysis of open source honeypot projects and commercial deception defense products, this article looks at the future development trend of deception defense through the new technologies used in current honeypot products.
1. Environment simulation
Traditional honeypots usually provide "single-dimensional" simulation of a specific host, service or application environment. The latest honeypots need "multi-dimensional" simulation: building on the above, the configuration and data of the simulated environment can be customized to match the user's real network or business environment, giving a trap environment that resembles the user's real environment and effectively confuses the attacker.
Imagine a complete virtual environment deployed in front of the user's real network: it not only effectively delays the attacker's progress but also yields information such as the attacker's attack patterns and behavioral logic.
Environment simulation technology mainly includes software simulation, container simulation and virtual machine simulation. The simulation capabilities and the supported simulation types of these technologies are briefly compared below:
| Category | Software simulation | Container simulation | Virtual machine simulation |
| --- | --- | --- | --- |
| Interaction type | Mainly low and medium interaction | High interaction | High interaction |
| Advantage | Small resource consumption, simple deployment, efficient operation | Supports high-interaction simulation of applications and services | Supports high-interaction simulation of devices, hosts and system-level software |
| Shortcoming | Provides low and medium interaction; high interaction is difficult to achieve | Deployment is relatively complex and resource requirements are high | Complex deployment and high resource requirements; the environment takes a long time to prepare |
| Application scenario | Simulation of simpler protocols, services and applications | High-interaction simulation of applications, services, etc. | High-interaction simulation of equipment, hosts and operating systems |
2. Attack induction
The goal of attack induction is to actively lure the attacker into the quagmire once they have entered the network, improving the hit rate of the limited simulation environment. Common attack induction techniques include bait delivery, traffic forwarding and virtual IPs. In typical attack-and-defense exercise scenarios, attack induction can swap the initiative and become a sharp weapon with which the defender seizes it.
2.1. Bait delivery
Bait is the assortment of false intelligence left for the attacker on the Internet or on the enterprise intranet; much of it is very tempting and quickly leads the attacker into a controlled state.
By type and purpose, bait can be divided into log bait, certificate bait, account bait, mail bait, project code bait and so on. The bait contains information such as IP addresses, user accounts, service and application paths, and password books. When an attacker obtains the information in the bait, they will generally follow the clues and penetrate deeper along the hosts, services and applications the bait points to, and so be drawn into the trap. The schematic diagram of bait delivery is as follows:
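The account-bait idea above, worked through as an added example (not code from the article): generate a bait account, render it into a decoy config the attacker is meant to find, and raise an alert whenever that account shows up in an authentication log. The config layout, the trap address and the log line format are constructed for the demo.

```python
# Bait (honeytoken) accounts: generate them, write them into a decoy config the
# attacker is meant to find, and alert when one is ever used. Added example, not
# the article's code; the config layout and the auth-log format are constructed.
import re
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Bait:
    kind: str       # account, certificate, log, ... (the article's bait types)
    username: str
    password: str
    target: str     # trap host:port the clue leads the attacker to

def make_account_bait(target: str, prefix: str = "svc") -> Bait:
    # Random, never-legitimately-used values: any later use is a true positive.
    return Bait("account", f"{prefix}_{secrets.token_hex(3)}",
                secrets.token_urlsafe(12), target)

def render_decoy_config(bait: Bait) -> str:
    # What the attacker finds: a plausible leftover config pointing at the trap host.
    host, port = bait.target.rsplit(":", 1)
    return (f"[database]\nhost = {host}\nport = {port}\n"
            f"user = {bait.username}\npassword = {bait.password}\n")

# Constructed auth-log line format: "<ts> <service> login <ok|failed> user=<u> src=<ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) login (ok|failed) user=(\S+) src=(\S+)$")

def bait_hits(log_lines, baits):
    """Return one alert per log line whose username is a bait account."""
    by_user = {b.username: b for b in baits}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, service, result, user, src = m.groups()
        if user in by_user:  # bait was used: the source has read the decoy
            alerts.append({"ts": ts, "src": src, "service": service,
                           "result": result, "trap": by_user[user].target})
    return alerts

if __name__ == "__main__":
    b = make_account_bait("10.9.8.7:3306")
    print(render_decoy_config(b))
    print(bait_hits([f"2024-06-03T10:00:00Z mysql login failed user={b.username} src=10.1.1.50"], [b]))
```

Because the bait account never exists in a real system, a hit needs no tuning to be a high-confidence alert, which is the low-false-positive property the article attributes to deception defense.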
2.2. Traffic forwarding
Through traffic forwarding, attack traffic in which an attacker tries to reach normal assets can be actively redirected to the simulation environment. Common traffic forwarding techniques include network forwarding and host forwarding.
1. Host forwarding: probe software is generally deployed on the host. The probe listens on the host's unused network ports and presents seemingly real services; abnormal connection requests to these ports are forwarded by the probe to the simulation environment.
2. Network forwarding: based on threat clues, abnormal traffic is redirected directly into the simulation environment by dynamically adjusting the policies of gateway devices.
The schematic diagram of traffic forwarding is as follows:
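The host-forwarding probe described in item 1, as an added example that is not the article's or any product's code: a small asyncio relay that listens on a decoy port, records the connecting source (the alert) and pipes the session to the honeypot. The loopback addresses and the echo-style stand-in honeypot are constructed so the exchange can be run offline.

```python
# Host-forwarding probe: listen on ports the host does not use, record who connected
# and relay the session to the honeypot. Added example, not the article's code; the
# loopback addresses and the echo-style honeypot below are constructed for the demo.
import asyncio

class ProbeForwarder:
    def __init__(self, honeypot_host: str, honeypot_port: int):
        self.honeypot = (honeypot_host, honeypot_port)
        self.events = []  # one record per connection that reached a decoy port

    async def _pipe(self, reader, writer):
        # Copy bytes one way until EOF, then half-close so the reply direction stays open.
        try:
            while data := await reader.read(4096):
                writer.write(data)
                await writer.drain()
        finally:
            if writer.can_write_eof():
                writer.write_eof()

    async def handle(self, reader, writer):
        src_ip, src_port = writer.get_extra_info("peername")[:2]
        decoy_port = writer.get_extra_info("sockname")[1]
        # Nothing legitimate listens on a decoy port, so every connection is an alert.
        self.events.append({"src": src_ip, "src_port": src_port, "decoy_port": decoy_port})
        hp_reader, hp_writer = await asyncio.open_connection(*self.honeypot)
        await asyncio.gather(self._pipe(reader, hp_writer), self._pipe(hp_reader, writer))
        writer.close(); hp_writer.close()

async def _demo(payload: bytes):
    async def honeypot(reader, writer):  # stand-in for the real trap service
        data = await reader.read(4096)
        writer.write(b"honeypot saw: " + data)
        await writer.drain()
        writer.close()
    hp = await asyncio.start_server(honeypot, "127.0.0.1", 0)
    probe = ProbeForwarder("127.0.0.1", hp.sockets[0].getsockname()[1])
    decoy = await asyncio.start_server(probe.handle, "127.0.0.1", 0)  # port 0: any free port
    decoy_port = decoy.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", decoy_port)
    writer.write(payload)
    await writer.drain()
    writer.write_eof()  # the connecting side has finished sending
    reply = await reader.read(4096)
    writer.close(); decoy.close(); hp.close()
    return probe.events, reply, decoy_port

def demo_roundtrip(payload: bytes = b"GET / HTTP/1.0\r\n\r\n"):
    """Run the exchange on loopback; returns (events, honeypot reply, decoy port)."""
    return asyncio.run(_demo(payload))
```

In a real deployment the probe would bind the host's unused ports rather than port 0, and the event records would be shipped to the honeypot platform instead of kept in a list.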
2.3. Virtual IP
Virtual IP, as the name implies, binds multiple IP addresses to a single host; by binding IP resources to the honeypot trap environment in the simulation environment, virtual assets are generated in batches, which improves honeypot coverage and increases the probability that an attacker hits a honeypot.
The working diagram of the virtual IP is as follows:
3. Traceability and countermeasure
Traditional IP-based tracing yields very limited attacker identity information, so it is difficult to trace and counter the attacker effectively and in time. A honeypot system gives the defender the opportunity to counter the attacker: the countermeasures preset in the honeypot actively gather information about the attacker's host or network, locate the attacker's identity more precisely and trace the source more accurately. In a typical attack-and-defense exercise scenario the defender only needs to obtain a virtual identity, a task that a good honeypot system completes easily.
Commonly used tracing countermeasures include WEB countermeasures, scan countermeasures, honey document countermeasures and so on.
3.1. WEB countermeasure
When browsing a website or WEB application page, the attacker downloads the page data, parses the script files locally and renders the display. Using this property, a counter-script is embedded in a normal website or WEB application page; the attacker's browser automatically downloads and runs the counter-script locally, which collects tracing information.
WEB countermeasures are commonly used. Typical tracing information that can be obtained includes:
1. Characteristics of the attacker's host operating system and browser, including operating system type, operating system time zone, screen resolution, browser fingerprint, browser type, browser version and so on.
2. Personal information such as social accounts and the attacker's mobile phone number used on the attacker's host, obtained through JSONP vulnerabilities in applications.
3. The attacker's locally open ports, obtained by scanning the attacker's local ports.
The schematic diagram of the WEB counteraction is as follows:
3.2. Scanning countermeasure
In most cases attackers use scanners or attack tools. Using vulnerabilities in the scanned objects, scanners or attack tools, the defender can obtain the attacker's identity information in reverse while the attacker is scanning or attempting an attack.
Countermeasure modules for specific services and scanning tools are preset in the simulation environment; when an attacker uses such a tool to scan or attack, the corresponding module is triggered and reads the attacker's device fingerprint and identity information, achieving the countermeasure. Scan countermeasure technology is already used in some deception defense products; the more common scan countermeasures include MySQL countermeasures, SQLMap countermeasures, AWVS countermeasures and so on.
The schematic diagram of the scan countermeasure is as follows:
3.3. Honey label countermeasure
A honey label file mostly uses a file type or file name that interests the attacker; specific data and code are embedded in the file through code bundling, and a scenario is constructed to lure the attacker into accessing and downloading it. When the attacker downloads and opens the honey label file locally, the embedded code is triggered, and it records and returns the characteristic information of the attacking host and the attacker, achieving tracing and counteraction.
The schematic diagram of the honey label countermeasure is as follows:
Using honey label files as a countermeasure places high demands on the defender: the honey label file must be made to match the characteristics of the user's business environment and deployed where attackers are more likely to access it in order to achieve better results.
4. Prediction of the development of deception defense in the future
Attack-and-defense exercises have moved towards normalization and real combat. Although attack-and-defense exercises do not mention honeypots, they are full of honeypots; but this honeypot is not that honeypot, and the author prefers to call it "deception defense" or "simulation entrapment" technology. The era of tracing attackers with traditional high-interaction honeypots is gone for good, and demand for a new generation of deception defense technologies and products that can be integrated with the real computing environment will grow stronger and stronger. Gartner, the world-renowned IT research and consulting firm, assesses deception technology as a security technology with a far-reaching impact on the existing security protection system. In the Gartner 2020 Security Operations technology maturity curve (Hype Cycle) report, analysts placed "deception platform" technology at the "Peak of Inflated Expectations" and rated its current maturity as "adolescent", expecting it to mature and be widely used within 5 to 10 years.
Based on analysis of the latest evolution of honeypot technology, combined with the current development trend of the deception defense industry, the author expects the following trends in the deception defense market and in product development over the next few years.
4.1. Deception defense technology will be used more widely.
As a category of active defense, deception defense can show its unique value in many fields. Applied to threat monitoring, its advantage of low false positives lets it serve as a routine operations and maintenance monitoring tool, or be integrated into other security products as an engine or module so that they gain threat-trapping capability. Applied to tracing, its various countermeasures provide accurate attribution of attacks. At the same time, deception defense produces high-quality local threat intelligence that can be linked or integrated with local devices such as the WAF and firewall to improve the active defense capability of the whole network. Precisely because deception defense plays an important role in so many fields, it is bound to be used more widely in the future.
4.2. Simulated computing environments that integrate network surveying and mapping technology
Whether an entrapment environment can effectively confuse the attacker depends on whether it can be simulated realistically enough. A simpler simulation environment is easier for the attacker to detect and cannot effectively delay the attacker's actions. To improve the fidelity of the trap environment, network surveying and mapping technology is integrated to map the user's network, and a trap network resembling the user's real network is simulated from the mapping results. At the same time, the attack induction strategy is automatically optimized from those results, improving the probability of a successful entrapment and creating a network close to the user's real one. An entrapment network environment that effectively confuses the attacker and actively induces attack behavior will substantially improve threat-trapping ability.
4.3. Commercialization and professionalization of simulation templates
Basic simulation capabilities and business simulation capabilities are loosely coupled: the product provides the basic simulation capabilities, while templates are used to manage and maintain industry-specific and business-specific simulation capabilities. Through automatic learning by the system, or through intuitive and simple interfaces that let users customize and generate simulation templates, business simulation capabilities can be shared through templates. This greatly improves the flexibility and efficiency of business adaptation when deploying deception defense products, helps improve the fit between products and industry business, and accelerates the application and promotion of deception defense products.
4.4. Tracing the source will remain a key point.
The traditional tracing method yields very limited attacker identity information and faces many difficulties, such as inaccurate location and difficult forensic investigation. Deception defense provides more accurate tracing, locates the attacker's identity more precisely and gives the defender better attribution. Therefore tracing remains one of the key directions for deception defense products. As the offensive and defensive confrontation evolves, tracing countermeasures must be iterated in step, and countermeasures must be customized to the characteristics of the user's business environment to achieve better results; the input cost is therefore relatively high, and it is mainly used by large and medium-sized enterprises and institutions and in scenarios with a strong demand for tracing.
Thank you for reading. The above is the content of "how is the development of the new technology of honeypot". After studying this article, I believe you have a deeper understanding of the development of the new honeypot technologies. Specific usage still needs to be verified in practice. The editor will push more articles on related knowledge points for you; you are welcome to follow!