Hi everyone. In this post I will try to explain some use cases for decoys on the network and application side, from both the attacker’s and the defender’s perspective.
Information Gathering / Recon (Technical)
Most attacks start with gathering pieces of information about the target. This information may be on the network or application side, for example banners, files, folders, versions, etc.
Example Nmap scan:
The attackers choose a path to compromise the target systems based on this information. When the attackers find a version or system name, one path is to look for known vulnerabilities in that system. Another path, if applicable, is to obtain the real system and look for a 0day vulnerability in it.
What is Decoy?
In this blog I mean everything that can act as a decoy. Let me give an example.
Above you can see an Nmap scan. With it we find lots of version and system information. But can we trust this information? Why couldn’t these banners be fake? This is where we think about and use decoys/fake information.
What is Our Goal?
We know the hackers’ first step in attacking our systems. The main goal is to confuse them and buy time for us. We want to detect attacks earlier, before the bad guys do any damage.
I can already hear some of you: okay, dude, everything sounds excellent, but how do we use and implement this, and what systems can be useful for us? Give me a moment, here we go…
How can we use that? (If applicable)
- We can use open-source solutions like portspoof or alternatives (https://github.com/drk1wi/portspoof)
- You can change any information (service, version, etc.) from the application source code
- You can change any information (service, version, etc.) from the network device with config files
- You can change banners of Servers or Services
- You can use honeypots for decoying
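The banner-swap and honeypot ideas from the list above, as an added example that is not part of the original post: a small TCP decoy that answers with a constructed, deliberately misleading banner and records every connection as an alert, since a service that does not really exist has no legitimate clients. The service names, banner strings and the scanner payload are constructed for this example.

```python
import socket
import threading
import time

# Constructed fake banners: each advertises software that is not actually running here.
DECOY_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_5.3\r\n",
    "ftp": b"220 ProFTPD 1.3.3 Server ready.\r\n",
}

def decoy_banner(service):
    """Return the fake banner for a service name (KeyError for unknown services)."""
    return DECOY_BANNERS[service]

def make_alert(service, peer, probe):
    """Structured alert: a decoy port has no legitimate clients, so every hit is a finding."""
    return {"ts": time.time(), "service": service, "src_ip": peer[0], "src_port": peer[1],
            "probe": probe[:64].decode("latin-1", "replace")}  # what the scanner sent first

def serve_once(listener, service, alerts):
    """Accept one connection, send the decoy banner, record what the client sends back."""
    conn, peer = listener.accept()
    with conn:
        conn.sendall(decoy_banner(service))
        conn.settimeout(1.0)  # do not let a silent scanner hold the decoy open
        try:
            probe = conn.recv(1024)
        except socket.timeout:
            probe = b""
    alerts.append(make_alert(service, peer, probe))

def run_decoy(service, host="127.0.0.1", port=0, connections=1):
    """Start a decoy listener in a background thread; returns (bound_port, alerts, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))  # port 0 lets the OS pick a free port for the self-test
    listener.listen(5)
    alerts = []
    def loop():
        for _ in range(connections):
            serve_once(listener, service, alerts)
        listener.close()
    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return listener.getsockname()[1], alerts, t

def probe_decoy(host, port, payload=b"SSH-2.0-scanner\r\n"):
    """Play the scanner for a self-test: read the banner, send a client hello, return it."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner
```

In production the alerts list would be replaced by a log sink or SIEM forwarder, and the decoy would bind on the ports the real services do not use.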
Further Reading Links:
- https://idiallo.com/blog/changing-apache-server-signature
- https://www.manageengine.com/network-configuration-manager/configlets/configure-banner-cisco.html
- https://support.kerioconnect.gfi.com/hc/en-us/articles/360015189340-Changing-SMTP-Banners
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_services#sec-Securing_NFS
- https://www.algosec.com/blog/decoy-deception-for-network-protection/
Berk KIRAS – Cyber Security Consultant