Hi everyone. Now I will try to explain some use case decoys for the network/application side from both an attacker’s and defense perspectives.
Information Gathering / Recon (Technical)
Most attacks starts with gathering pieces of information about target. These informations may be on the network or application sides, for example banners, files, folders, versions, etc.
Example Nmap scan:
The attackers choose a path for compromise target systems with this information. When the attackers found any version or system name, one of the paths is finding any known vulnerabilities in this system. Or another path maybe if applicable, they can find the real system and finding 0day vulnerability into that.
What is Decoy?
In this blog, I mean, everything that can be the decoy. Let me give an example.
On the upper side, you can see a Nmap scan. We find lots of version and system information with this. But can we believe this information? Why don’t these banners fake? This time we will think and use decoys/fake information.
What is Our Goal?
We know hackers’ first attempt at hacking our systems. The main goal is to confuse and save time for us actually. We want to detect attacks earlier without getting any damage from bad guys.
I heard some sounds like this; Okay, dude everything excellent but how we use and implement this, what systems can be useful for us? Let give a short time to me, starting…
How can we use that? (If applicable)
- We can use opensource solutions like portspoof or alternatives (https://github.com/drk1wi/portspoof)
- You can change any information (service, version, etc.) from the application source code
- You can change any information (service, version, etc.) from the network device with config files
- You can change banners of Servers or Services
- You can use honeypots for decoying
Further Reading Links:
- https://idiallo.com/blog/changing-apache-server-signature
- https://www.manageengine.com/network-configuration-manager/configlets/configure-banner-cisco.html
- https://support.kerioconnect.gfi.com/hc/en-us/articles/360015189340-Changing-SMTP-Banners
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_services#sec-Securing_NFS
- https://www.algosec.com/blog/decoy-deception-for-network-protection/
Berk KIRAS – Cyber Security Consultant
Hello! I know this is kinda off topic but I was wondering which blog platform are you using for this website? I’m getting tired of WordPress because I’ve had issues with hackers and I’m looking at alternatives for another platform. I would be awesome if you could point me in the direction of a good platform.
Very interesting details you have mentioned, regards for posting.