Intrusion Detection Through Cyber Deception: Disrupting Attacks With An Active Defense

We should do our best to ensure our network and pipeline perimeters are secure and make it hard for attackers to gain access. However, the reality is that intruders will stop at nothing to gain access, as evidenced by the Uber, CircleCI, and Dropbox breaches, just to name a few.

Common to all of those incidents was the attacker's behavior once they were inside. Each time, they quickly found and exploited hardcoded credentials, giving them further access. Since we know this is something attackers do time after time, it is time to turn this behavior against them by engaging in some blue team cyber deception and planting honeytokens in our environments.

Deception Techniques - More Than Meets The Eye

The idea of deception is not a new one, nor one limited to the field of cybersecurity. Deception is simply leading someone to believe something that is not true, typically in order to gain some personal advantage. This is something robots have been doing for millions of years, according to some legends. Deception has been around in human history for a long time, too; in the 5th century BC, Sun Tzu said in The Art Of War, "all warfare is based on deception."

Deception, like many concepts, can be used for good or evil. In the most benign sense, deception can be fun and harmless, as is the case with magic tricks or optical illusions. But deception can also mean lying or deceiving someone, as is the case with fraud or impersonation to commit theft. The fact that deception itself can be used with noble or devious intentions applies to how we can use it in the world of cybersecurity.

What Is The Aim Of Cyber Deception?

More relevant to us, though, is the evolution of cyber deception: tactics used to trick an online adversary during an attack. When done by the attacker, this normally means acting unethically. This can mean impersonating someone who has specific authority or clearance in order to gain unauthorized access. Or it could mean setting up a misleading URL in order to phish login details or sensitive information, like credit card numbers.

Cyber deception can be used for defense as well, and without any moral issues to worry about. Most security experts agree it is always ethical to use deception to trip up an attacker. Setting up false systems that lure attackers to waste their time while sounding alarms and logging their information is a pretty good defensive maneuver.

The Benefits of Cyber Deception Technology

As technology advances at an ever faster pace, it becomes increasingly harder to keep up with how attackers can gain access. You can spend all your time updating WAF rules, hardening MFA recovery paths, and updating allow lists or egress paths, but as we have seen in many recent attacks, all it takes is one successful phishing attempt to grant a bad actor the initial access they need to your mission-critical systems.

Unlike defensive strategies based on blocking access, cyber deception assumes that attackers can and will eventually get in. Once they are in, we should be doing everything we can to slow them down, lead them to dead ends, and ideally get them to announce their presence to the security team so they can be dealt with immediately.

The goals of a defensive cyber deception approach include:

  • Detect attacks in progress

    • In 2022, the average time to detect an attack was 202 days. Ideally, you want to catch them as close to the initial penetration as possible to prevent them from gaining further access.
  • Decrease dwell time for attackers who do breach your perimeter

    • Catching an intruder after they have been in the system for weeks means they have had plenty of time to copy data, escalate privileges and do anything they please. By the time the security team can review the logs and spot unusual behavior, it is often far too late, and the damage has already been done.
  • Provide reliable alerting with a high signal-to-noise ratio.

    • In normal day-to-day operations, developers and operations people should not trigger alarms, nor even be aware these traps exist. Alarms should be triggered by unexpected behaviors, like attempting to use keys that are not required for legitimate reasons. The fewer false alarms, the better.
  • Provide detailed logs of attacker activities.

    • Simply knowing someone has intruded into your perimeter is not enough; you need to know, at minimum, when they triggered the alert, their IP address, and what specific event triggered the alarm.

Practical Considerations For Cyber Deception

There is a wide range of tools and approaches available to implement defensive cyber deception, from setting up false documentation to setting up entire functional networks that are not actually related to real production systems. The drawback to a lot of these approaches is the time and effort they require to set up and maintain, not to mention the costs associated with running false applications. Unless you have a bottomless security budget and an inexhaustible security team, you are going to need to choose a cyber security strategy that is effective, yet easy to deploy and cost-effective.

Looking back at the common behavior of intruders, who almost always try to find and exploit any credentials they can, it becomes clear that one good approach would be to plant false secrets that send alerts if they are touched. The good news is that this is a well-established pattern we call honeytokens.

Deception Technology Using Honeytokens

In simplest terms, honeytokens are false credentials that do not grant any real access but instead trigger alerts when they are used. Other names for honeytokens include canary tokens, canary traps, or honey credentials. Once an alert is raised, your team can work to stop the attack immediately.

GitGuardian released an open source project that lets you build your own honeytokens using Terraform and AWS, called ggcanary. With ggcanary, you can create false AWS keys, some of the world's most coveted and prized credentials. For a deeper dive into ggcanary, check out our webinar with founder Eric Fourrier that walks through use cases and answers common questions about the free and open source software. We have also created a step-by-step guide to help you set up ggcanary and start deploying your own honeytokens in no time.
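To make the detection side concrete, here is an added example (not code from ggcanary or GitGuardian) that scans CloudTrail-style records for any call signed with a planted decoy key and reports when it happened, from which IP, and which event fired, whether or not the call was denied. The key IDs, planting locations, log records, and the `find_honeytoken_use` helper are all constructed for this illustration.

```python
import json
from dataclasses import dataclass

# Constructed inventory of decoy key IDs (placeholders) and where each was planted.
HONEYTOKENS = {
    "AKIAIOSFODNN7EXAMPLE": "ci-pipeline/.env",
    "AKIAI44QH8DHBEXAMPLE": "wiki/onboarding-page",
}

def _rec(time, ip, source, name, key_id=None, error=None):
    """Build one constructed record using CloudTrail field names."""
    identity = {"accessKeyId": key_id} if key_id else {}
    rec = {"eventTime": time, "sourceIPAddress": ip, "eventSource": source,
           "eventName": name, "userIdentity": identity}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed log file: two decoy uses, one ordinary key, one record with no key.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2023-03-01T10:15:42Z", "203.0.113.7", "s3.amazonaws.com", "ListBuckets",
         "AKIAIOSFODNN7EXAMPLE", "AccessDenied"),
    _rec("2023-03-01T10:15:07Z", "203.0.113.7", "sts.amazonaws.com",
         "GetCallerIdentity", "AKIAIOSFODNN7EXAMPLE"),
    _rec("2023-03-01T09:00:00Z", "198.51.100.20", "ec2.amazonaws.com",
         "DescribeInstances", "AKIAEXAMPLEREALKEY00"),
    _rec("2023-03-01T09:30:00Z", "198.51.100.21", "signin.amazonaws.com", "ConsoleLogin"),
]})

@dataclass(frozen=True)
class Alert:
    when: str         # eventTime of the triggering call
    source_ip: str    # where the call came from
    event: str        # service:action that tripped the alarm
    key_id: str       # which decoy was used
    planted_in: str   # where that decoy was left, i.e. what the intruder has read
    denied: bool      # True if the call failed; the alert fires either way

def find_honeytoken_use(log_text, tokens=HONEYTOKENS):
    """Return one Alert per record signed with a planted key, oldest first."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        key_id = (rec.get("userIdentity") or {}).get("accessKeyId")
        if key_id not in tokens:
            continue  # ordinary key or no key at all: stay silent
        alerts.append(Alert(rec.get("eventTime", "unknown"), rec.get("sourceIPAddress", "unknown"),
                            f"{rec.get('eventSource', '?')}:{rec.get('eventName', '?')}",
                            key_id, tokens[key_id], "errorCode" in rec))
    return sorted(alerts, key=lambda a: a.when)
```

Because the decoy key grants no access, most calls made with it fail, so the match is on the key ID alone rather than on successful activity; the `planted_in` field tells responders which location the intruder has already reached.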

Honeytokens vs. Honeypots

You might have heard of another related cyber deception strategy, honeypots. In fact, honeypots predate honeytokens and are where honeytokens derive their name. Honeypots are typically entire IT systems set up to fool attackers. Usually, this is done to trick the bad actor into digging in deeply, repeatedly proving their bad intent. Honeypots are also associated with law enforcement to collect information on criminals who are performing illegal activities online. Honeytokens are a subset of honeypots, focused on single points like credentials, certificates, or other individual files, rather than entire operational applications or networks.

Is My Business Mature Enough For Honeytokens?

Like all other technology, honeytokens, and cyber deception overall, started as complex, expensive, and best left to teams that had dedicated staff to handle the overhead. Fortunately, the way we deploy our infrastructure has advanced, especially as Infrastructure as Code has matured, meaning that if your business is advanced enough to use tools like Terraform and AWS, then you are absolutely ready to embrace and deploy honeytokens.

While easy, it is not entirely without costs or management overhead. However, if your applications are mission-critical and worth protecting, honeytokens are a reasonable approach to intrusion detection and mitigation. Remember, most cyber criminals don't specifically target a business; they are rattling the doors and windows of any and all applications on the internet, looking for anything to exploit. Having this extra layer of alarms can mean the difference between an attacker completely owning your applications over time or your team immediately ejecting them shortly after the breach starts.

Cyber Deception Coverage

Another factor to consider is the number of defensive deception assets you need for this approach to be effective. One way to think of this is the ratio of real assets versus deceptive assets in your network. This ratio is generally referred to as your cyber deception coverage. While there is no magic number to share here, in general, the lower the number of real targets vs. false targets, the more often an attacker will be misled. For some assets like hardcoded secrets, the real number should always be as close to zero as you can achieve, and the number of false credentials should be as large as the budget and bandwidth allow.

Get Started With Honeytokens Today

While in an ideal world, our perimeter defenses would be unbreachable, the reality is attackers are persistent and always finding new ways around the barriers we put up. However, once they are in, almost all attackers behave fairly predictably, and we can use this and a little cyber deception to our advantage to trick them into revealing themselves.

You can get started using honeytokens in a very short time by leveraging ggcanary. No matter how mature your business is, if your applications are worth protecting, then you should consider deploying honeytokens to help find and stop attackers in their tracks.

