Those rustlings in my attic, it turns out, were not the ghosts of my ancestors. They were mice, and they needed to go now, my wife insisted. After setting several top-of-the-line non-lethal traps, and waiting in vain for the mice to hop right in, I Googled “mouse trapping strategy.”
What I discovered was that my long-time experience in cyber security was directly applicable to my new-found mouse-trapping career. Because when you’re capturing intruders – both furry and digital – it’s not just the traps themselves that count, it’s where and how you place them.
Decoys and Mini-traps
Production decoys are a core component of a deception-based security infrastructure, designed to detect attacks while they are in progress. To attract attackers, a decoy is built to resemble the real target system as closely as possible. Many solutions simply wait for attackers to stumble on these decoys while scanning the network or enumerating Active Directory.
The more sophisticated solutions on the market (like ours) actively lure attackers into the decoys. These lures (we call them mini-traps) exploit the fact that when an attacker compromises a network asset, it is essentially blind. It can’t tell where in the network it landed, so it starts looking around: mapped drives, other assets that were accessed from the compromised host, the tools that host is running, saved credentials, and so on.
To make sure the attacker finds the mini-traps, we spread them across the organization’s assets. A mini-trap can be a cookie, a registry value, a file, a mapped drive pointing to the decoy, or an ARP table entry, each carrying fake credentials and fake data that lead the attacker to the decoy, where its first use raises an alert.
So, Where to Put the Traps?
Now we get back to the mice. It turns out that mice – much like cyber attackers – are smart. If you want to catch them, you can’t put the traps in obvious places like in the attic itself.
Similarly, one of the key challenges in setting mini-traps for cybercriminals is identifying the assets in the organization where they should be planted. What’s the best methodology? Asking the security team is always a good start, since they know which hosts get abused. But today’s technology offers a more systematic approach.
Our solution inspects network traffic and analyzes the applications in use on each asset, the communication graph of the organization, the behavior of each asset (including its Internet communication habits), and more. Using this data, we profile the behavior of each network asset and weigh the risk that it becomes an attacker’s foothold or pivot point. For example:
- An asset that never accesses any server in the organization – low risk
- An asset that accesses suspicious domains or domains with a bad reputation – high risk
- An asset running tools known to be prone to security issues – high risk
- An asset that shows traces of mobile connectivity – high risk
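The placement logic described above, as an added example in Python (this is illustrative code written for this page, not TopSpin’s product or the methodology in the white paper). It turns the four risk indicators into a score, drops assets that are rarely used, ranks the rest, and then plans the set of mini-trap artifacts (mapped drive, file, registry value, cookie, ARP entry) for each selected asset, all pointing at the decoy. Field names, weights, the decoy identifiers, the registry key and the sample inventory are all assumptions; the per-asset fake username is a design choice added here so that when the decoy sees a login, the username itself tells you which host the attacker came from.

```python
"""Rank assets for mini-trap placement and plan the breadcrumbs for each.

Added example; not the vendor's code. Weights, telemetry fields and the
decoy/artifact details are assumptions chosen to mirror the post.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AssetProfile:
    """Behavioural profile of one network asset (fields are assumptions)."""
    name: str
    internal_servers_accessed: int = 0   # distinct internal servers it talks to
    bad_reputation_domains: int = 0      # contacts with suspicious / bad-reputation domains
    risky_tools: list = field(default_factory=list)  # tools known to be prone to security issues
    mobile_connectivity: bool = False    # traces of tethering or other mobile connectivity
    active_days_30d: int = 30            # days the asset was actually in use in the last month


# Illustrative weights for the four indicators listed in the post (assumptions).
WEIGHTS = {"server_access": 1, "bad_domain": 4, "risky_tool": 3, "mobile": 6}


def risk_score(a: AssetProfile) -> int:
    """Higher = more likely attacker foothold/pivot. An asset that never
    reaches an internal server and has no other indicator scores 0."""
    score = min(a.internal_servers_accessed, 10) * WEIGHTS["server_access"]
    score += min(a.bad_reputation_domains, 5) * WEIGHTS["bad_domain"]
    score += len(a.risky_tools) * WEIGHTS["risky_tool"]
    if a.mobile_connectivity:
        score += WEIGHTS["mobile"]
    return score


def rank_for_placement(assets, min_active_days=5):
    """Highest-risk first. Assets used on fewer than min_active_days are
    dropped: a mini-trap on a box nobody logs into is never found."""
    eligible = [a for a in assets if a.active_days_30d >= min_active_days]
    return sorted(eligible, key=lambda a: (-risk_score(a), a.name))


def lure_username(asset_name, prefix="svc_backup"):
    """Deterministic per-asset fake username. Only the breadcrumbs planted on
    this asset carry it, so a decoy login with this name identifies the
    source host without any further correlation."""
    tag = hashlib.sha256(asset_name.encode()).hexdigest()[:6]
    return f"{prefix}_{tag}"


def plan_minitraps(asset, decoy_host, decoy_ip, decoy_mac):
    """The five breadcrumb types from the post, each leading to the decoy.
    Paths, key names and the password are constructed for the example."""
    user = lure_username(asset.name)
    password = "Winter2024!"  # fake credential; it is only valid on the decoy
    return [
        {"type": "mounted_drive", "remote": f"\\\\{decoy_host}\\finance",
         "user": user, "password": password},
        {"type": "file", "path": r"Documents\servers.txt",
         "content": f"{decoy_host} {user}:{password}"},
        {"type": "registry_value", "key": r"HKCU\Software\ExampleERP\LastServer",
         "value": decoy_host},
        {"type": "cookie", "domain": decoy_host, "name": "session",
         "value": hashlib.sha256(user.encode()).hexdigest()[:32]},
        {"type": "arp_entry", "ip": decoy_ip, "mac": decoy_mac},
    ]


def placement_plan(assets, top_n, decoy_host, decoy_ip, decoy_mac):
    """Map each of the top_n ranked assets to the mini-traps to plant on it."""
    return {a.name: plan_minitraps(a, decoy_host, decoy_ip, decoy_mac)
            for a in rank_for_placement(assets)[:top_n]}


# Constructed sample inventory (not real telemetry).
SAMPLE_ASSETS = [
    AssetProfile("kiosk-01"),
    AssetProfile("hr-laptop-07", internal_servers_accessed=4,
                 bad_reputation_domains=2, risky_tools=["legacy-java-runtime"]),
    AssetProfile("dev-ws-12", internal_servers_accessed=9,
                 risky_tools=["old-ftp-client"], mobile_connectivity=True),
    AssetProfile("lab-server-3", internal_servers_accessed=10,
                 bad_reputation_domains=5, active_days_30d=1),  # high risk, but idle
]

if __name__ == "__main__":
    for a in rank_for_placement(SAMPLE_ASSETS):
        print(f"{a.name:14} score={risk_score(a)}")
    plan = placement_plan(SAMPLE_ASSETS, 2, "fs-decoy01", "10.0.5.50", "00:11:22:33:44:55")
    for host, traps in plan.items():
        print(host, [t["type"] for t in traps])
```

Note the role of `active_days_30d`: `lab-server-3` has the highest raw score but is excluded, which is the point the post makes about a mini-trap being useless on a server that is rarely used. The per-asset username also means a single shared decoy can attribute each alert to the host the attacker pivoted from.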
To keep up with increasingly sophisticated cyberattacks, we need to adapt not only our toolset but also our way of thinking. Decoys are only effective if attackers reach them, and the most powerful mini-trap is useless on a server that is rarely even used. To draw attackers in, we need to look through their eyes and ask which assets they are most likely to land on and search. Once we know the level of risk associated with each network asset, we can place the mini-traps where they’ll be most effective.
If only we could develop a solution like this for mice.
>> For more information, read our white paper on Targeted Mini-traps Placement
Doron Kolton is CEO of TopSpin Security