How black hat hackers identify honeypots

Criminal hackers have a reputation for being super-geniuses who can guess any password in seconds, hack any system and, at the push of a button, rain chaos on thousands of networks that aren't even connected to each other. At least that's how Hollywood's dream factory portrays it. Anyone who takes up the fight against cybercriminals on a daily basis knows that the "good guys" are often a bit smarter - or have to be. Criminal hackers, on the other hand, often just need patience.

Every year only a handful of hackers do something genuinely new. The rest stick to proven techniques and targets. In any case, you don't need a degree to find a missing patch or to mount a social engineering attack. Hacking is basically like any vocational training: once you know a few tricks and tools, the rest gradually follows, and then routine sets in. On the other hand, it can be really inspiring to keep an eye on the security specialists - the hackers who hack the hackers.

We have summarized 15 of the smartest tricks against criminal hackers for you, including some really nasty traps that cyber villains have to work hard to get around. If you read about a major hack in the near future, you can be almost certain that the victim did not have these tricks in their repertoire. Do it better!

  1. US Democrats
    As part of a large-scale data theft, emails from the Democratic National Committee (DNC) are released. This not only ensures that many Americans break away from the Democratic Party - and its candidate Hillary Clinton - it also proves in the eyes of many people that Russia is influencing the US election in favor of Donald Trump.
  2. Dyn
    A massive DDoS attack on the DNS provider Dyn caused a stir in October: With the help of a botnet - consisting of thousands of inadequately secured IoT devices - cybercriminals managed to paralyze three Dyn data centers. Amazon, GitHub, Twitter, the New York Times and some other large websites are down for hours.
  3. Panama Papers
    Due to the sheer number of stolen data sets, the cyber attack on the Panamanian legal services provider Mossack Fonseca is one of the biggest hacks of the year: 2.6 terabytes of sensitive data are stolen from the company. With far-reaching consequences, because the documents reveal the methods with which more than 70 politicians and board members from all over the world "save" taxes with the help of offshore companies.
  4. Yahoo
    It wasn't until September that Yahoo had to admit the biggest hack of all time. There are now increasing signs that the same hackers had already outdone themselves a year earlier: in a cyber attack in August 2013, the accounts of almost a billion Yahoo users were compromised. Names, email addresses, telephone numbers, dates of birth and encrypted passwords were tapped.
  5. NSA
    A hacker group called "Shadow Brokers" caused a sensation in October by attempting to auction hacking tools on the blog platform tumblr. The special thing about it: The cybercriminals claim to have stolen the toolset from the notorious hacker group "Equation Group". And it gets even better: While the "Equation Group" is repeatedly brought into connection with the National Security Agency, there is suspicion that the "Shadow Brokers" for their part have connections to Russia.
  6. Bitfinex
    The Bitcoin trading platform Bitfinex was relieved of almost 120,000 Bitcoins (approx. 89.1 million euros) at the beginning of August 2016. The attack simply bypassed the company's multi-layered authentication architecture, which had previously been considered secure. Although this Bitcoin hack is "only" the third largest in IT history, Bitfinex is one of the largest trading platforms in this segment. Incidentally, the company distributed the loss "evenly" across its customers: 36 percent of each individual account is gone.
  7. Healthcare ransomware
    Admittedly, in this case it's not one major hack, but many. Many, many. In 2016, the healthcare industry in particular was shaken by the increasingly popular ransomware campaigns that encrypt all files on a computer and only release them (or not) against payment of a ransom. On the one hand, this shows how lucrative the extortion malware business is and, on the other, how far criminal hackers are willing to go when it comes to their monetary interests.

Use data on the defensive!

Defensive measures based on data have been around for a long time. In particular, concepts that use data to better detect, classify and eliminate threats have been used increasingly in recent years - almost every company in the security sector has now jumped on this bandwagon. The rise of the cloud has contributed to this, since the cloud makes it relatively simple to collect and analyze large amounts of data. The main advance is that the generation of this data is now coming to the fore.

  1. Data loss
    If data loss occurs, there is a risk of fines, lawsuits and harsh penalties. Dealing with the incident and notifying the affected customers cause considerable costs. Indirect consequences such as damage to reputation and lost orders, which could keep a company busy for years, are not even included.
  2. Stolen user data
    Data loss and other attacks often result from an authentication process that is too loose, passwords that are too weak and poor key management. Companies struggle with identity management when it comes to assigning access rights to user roles. When employees change jobs or leave the company entirely, their access rights are often adjusted too late or not at all.
  3. Broken interfaces and APIs
    The security and availability of cloud services - from authentication and access control to encryption and activity monitoring - depend on API security. The risk increases with the number of third-party vendors who develop new user interfaces based on the APIs because these companies must be granted access to services and internal data.
  4. Exploited vulnerabilities
    With the various forms of cloud usage on a rental basis, vulnerabilities are becoming an ever greater problem. Multiple companies share the same memory, databases and other resources - which in turn opens up completely new attack vectors.
  5. Account hijacking
    Phishing, fraud and software exploits are still successful - cloud services add another threat to these scams, because attackers can now eavesdrop on activities, manipulate transactions and change data.
  6. Insiders with bad intentions
    The danger from within has many faces: a current or former employee, a system administrator, a contractual or business partner. It's about the full range - from data theft to revenge. In the cloud environment, a determined insider can destroy the entire infrastructure and manipulate data.
  7. The APT parasite
    APTs (Advanced Persistent Threats) usually move laterally through a network and blend in with normal data traffic - they are correspondingly difficult to detect. The large cloud providers use advanced security techniques to prevent their IT infrastructure from being compromised by APTs. Nevertheless, their customers are well advised to prepare themselves just as carefully for possible consequential damage to their cloud accounts as they would with on-premise systems.
  8. Permanent data flow
    The more mature the cloud becomes, the less it happens that errors on the part of the provider lead to data loss. However, malicious hackers have been known to permanently delete cloud data to harm businesses.
  9. Lack of care
    Particular care is required where a company would like to migrate to the cloud or work with another company via the cloud. For example, companies that fail to thoroughly examine a contract will never know how reliably and seriously the contract partner will act in the event of a security incident.
  10. Abuse of cloud services
    It happens that cloud services are misused to support criminal activities. To launch a DDoS attack (Distributed Denial of Service) or to break encryption, a powerful hardware environment is required - and cloud resources meet this criterion.
  11. DoS attacks
    DoS attacks (Denial of Service) consume a large amount of computing power - and the customer pays the bill. Even though high-bandwidth DDoS attacks are widespread and feared, companies should also be prepared for asymmetric DoS attacks at the application level that exploit security gaps in web servers and databases.
  12. Technology shared, danger doubled
    Different cloud providers share infrastructure, platforms and applications - if there is a vulnerability anywhere here, everyone is immediately affected. If, for example, a central component such as a hypervisor or an application has been successfully attacked, the entire cloud environment is immediately insecure.

Companies such as Crowdstrike, FireEye, CounterTack or ThreatMetrix offer products that analyze the data flows within your network. All outgoing connections are not only checked for contact with known malicious networks, but also searched for traces of APT families that may already be present in the network. Other security products such as Microsoft's Advanced Threat Analytics can help you find out whether a criminal hacker is trying to crack your login database and, if so, how long he has already been on the network.

Numerous other companies use their products to quickly detect spam, phishing attempts and malware simply by comparing them against a global database. These companies can recognize regional and global behavior patterns that no single company could see on its own. So if such data is not yet incorporated into your IT security solutions, you should change that.

Deceive them with data!

Put some fake records on your network and let the criminal hackers snap them up. After all, it is very difficult to plug every data leak, and at least as difficult to inspect all data without producing an armada of "false positives". Instead, monitor your internal network with DLP (Data Leak Prevention) software and keep an eye out for your fake data on external sites - if it turns up there, you have identified "your" hacker.

  1. Do you believe ...
    ... in the possibility of defending your systems as thoroughly as possible, and do you therefore try to do everything you can to protect every area of the company a little better each day?
  2. Do you look ...
    ... for new instruments and improve the functionality and depth of your existing security tools?
  3. Do you monitor ...
    ... all the sensors in your network - both visually and with technical means?
  4. Do you search ...
    ... continuously for new ways to examine sensor data better and to correlate it?
  5. Do you devote ...
    ... increased attention to the security of your business-critical applications, including the confidential data processed there?
  6. Do you try ...
    ... to understand your business better every day so that you can adapt and continuously improve the IT risk analysis?
  7. Do you keep ...
    ... an eye on your suppliers so that third-party access to confidential and sensitive data can be controlled?
  8. Do you work ...
    ... closely with business decision-makers in order to keep attention on IT security constantly high and to build awareness across the entire company?
  9. Do you move ...
    ... into new business areas in which disruptive technologies are used, so that you can develop your security activities before things get really serious?
  10. Do you never lose ...
    ... sight of the security basics - such as regular patching?

One hospital was particularly creative in creating its fake data: it set up fictitious patient files using the names of the members of the band Kiss, with small changes. Only IT and management knew that Ace J. Freelee, Gene H. Symmons, Petre L. Chriss and Paulie S. Stanlee weren't real patients.
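The fake-record idea from the two passages above (plant decoy data, scan outbound traffic with DLP, watch external sites for it) as an added example that is not from the article or any vendor it names. It uses the hospital's fictitious patient names; the secret, the HMAC-derived record numbers and the sample "paste" are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed secret: held only by the defenders, never stored next to the records.
CANARY_SECRET = b"rotate-me-out-of-band"

# The fictitious patients from the hospital anecdote.
CANARY_NAMES = ["Ace J. Freelee", "Gene H. Symmons", "Petre L. Chriss", "Paulie S. Stanlee"]


def canary_id(name: str, secret: bytes = CANARY_SECRET) -> str:
    """Derive a record number from the name with an HMAC: it looks like any other
    MRN to a thief, and the defender can re-derive it without keeping a lookup table."""
    tag = hmac.new(secret, name.lower().encode(), hashlib.sha256).hexdigest()
    return "MRN-" + tag[:8].upper()


def make_canary_records() -> list:
    return [{"name": n, "mrn": canary_id(n)} for n in CANARY_NAMES]


def _normalize(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace so 'GENE H SYMMONS' and
    'Gene H. Symmons' compare equal; pad with spaces for whole-token matching."""
    return " " + re.sub(r"[^a-z0-9]+", " ", text.lower()).strip() + " "


def find_canaries(text: str, records) -> list:
    """Return the canary names whose name or MRN appears in text. The same scan
    serves the internal DLP check (outbound mail, uploads) and the external watch
    (a scraped public paste); either field leaking is enough to trip the alarm."""
    haystack = _normalize(text)
    return [r["name"] for r in records
            if _normalize(r["name"]) in haystack or _normalize(r["mrn"]) in haystack]


# Constructed sample of what a scraped dump might look like: one canary by name
# (in a different letter case) and one only by its derived record number.
CONSTRUCTED_PASTE = (
    "dump from hospital-db, 3 rows\n"
    "Smith, John; MRN-00112233\n"
    "GENE H SYMMONS; " + canary_id("Gene H. Symmons") + "\n"
    "name redacted; " + canary_id("Petre L. Chriss") + "\n"
)


def scan_constructed_paste() -> list:
    return find_canaries(CONSTRUCTED_PASTE, make_canary_records())
```

A hit on a public paste identifies the leak; a hit in the DLP stream identifies the internal channel it left by.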

Lay out honeypots!

The use of honeypots strengthens this approach further. Honeypots are one hundred percent fake assets that are placed in the production environment. A honeypot can take almost any form - a server, a client or a network device. Once it is set up, every user who comes into contact with it should be examined for malicious intent. In this, honeypots differ starkly from traditional IT security measures: they are of great value and yet entirely unobtrusive.

Companies such as Cymmetria or KFSensor offer commercial honeypots, and there are also countless open source alternatives. You can also simply reuse old data that would otherwise be discarded. This has the advantage that such data looks the most authentic to hackers.
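The principle described above (a decoy that serves nothing real, so every contact is worth examining) as an added example; it is not code from the article or from any product it names. The loopback address, the decoy banner and the probe payload in `demo()` are constructed for the demonstration.

```python
import socket
import threading
import time


class DecoyListener:
    """Minimal TCP honeypot: it serves nothing real, so every connection is a
    signal worth examining, and each one is recorded as (source, first bytes, time)."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"SSH-2.0-decoy\r\n"):
        self.banner, self.contacts = banner, []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))  # port 0: let the OS pick a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)  # greet like a service, then just listen
                    data = conn.recv(256)
                except OSError:
                    data = b""
            self.contacts.append((addr[0], data, time.time()))  # no filtering: all contact is suspect

    def wait_for_contacts(self, n, timeout=5.0):
        deadline = time.time() + timeout
        while len(self.contacts) < n and time.time() < deadline:
            time.sleep(0.01)
        return list(self.contacts)

    def close(self):
        self._sock.close()  # the daemon serve thread ends with the process


def demo():
    """Start a decoy, make one constructed contact with it, return what was logged."""
    decoy = DecoyListener()
    with socket.create_connection(("127.0.0.1", decoy.port)) as c:
        banner = c.recv(64)
        c.sendall(b"root:toor\r\n")  # constructed probe payload
    contacts = decoy.wait_for_contacts(1)
    decoy.close()
    return banner, contacts
```

In production the recorded tuples would go to the SIEM, and the decoy would live on an address that no legitimate system has any reason to contact.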

Scour hacking news!

To stay on par with the cybercriminals, you need to know what they are up to. You should therefore also regularly visit sites that are known to be frequented by cybercriminals. These are sites like Pastebin, but also certain sites on the Darknet.