Defense in Depth Using Deception Technology in InsightIDR

Welcome to the land of confusion and misdirection! Today, we are diving into the four pieces of

Another suggestion for honey users could fall under board members, consultants or contractors, building maintenance, and the executive team (such as the CEO, CIO, CFO, etc). These folks normally behave a bit differently than the majority of end users. For example, some consultants may only be on projects for particular time frames throughout the year or until a project is done, which means their account winds up lingering far after their completion or departure. These accounts also find themselves with non-expiring passwords, which can pose another threat if employees aren’t properly trained on best practices around password generation.

The best way to figure out what attackers might be able to see is to put yourself in their shoes and use your own OSINT capabilities to evaluate your company’s public footprint. If you can find LinkedIn accounts and/or leaked databases that contain company information, this would be what attackers are able to see. Depending on what is available publicly already, that is a great place to start with the types of traps we plan to set. Plenty of tools exist to enumerate from the outside, such as

Honey files

Next, we’ll break down honey files, which are also highly recommended and equally as valuable as the other deception features. Honey files can be leveraged to help detect or inform the team that something malicious could be brewing. For example, ransomware or any worm-like virus that is going to touch a lot of network files in a short amount of time does not demonstrate normal, human-like behavior, which would indicate some form of a script or automated attack in play.

Similar to other InsightIDR deception technology features, there is no limit on how many honey files you can deploy. You can also choose any file extension you desire, such as .pdf, .doc, /db, or .xls.

Another example would be password manager applications such as KeePass. KeePass uses password database files, and there are known exploits for applications of this nature out there, as well as automated tools that search for particular file extensions and attempt to auto-exploit. This would be an easy catch for the honey file, as any access to these is reported to the platform.

While this does place some decoys around the environment, another attack vector to consider are insider threats. Placing a few appealing documents/files across our network servers may lead to blocking a possible data exfiltration attack or a disgruntled employee looking to bring harm to the company/colleagues.

Honey credentials

Finally, that brings us to honey credentials. These are one of the easiest features to deploy, as they do not require any configuration from you other than deploying the Insight Agent to your Windows assets. This is an opt-in feature as well, so you would need to reach out to a Rapid7 resource such as a customer success manager to have this enabled.

When you opt in to the honey credential, a honeyhash will be inserted into memory on all your endpoints (Windows and Agent installed), for the avenue of someone running a memory scraping tool, such as Mimikatz, and then spraying and praying with those hashes as authorization using psexec and/or pass-the-hash attacks.

There is not a way to pick and choose which assets receive the honeyhash, as it is an all-or-nothing feature. This may interfere with third-party applications that may detect this type of behavior, it is simple to whitelist the process generated from this. If you want to see how easy running a memory scraping tool such as Mimikatz is, you can test it out following the instruction posted by Black Hills Infosec.

The common methods attackers use are still easily tripped up by adding some additional obstacles in your internal environment. It’s not enough to solely depend on the perimeter firewall—it’s time to start looking at the internal network that we can control. Most of the attacks carried out originate from the inside, whether that be disgruntled employees or unintentional attackers who may not even know they have been compromised. Keeping a good grasp of the assets and vulnerabilities is only part of the mission—and having these additional four elements is a must when handling today’s cyber-landscape.