
My take on reducing the risk of being hacked on products and installations has often been to create false footprints.

From my own experience, the servers I've spent most time (and hate) on hacking have been those that have claimed to be something they are not.

For example, faking services on certain ports that imitate a Windows 2008 server, while in fact the server is a completely different type.

Given, of course, that one takes all the normal approaches to system security: first the traditional ones with code reviews, system hardening etc., then offensive security testing with penetration testers.

What are the downsides?

I specifically appreciate links to articles and sources on the topic.

Am I fooling myself that this has any effect? I know personally that I am triggered by the first sign of a specific system and would waste time. Most likely increasing (A) the chance of me giving up and trying another approach (or another server/service/target) and (B) the chance of discovery and back-tracking from the attacked target.

Simply G.
  • Note that you increase the risk of some script kiddie being annoyed by you and unleashing its full power on your servers... ^^ – PlasmaHH May 09 '16 at 08:40
  • Considering how many script kiddies try all kinds of web software vulnerabilities on servers where that software isn't even installed, do you think something like this would reduce the number of attacks that your actual systems are vulnerable to? – user May 09 '16 at 09:11
  • @MichaelKjörling Yes I think so. It is my assumption that many attackers use the same approximate toolbox that I have and have a decently similar approach as the first wave of attempts. Footprint -> Scan -> Identify -> Run standard vulnerabilities/exploits on identified services etc. that match. Creating custom attacks and fuzzing to create your own payloads is an ugly time-consuming activity that only rarely gives results (unless, I guess, you are really, really good at it). – Simply G. May 09 '16 at 10:33
  • @PlasmaHH You always have to take into consideration the people that simply have too much time on their hands. I am mostly worried by professional criminals that (again an assumption) will weigh time invested versus potential result/payday. – Simply G. May 09 '16 at 10:35
  • @SimplyG.: The professionals will take a few seconds to minutes to determine which services are fake and which are not. – PlasmaHH May 09 '16 at 10:40
  • @PlasmaHH - Some day I'd like to put that to the test. For example, post a price tag on some forums and see how many think it's a Windows Server 2008 with IIS 6.0 on it. As mentioned, it's hard to get people to pay for security, especially this kind of measure. – Simply G. May 09 '16 at 10:57
  • @SimplyG.: It is not so much a matter of how many think it is, it is about the right people thinking it is. I have for a while been writing service fingerprinting software, and the more complex a service is, the more likely you will be able to find a tiny difference, which then can be automated. – PlasmaHH May 09 '16 at 11:02
  • Obscurity == Intended Misdirection – May 09 '16 at 17:45
  • @Zymus "Security through obscurity" typically refers to assuming that some secret knowledge of the inner workings of your system (i.e., something about the algorithms or set up itself, not a password/key/etc.) protects you by virtue of being unknown by your attacker. In reality, such "secrets" can often be discerned from data the attacker can obtain. This is a little different, in that you don't expect the attacker to remain indefinitely aware of the misdirection, but rather that you expect it to occupy their time and reduce the amount of time they have to spend on real attack vectors. – jpmc26 May 10 '16 at 01:25
  • Points well made, taken and edit made. – Simply G. May 10 '16 at 04:35

2 Answers


It's a lot of work. Not only that, but it's a lot of work that your (legitimate) users will never see or benefit from. Most people would be willing to trade off the nebulous risk of deterring a small subset of hackers (realize that APT hackers, in particular, wouldn't be dissuaded and might even find an extra way into your system if you do something wrong setting up your fake services) in exchange for developing real features that will attract real (paying) customers.

If you've convinced yourself that you're a real target, sure, set up some honeypots (at least then you can invest in measuring how many attempts are being made on your "misdirection servers"). Security is already expensive, and you're talking about adding extra cost, so make sure it's worth it.

  • Just one more point: adding that much extra complexity would instead weaken the overall system by increasing the chance for exploits and bugs. Good answer. – CoffeDeveloper May 10 '16 at 08:47
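As an added example (not code from the original question or either answer), here is a minimal Python decoy HTTP listener in the spirit of the "false footprint" the question describes and of the measurable honeypot this answer suggests. The banner values, the port and the probe log are constructed, and the code deliberately makes no attempt at a faithful IIS imitation.

```python
"""Added example (not from the original post): a minimal low-interaction decoy
HTTP listener with a constructed Windows/IIS-like banner that records every probe."""
import json
import socketserver
import time
from typing import Dict, List

# Constructed decoy values, not a faithful copy of a real IIS response; such
# small differences are exactly what service fingerprinting tools pick up on.
DECOY_SERVER_HEADER = "Microsoft-IIS/6.0"
DECOY_POWERED_BY = "ASP.NET"
PROBE_LOG: List[Dict] = []  # in-memory probe record; forward to a SIEM in practice

def parse_request_line(data: bytes) -> Dict[str, str]:
    """Extract method and path from the first request line; tolerate non-HTTP junk."""
    first = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split()
    if len(parts) >= 2 and parts[0].isalpha():
        return {"method": parts[0], "path": parts[1]}
    return {"method": "?", "path": "?"}

def build_decoy_response(body: bytes = b"<html>Under Construction</html>") -> bytes:
    """Build a plain HTTP/1.1 response carrying the constructed decoy headers."""
    head = ("HTTP/1.1 200 OK\r\n"
            f"Server: {DECOY_SERVER_HEADER}\r\n"
            f"X-Powered-By: {DECOY_POWERED_BY}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Content-Type: text/html\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body

def handle_probe(peer: str, data: bytes, log: List[Dict]) -> bytes:
    """Record who probed the decoy and what they asked for, then answer."""
    log.append({"ts": time.time(), "peer": peer, **parse_request_line(data)})
    return build_decoy_response()

def summarize(log: List[Dict]) -> Dict[str, int]:
    """Probes per source address: the 'how many attempts' metric the answer mentions."""
    counts: Dict[str, int] = {}
    for rec in log:
        counts[rec["peer"]] = counts.get(rec["peer"], 0) + 1
    return counts

class DecoyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        data = self.request.recv(4096)
        self.wfile.write(handle_probe(self.client_address[0], data, PROBE_LOG))
        print(json.dumps(PROBE_LOG[-1]))  # one JSON line per probe

if __name__ == "__main__":  # e.g. python decoy.py, then curl -i http://127.0.0.1:8080/
    socketserver.TCPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```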

Note: I like honeypots a lot, but to answer your question, some negative aspects include:

  • You are not reducing your workload.
  • You are increasing the amount of signals you have to process.
  • You are increasing your operating costs.
  • You are taking time away from other security activities which may otherwise help protect actual data & services.
  • You may be increasing risks to yourself and others by giving the bad actors another machine to launch attacks from, even if they are not aimed at yourself.
  • You are increasing the work asymmetry against yourself and in the favor of the attacker in an effort to "hopefully" increase the attacker's work at a future point in time. This may or may not ever pay off.

Again those are just some potential answers to your question. I think there is an appropriate time for a mature security program to do this but all of the other more important tasks would need to be in place first. Too often I see people focus on what is sexy rather than what is needed so that would be my biggest concern when prioritizing this. These can be very useful if implemented wisely -and- you can make it so that it's cost-effective.

Trey Blalock
  • Thank you. I must add that I am not talking about a traditional honeypot. This is making the standard system/installation appear like it's something else, not setting up a separate system that looks interesting to lure potential attackers. – Simply G. May 09 '16 at 06:41
  • Oh, and one more thing: You might also waste the pentester's time if you don't tell them about the fake setup - which might only cost you money and does not help you discover *real* vulnerabilities. – Lukas May 09 '16 at 07:41
  • You also attract traffic from the people you fool. – waltinator May 09 '16 at 17:26