Summary


Traps and deceptive measures are measures that seem to be real systems, services, applications, environments, and so on, but they're not. Deceptive measures are intended to provide false information to attackers and mislead them so that they do not focus their attacks on real systems and the network.

A trap is supposed to make an attacker stay in one place so that data concerning the attacker's actions can be gathered. Major types of traps and deceptive measures include honeypots (computers designed to lure attackers), automated messages (messages sent to a user when usage of a system or application appears to be unauthorized or anomalous), trojaned commands (commands that provide misinformation), jail environments, and special shell environments that appear to be bona fide environments.

Some of the advantages of traps and deception include providing a moving target, increasing the time and work factor involved in attacking systems, reducing the likelihood of damage to systems and networks, allowing more time to plan a suitable course of action, providing data that traditional tools generally miss, diminishing attackers' confidence, yielding intelligence data, and helping to educate and motivate management concerning security problems and solutions. Some disadvantages include the amount of work and resources required in a successful deception effort, the challenge of setting up credible deception measures, the possibility that these measures could backfire, and the challenge of integrating traps and deception measures into the IT mainstream.

This chapter focused more on honeypots than on any other type of traps and deceptive measures because of their growing popularity. We emphasized that careful planning in terms of conforming each honeypot deployment to an organization's policy, defining the purpose of each honeypot, obtaining necessary approvals, and developing appropriate procedures for operation of honeypots is critical. Resolving deployment issues (the type and quantity of honeypots used, the look and feel of each honeypot, the platform that houses each honeypot, where the honeypot(s) will be placed within the network, and how each honeypot will be secured) is also essential.

You will also have to decide whether or not to advertise each honeypot. Performing a security evaluation and testing each honeypot to help ensure that it will be able to withstand attacks are both necessary in a successful honeypot deployment. We took a brief look at the Deception Tool Kit (DTK), which provides fake services using state-machine scripts written in Perl. DTK logs timestamped keystrokes and can even provide real-time alerts that attacker activity is occurring. Honeypots cannot be considered mainstream security measures, but they supplement these measures well by deterring and deflecting attacks as well as by providing data that often cannot be obtained elsewhere.
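The state-machine approach the chapter attributes to DTK can be illustrated with a small fake login service that logs each timestamped input line and raises an alert on flagged transitions. This is example code added here, not DTK's Perl scripts or the book's own code; the transition table, state names, alert strings and the sample session are all constructed.

```python
import re
from datetime import datetime, timezone

# Constructed transition table (not DTK's own format): each state maps a regex
# on the attacker's input line to (response, next_state, alert_or_None).
FAKE_LOGIN_SERVICE = {
    "login": [
        (r"^(root|admin)$", "Password: ", "password", "privileged account probed"),
        (r".*[;|&`].*", "login: ", "login", "shell metacharacters in login name"),
        (r"^\w+$", "Password: ", "password", None),
        (r".*", "login: ", "login", None),
    ],
    "password": [
        # The fake service never grants access; it always returns to the prompt.
        (r".*", "Login incorrect\n\nlogin: ", "login", None),
    ],
}

class FakeService:
    """Drives one session through a transition table, keeping a timestamped
    keystroke log and a list of real-time alerts."""

    def __init__(self, table, start="login"):
        self.table, self.state = table, start
        self.log = []     # (utc_timestamp, state, input_line)
        self.alerts = []  # alert messages raised while the session ran

    def feed(self, line, now=None):
        """Process one input line; returns the text the fake service sends back."""
        now = now or datetime.now(timezone.utc)
        stamp = now.isoformat(timespec="seconds")
        self.log.append((stamp, self.state, line))
        for pattern, response, next_state, alert in self.table[self.state]:
            if re.fullmatch(pattern, line):
                if alert:
                    self.alerts.append(f"{stamp} [{self.state}] {alert}: {line!r}")
                self.state = next_state
                return response
        raise RuntimeError("no catch-all transition for state " + self.state)

def run_session(lines, table=FAKE_LOGIN_SERVICE):
    """Replay a constructed session with synthetic timestamps; returns (log, alerts)."""
    svc = FakeService(table)
    base = datetime(2002, 1, 1, 12, 0, tzinfo=timezone.utc)
    for i, line in enumerate(lines):
        svc.feed(line, now=base.replace(second=i))
    return svc.log, svc.alerts

if __name__ == "__main__":
    log, alerts = run_session(["root", "toor", "guest", "guest"])  # constructed session
    for entry in log:
        print(entry)
    for alert in alerts:
        print("ALERT", alert)
```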

Traps and deceptive measures are useful in four of the six stages of incident response, namely the preparation, detection, containment, and follow-up stages. Being able to swap out a victim machine or account with a bogus one is particularly valuable in containing attacks. Traps and deceptive measures can also provide valuable "lessons learned" for incident response efforts by providing data that can be used in modifying policies and procedures as well as in other ways.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
