The name of the tool is supposed to be an acronym for Domain Controller Enticing Password Tripwire. However cringe-worthy you might judge the name to be, it is actually fairly accurate. This defence mechanism against hackers works on the basis of deception.
The tool seeds fake credentials, called honeytokens, into the memory of machines on the network. They mimic a domain administrator's login credentials. The real ones are naturally a very desirable target – many hacking incidents have happened precisely because attackers got their hands on such credentials. Network admins usually use domain administrator accounts to access computers across the network, but tools such as Mimikatz can later pry the login details out of memory. With these in hand, attackers can completely take over a network and inflict huge losses on the targeted company.
Thanks to DCEPT, attackers steal only fake credentials that are worthless and, at the same time, monitored by a system designed to catch them. Even this alone could prove invaluable to many companies – studies have shown that some firms notice a hacking attack only after several days have passed, and some data breaches take more than a year to be noticed.
When an attacker later tries to actually use the stolen honeytoken to gain administrative access, the attempt is spotted as soon as the first login packets hit the servers.
“The DCEPT is an interesting concept that will allow better credential theft detection in Windows networks” – Martin Žídek, CTO of Master Internet
The people who came up with this new tool are James Bettke, a researcher in Dell's SecureWorks team, and SecureWorks' malware research director Joe Stewart. They decided to make DCEPT free for everyone. “We wrote a component caching fake credentials… and a second one that looks for their use on the network. We thought: ‘Why not release this as open source?’” Bettke said.
The tool is now freely available on GitHub, a website for sharing source code. Its authors say the code can be extended to use other kinds of tokens and detection, for example fake database entries or email addresses. As of now, DCEPT consists of three parts: an agent that places the fake login details into memory, a generation server that creates the fake passwords, and a sniffer that looks for their use across the network.
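As an added illustration of the three-part design just described (example code, not DCEPT's own), the sketch below models a generation server that mints a unique fake credential per host, a constructed login packet in which the client proves knowledge of the password with an HMAC over a timestamp rather than sending the password itself, and a sniffer that tries every issued token against that proof and reports which host the token was planted on. The login exchange, the key derivation, the `CORP\da-admin` username and the per-host uniqueness are simplifying assumptions, not DCEPT's actual protocol.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class GenerationServer:
    """Mints fake domain-admin credentials and remembers where each was planted."""
    domain: str
    issued: dict = field(default_factory=dict)  # password -> host it was planted on

    def mint(self, host: str) -> dict:
        # One unique password per host (assumption), so a later sighting pinpoints the machine it was lifted from.
        password = secrets.token_urlsafe(16)
        self.issued[password] = host
        return {"username": f"{self.domain}\\da-admin", "password": password, "host": host}

def derive_key(password: str) -> bytes:
    # Stand-in for the real password-to-key derivation (assumption).
    return hashlib.sha256(password.encode()).digest()

def login_attempt(username: str, password: str, timestamp: str, src_ip: str) -> dict:
    """Constructed 'first login packet': the client proves it knows the password
    by sending HMAC(key, timestamp), never the password itself."""
    proof = hmac.new(derive_key(password), timestamp.encode(), "sha256").hexdigest()
    return {"username": username, "timestamp": timestamp, "proof": proof, "src_ip": src_ip}

class Sniffer:
    """Passive watcher: tries every issued honeytoken key against each observed login proof."""
    def __init__(self, server: GenerationServer):
        self.server = server

    def inspect(self, pkt: dict):
        for password, host in self.server.issued.items():
            expected = hmac.new(derive_key(password), pkt["timestamp"].encode(), "sha256").hexdigest()
            if hmac.compare_digest(expected, pkt["proof"]):
                return {"alert": "honeytoken used", "user": pkt["username"],
                        "planted_on": host, "seen_from": pkt["src_ip"]}
        return None  # a legitimate login never matches an issued token

def demo():
    """Plant tokens on two hosts, then watch one real login and one reuse of the ws1 token."""
    server = GenerationServer("CORP")
    ws1_token = server.mint("ws1")
    server.mint("ws2")
    sniffer = Sniffer(server)
    real = login_attempt("CORP\\alice", "alice-real-password", "20240101T120000Z", "10.0.0.5")
    stolen = login_attempt(ws1_token["username"], ws1_token["password"], "20240101T120001Z", "10.0.0.99")
    return sniffer.inspect(real), sniffer.inspect(stolen)
```

The alert names both the host the token was planted on and the address it was replayed from, which is what an administrator needs to know where the memory was dumped and where the attacker now sits.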
If this method takes off and works as its authors promise, it could soon prove to be an invaluable tool for many administrators worldwide.