Dell brought out a honey-filled trap for hackers. It lures them with fake credentials
Hackers caught with fake credentials
A hacker combing through a company network stumbles on a lucky find: the memory of one of the machines holds an administrator's login credentials.
And already he’s made a mistake. The trap has sprung.
The hacker has grabbed fake credentials that the defenders planted there on purpose. Those credentials will now help the defenders monitor and identify the attacker's further moves.
That is how DCEPT, a new tool from Dell's security researchers, is meant to work. It should make life easier for admins and harder for hackers. Best of all, DCEPT is free and open source.
The name is an acronym for Domain Controller Enticing Password Tripwire. However cringe-worthy you may find it, it is fairly accurate: this defence against hackers works by deception.
The tool plants fake credentials, called honeytokens, in the memory of machines on the network. They mimic a domain administrator's login credentials. The real ones are naturally a very desirable target; many intrusions have succeeded precisely because attackers got hold of such credentials. Network admins commonly use domain administrator accounts to log on to computers across the network, and tools such as Mimikatz can later pry those login details out of the memory of the machines they logged on to. With a domain administrator's credentials in hand, an attacker can take over the whole network and inflict huge losses on the targeted company.
Honeypot or honeytoken? What's the difference?
One increasingly popular method of fighting hackers is the honeypot: a fake system meant to lure an attacker, for instance by appearing to lack a patch for a widespread vulnerability. It looks tempting from the outside but contains nothing of value. Such a system helps uncover an attack and also slows the attacker down: while they are busy overcoming its defences, they are leaving the genuinely valuable systems alone, which gives the administrators more time to notice the attack in the first place and to plan a counter-move. Honeytokens work on a slightly different principle. Instead of simulating a whole system, they hand the attacker fake login credentials (or other fake data) and monitor any access to them and any later use of them.
With DCEPT in place, an attacker scraping memory picks up fake credentials that are worthless in themselves and watched by a system built to catch exactly this. Any attempt to use the tokens is seen by the monitoring component, which notifies the administrators. Even that alone could prove invaluable to many companies: studies have shown that some firms notice an intrusion only after several days have passed, and some data breaches take more than a year to be noticed.
When the attacker later tries to use the stolen honeytoken to gain administrative access, the attempt is spotted as soon as the first login packets hit the network.
The people behind the new tool are James Bettke, a researcher in Dell's SecureWorks team, and Joe Stewart, its director of malware research. They decided to make DCEPT free for everyone. “We wrote a component caching fake credentials… and a second one that looks for their use on the network. We thought: ‘Why not release this as open source?’” Bettke said.
The tool is now freely available on GitHub, a website for sharing source code. Its authors say the code can be adapted to other kinds of tokens and detection, such as fake database entries or email addresses. As of now, DCEPT consists of three parts: an agent that plants the fake login details in memory, a generation server that creates the fake passwords, and a sniffer that watches for their use across the network.
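To make the three roles concrete, here is an added example (written for this article, not DCEPT's own code) that models the generation server, the credential an agent would plant, and the sniffer's check. The one idea it demonstrates is why the generation server issues a different fake password to every endpoint: when a token is later used on the network, the sniffer can tell not only that an attacker is active but which machine's memory was dumped. The Kerberos pre-authentication check that a real sniffer would perform on login packets is simplified to an HMAC over the timestamp, the key derivation to a salted SHA-256, and the hostnames, usernames, addresses and timestamps are all constructed for the demo.

```python
# Added example: a simplified model of the three DCEPT roles (generation
# server, planted credential, sniffer). Not the project's own code. The
# Kerberos pre-authentication check is modelled as an HMAC tag over the
# timestamp and string-to-key as a salted SHA-256; both are simplifications.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Honeytoken:
    host: str        # endpoint the agent planted this token on
    domain: str
    username: str
    password: str


@dataclass(frozen=True)
class Alert:
    stolen_from: str  # host whose planted token was used
    used_from: str    # source address of the login attempt
    username: str


class GenerationServer:
    """Issues one unique fake password per endpoint and remembers them all."""

    def __init__(self, domain: str, username: str = "svc_backup_admin") -> None:
        self.domain = domain
        self.username = username
        self._by_host: dict[str, Honeytoken] = {}

    def issue(self, host: str) -> Honeytoken:
        # A distinct password per host means that a later use of the token
        # tells responders which machine the attacker dumped memory on.
        tok = Honeytoken(host, self.domain, self.username, secrets.token_urlsafe(18))
        self._by_host[host] = tok
        return tok

    def tokens(self) -> list[Honeytoken]:
        return list(self._by_host.values())


def derive_key(domain: str, username: str, password: str) -> bytes:
    # Stand-in for Kerberos string-to-key: salted with realm and principal,
    # so the same password yields different keys in different domains.
    salt = (domain.upper() + username).encode()
    return hashlib.sha256(salt + password.encode()).digest()


def client_preauth(src: str, domain: str, username: str, password: str, ts: str) -> dict:
    """What the sniffer gets to see on the wire: the identity in the clear plus
    a proof of password knowledge over a timestamp (modelled as an HMAC tag)."""
    key = derive_key(domain, username, password)
    tag = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return {"src": src, "domain": domain, "user": username, "ts": ts, "tag": tag}


class Sniffer:
    """Checks each observed login attempt against every issued honeytoken."""

    def __init__(self, server: GenerationServer) -> None:
        self.server = server

    def inspect(self, req: dict) -> Optional[Alert]:
        for tok in self.server.tokens():
            if (tok.domain, tok.username) != (req["domain"], req["user"]):
                continue
            key = derive_key(tok.domain, tok.username, tok.password)
            expected = hmac.new(key, req["ts"].encode(), hashlib.sha256).hexdigest()
            # The tag verifies only under the planted password, so a real account
            # with the same name but a different password is not flagged.
            if hmac.compare_digest(expected, req["tag"]):
                return Alert(tok.host, req["src"], req["user"])
        return None


def run_demo() -> list[Alert]:
    """Constructed scenario: tokens planted on two workstations; the one on
    WS02 is scraped with a Mimikatz-style tool and replayed from 10.0.0.99."""
    server = GenerationServer("CORP")
    server.issue("WS01")
    ws02 = server.issue("WS02")
    sniffer = Sniffer(server)

    observed = [  # constructed login attempts as the sniffer would see them
        # legitimate admin: same username as the lure, but the real password
        client_preauth("10.0.0.5", "CORP", "svc_backup_admin", "RealPassw0rd!", "20240301T090000Z"),
        # unrelated user, never compared against the tokens
        client_preauth("10.0.0.7", "CORP", "jsmith", "hunter2", "20240301T090010Z"),
        # attacker replaying the credential scraped from WS02's memory
        client_preauth("10.0.0.99", ws02.domain, ws02.username, ws02.password, "20240301T090030Z"),
    ]
    return [a for a in map(sniffer.inspect, observed) if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT: token planted on {alert.stolen_from} used from "
              f"{alert.used_from} as {alert.username}")
```

Running the script produces exactly one alert, for the attempt from 10.0.0.99, attributed to the token planted on WS02; the genuine administrator's logon with the same username passes silently because the proof does not verify under any planted password. In a real deployment the sniffer would parse Kerberos pre-authentication data off the wire and try each honeytoken's key against it, which is the same loop with real cryptography in place of the HMAC model.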
If the method takes off and works as its authors promise, it could soon become an invaluable tool for administrators worldwide.