Intruder detection
Deception-class solutions (e.g. honeypots, honeynets, fake systems) are defence techniques that use artificially crafted IT environments to detect and deceive attackers. Their main purpose is to identify intruders, slow down their activities and divert their attention from the organisation's real assets. With advanced deception technology, organisations can detect threats in the early stages of an attack, gather information about attackers' methods and minimise risk.

Main features and functions of the deception solution:
1. Real-time intrusion detection
Deception-class solutions allow the rapid detection of unauthorised activities on the corporate network.
How does it work?
Honeypots (digital traps): Fake servers, devices or applications pretending to be real resources (e.g. database servers, virtual machines, cloud resources) attract the attention of attackers. Any interaction with the honeypot is considered suspicious, as legitimate users do not have access to these resources.
Example: An insurance company deploys a honeypot pretending to be a file server containing customer policies. An attacker, who has gained unauthorised access to the network, starts searching the resources and attempts to access this fake server. Any such attempt is automatically flagged as suspicious activity, resulting in an immediate alert being sent to the SOC team.
Honeynets: extensive environments that simulate the entire network infrastructure, allowing complex attacks to be monitored.
Example: A government organisation installs a honeynet that simulates a complete IT infrastructure, including email servers, databases and backup systems. An intruder who interacts with this environment is observed and recorded, allowing early detection of the attack attempt and identification of the tools they are using.
Network scan detection: The deception solution generates false endpoints (e.g. IP addresses, services), which intruders can attempt to scan or attack. Such attempts are immediately detected.
Example: An online shop deploys a deception solution that generates fake IP addresses and services. When an attacker scans the network for open ports, their actions are immediately recorded and the source IP is automatically blocked by the firewall.
2. Diverting attackers' attention from real resources
Deception solutions mislead attackers by redirecting their actions to fake resources, which protects the real infrastructure.
Fake data and systems: Deception-class solutions mislead attackers by providing false data (e.g. files with fictitious information, user accounts, passwords).
Example: A telecommunications company creates fake administrative accounts and files simulating the configuration of network devices. The attacker gains access to this data, but it is designed to point them in the wrong direction while giving the SOC team time to react.
Traffic diversion: If an intruder gains access to the network, their traffic is directed to fake resources, preventing them from reaching real systems.
Example: The system intercepts the intruder's traffic and redirects it to a fake server simulating a customer database. The redirected traffic is monitored and the real system remains unaffected.
Obstructing analysis: Fake systems provide attackers with misleading information, e.g. by presenting vulnerabilities that do not exist in the actual infrastructure.
Example: The intruder attempts to analyse a fake ERP (Enterprise Resource Planning) system, which is in fact a dummy. The server returns a set of fake vulnerabilities to the attacker, which wastes the attacker's time and gives the SOC team extra minutes to block their activity.
3. Gathering information on attack methods
Deception solutions enable an organisation to understand the tactics, techniques and procedures (TTPs) used by attackers.
How does it work?
Analysis of attacker behaviour: Monitoring the attacker's activities in the honeypot environment makes it possible to identify the tools and techniques used, e.g. malware, terminal commands or attempts at privilege escalation.
Example: The attacker gains access to a honeypot pretending to be an email server. The deception solution monitors their attempts to extract data from the fake mailboxes, analysing the techniques used in the attack, such as the use of phishing tools or PowerShell commands.
Activity logging: The solution records the full course of the attack, allowing for subsequent analysis of the incident and enrichment of the Threat Intelligence knowledge base.
Example: The attacker carries out a brute-force attack on passwords in a fake database management system. All of their actions are recorded, including details of the tool used, the login pattern and attempts to escalate privileges. This data is then analysed by the Threat Intelligence team.
Identification of objectives: Deception-class solutions can reveal which resources intruders are trying to locate, which helps in risk assessment.
Example: The intruder interacts with the honeynet and attempts to access fake financial servers. The security team identifies that the priority target of the attack was financial data, allowing the protection of real assets to be strengthened.
4. Early detection of advanced attacks
Deception is particularly effective in detecting advanced persistent threats (APTs), which may go undetected by traditional protection systems.
How does it work?
Detecting lateral movement: Attackers who move around the network in search of further targets are detected when they hit decoy systems or services.
Example: An adversary who has gained access to one of the computers on the corporate network attempts to move between segments in search of file servers. As they scan the fake resources created by the honeypot, the SOC team is alerted to the lateral movement.
Exploitation of fake vulnerabilities: Decoy systems can simulate specific vulnerabilities, encouraging intruders to exploit them, which immediately alerts the security team.
Example: A company deploys a fake server that simulates a known vulnerability. The attacker attempts to exploit it, resulting in the automatic generation of an alert and the blocking of their network traffic.
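As an added example for sections 2 and 4 together (this is illustrative code, not the page's or any product's own), the Python below scans a constructed SIEM export of Windows Security logon events for decoy accounts that exist only in planted fake configuration files; any logon attempt with one, successful or failed, gives the SOC the source host from which the lateral movement is being made. The account names and events are constructed; EventID 4624/4625 and the field names are the standard Windows logon events.

```python
import re
from datetime import datetime

# Decoy account names planted in fake configuration files (constructed for this
# example). They have no legitimate use, so any logon attempt with them,
# whether it succeeds or fails, is an alert.
DECOY_ACCOUNTS = {"svc_backup_admin", "it_helpdesk_old"}

# Standard Windows Security logon event IDs.
OUTCOME = {"4624": "success", "4625": "failure"}

# Constructed SIEM export of Security events, one event per line.
EVENTS = """\
2024-03-04T10:02:11Z EventID=4624 TargetUserName=jsmith LogonType=3 IpAddress=10.20.1.15 WorkstationName=WS-015
2024-03-04T10:05:43Z EventID=4625 TargetUserName=svc_backup_admin LogonType=3 IpAddress=10.20.1.77 WorkstationName=WS-077
2024-03-04T10:05:49Z EventID=4624 TargetUserName=svc_backup_admin LogonType=3 IpAddress=10.20.1.77 WorkstationName=WS-077
2024-03-04T10:06:02Z EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=10.20.1.22 WorkstationName=WS-022
"""

LINE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"LogonType=(?P<ltype>\d+) IpAddress=(?P<ip>\S+) WorkstationName=(?P<ws>\S+)$"
)

def honeytoken_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per logon event that uses a decoy account.

    The source host is the pivot for the SOC: whoever presented a planted
    credential must first have read the fake file it was planted in, so that
    host is where the intruder is operating from.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["eid"] not in OUTCOME:
            continue
        if m["user"].lower() not in decoys:
            continue
        alerts.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "account": m["user"],
            "outcome": OUTCOME[m["eid"]],
            "source_ip": m["ip"],
            "source_host": m["ws"],
            "network_logon": m["ltype"] == "3",   # type 3: came over the network
            "severity": "critical",
        })
    return alerts
```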
5. Reducing the risk of escalation of an attack
Deception solutions slow down the actions of attackers, giving security teams time to react.
How does it work?
Isolation of the attacker's actions: Attackers who engage with honeypots are kept in a decoy environment, limiting their ability to escalate privileges or gain access to real resources.
Example: An intruder who has gained access to a honeypot simulating a web application server is completely isolated from the real infrastructure. Their actions are captured in a sandbox where the SOC team analyses their movements.
Generating alerts: Early notifications of suspicious activities allow SOC (Security Operations Centre) teams to take swift preventive action.
Example: The deception system detects that the attacker is attempting to use a privilege escalation tool on a fake system. An alert is immediately generated and the source IP is blocked across the organisation.
6. Integration with other security systems
The deception solution works with SIEM, SOAR and EDR solutions to improve the effectiveness of the overall security strategy.
How does it work?
Automatic analysis: The tool sends data on detected threats to SIEM systems, allowing correlation with other events in the organisation.
Example: The deception system sends data about the attempted exploitation of the fake vulnerability to the SIEM tool. The tool correlates these with other events, such as network scanning attempts, to identify a potential attack campaign.
Real-time response: Thanks to integration with SOAR systems, suspicious IP addresses can be automatically blocked or infected devices isolated.
Example: Integration with the SOAR system automatically cuts off the intruder's device from the network when it establishes a connection with the honeypot. The intruder's traffic is analysed and their methods documented.
Enriching Threat Intelligence: The information collected by the honeypots is used to update protection rules in EDR, NGFW or IPS systems.
Example: The honeypot detects that an attacker has used an unusual tool to exfiltrate data. This information is sent to the Threat Intelligence platform, which updates the threat detection rules of the EDR systems.
7. Minimising false alarms
Deception solutions generate highly reliable alerts because any activity in the honeypot environment is potentially malicious.
How does it work?
Elimination of false positives: Legitimate users do not have access to fake resources, so any interaction with the honeypot indicates a security breach.
Example: The deception-class solution generates an alert when an intruder tries to access a fake logistics management server. As legitimate users do not have access to this resource, the alert is automatically flagged as high-confidence and escalated to the SOC.
Focus on real threats: Deception system alerts allow SOC teams to focus on the actions of intruders, rather than analysing a large number of potentially false reports.
Example: A financial organisation's SOC team analyses the data from the honeypot and immediately focuses on suspicious intruder activity, rather than reviewing the thousands of irrelevant alerts generated by other tools.
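As an added illustration (not part of the original page or of any vendor's product) of why decoy contact is a high-fidelity signal, the Python below checks constructed firewall flow records against a decoy inventory: any contact with a decoy host is alerted, and a source that touches several decoy host:port pairs is labelled as a scan, tying together the network scan detection of section 1 and the high-confidence alerts of section 7. The decoy addresses and flow records are constructed for the example.

```python
from collections import defaultdict

# Decoy inventory (constructed for this example): addresses that belong only
# to fake hosts. No legitimate workflow ever connects to them, so any contact
# is suspicious regardless of the port or of whether the firewall allowed it.
DECOY_HOSTS = {
    "10.20.5.40": "fake file server",
    "10.20.5.41": "fake database server",
    "10.20.5.42": "fake admin web host",
}

# Constructed firewall flow records: (source, destination, dst_port, action).
FLOWS = [
    ("10.20.1.15", "10.20.5.10", 445, "allow"),   # real file server: normal
    ("10.20.1.77", "10.20.5.40", 445, "allow"),   # touches the decoy share
    ("10.20.1.77", "10.20.5.41", 1433, "allow"),  # then the decoy database
    ("10.20.1.77", "10.20.5.42", 22, "deny"),     # denied probes still count
    ("10.20.1.77", "10.20.5.42", 443, "deny"),
    ("10.20.1.15", "10.20.5.11", 443, "allow"),   # real intranet host: normal
]

def decoy_alerts(flows, decoys=DECOY_HOSTS, scan_threshold=3):
    """Return one alert per source address that contacted any decoy host.

    Every decoy contact is reported as high severity: the fidelity comes from
    the decoy itself, not from a signature. A source that reaches at least
    scan_threshold distinct decoy host:port pairs is labelled as scanning,
    which is what an attacker enumerating the network for targets looks like.
    """
    touched = defaultdict(set)
    for src, dst, port, _action in flows:       # action ignored on purpose
        if dst in decoys:
            touched[src].add((dst, port))
    alerts = []
    for src, targets in sorted(touched.items()):
        alerts.append({
            "source": src,
            "decoy_targets": sorted(f"{d}:{p} ({decoys[d]})" for d, p in targets),
            "category": "decoy_scan" if len(targets) >= scan_threshold else "decoy_touch",
            "severity": "high",
            "recommended_action": "isolate source host and escalate to SOC",
        })
    return alerts

if __name__ == "__main__":
    for alert in decoy_alerts(FLOWS):
        print(alert)
```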
8. Meeting regulatory requirements
Deception-class tools help organisations comply with regulatory requirements, such as NIS2, GDPR or PCI-DSS, related to data protection and critical infrastructure.
How does it work?
Auditing and reporting: Deception solutions record all the actions of intruders, allowing the effectiveness of protection measures to be demonstrated during audits.
Example: A company in the energy sector uses honeypots to monitor attempted attacks on critical infrastructure. The data collected is presented in audit reports to demonstrate compliance with regulatory requirements such as NIS2.
Risk reduction: The implementation of honeypots demonstrates the organisation's proactive approach to minimising threats.
Example: Honeypots implemented at a technology company show that the organisation actively monitors breach attempts and takes a proactive approach to data protection, which is particularly important during GDPR audits.
9. Education and testing of security teams
Deception allows attacks to be simulated and SOC teams to be trained under realistic conditions.
How does it work?
Simulating attacks: Decoy environments can be used to test incident response procedures.
Example: The company organises an exercise using a honeypot simulating an ERP system. The SOC team is tasked with identifying and responding to an attempted security breach. The simulation allows the team to practice incident response procedures under controlled conditions.
Raising awareness: Monitoring the actual activities of intruders in artificially generated environments allows security teams to better understand the tactics of attackers.
Example: The security team analyses the actual actions of the intruder in the honeynet environment, learning what their modus operandi looks like and adapting future strategies to protect the organisation.