In an effort to win the war on cybercrime, Microsoft has used a creative form of phishing prevention-deploying very large honeypot environments to catch phishers via its Azure cloud. The tactic has allowed the company to harvest precious intelligence about phishing schemes while disrupting operations of cybercriminals before actual attacks could be staged.
Unveiled at a recent BSides event in Exeter, England, the project was teased as one of the most sophisticated usages of deception technology that the cybersecurity industry has ever seen. Entailing the creation of sham Azure tenants by Microsoft, the latter would be populated with hundreds of test users and mock data. Microsoft monitors the phishing sites daily and feeds them fake credentials with which to attack. That, in turn, has allowed the company to lure the cybercriminals into decoy environments where every action taken is logged and attributed to their tactics, techniques, and procedures.
This “honeypot” technology application enables Microsoft to spot developing phishing trends and neutralize the threats before they become huge, damaging attacks. According to Ross Bevington, Microsoft Head of Deception, the company tracks about 25,000 phishing sites a day, feeding credentials to about 20% of those sites. When the bad guys connect to those phony Azure tenants, Microsoft is then able to track their every move in real-time and collect data that might be useful for anticipating their next action in order to cut off their attempts.
A New Level of Deception
Until now, it’s a bit of a sea change in how organizations think about cybersecurity and threat intelligence. Honeypots-these are decoy systems intended to attract bad actors out into the open and then contain them within some sort of controlled environment-are nothing new. But Microsoft’s use of Azure cloud infrastructure for that same purpose gives the traditional honeypot a new dimension. The thing that is different in this deception campaign is the scale that’s made possible by dynamically spinning up cloud computing resources to build realistic, ever-changing environments to further confuse and mislead cybercriminals.
Chris Dukich, founder at Display Now, said that in particular, it was innovative how Microsoft used dummy Azure tenants to map out the phishing infrastructures. “This is a new level of deception that grants Microsoft the benefit of gathering intelligence about phishers around the world and neutralizing them before they fire off their attacks en masse,” Dukich said.
Furthermore, Stephen Kowski, Field CTO at SlashNext, considered Microsoft’s approach a very innovative use of deception tactics in the fight against cybercrime. “By leveraging their cloud infrastructure, they’ve created a more scalable and dynamic honeypot environment,” he said. “This approach provides real-time monitoring and analysis of attacker behavior in a controlled but realistic cloud ecosystem for deeper insight into sophisticated phishing operations.
Mind Games with Cyber Criminals
The founder of Bugcrowd, Casey Ellis, said that Microsoft’s decision to go public with details about the honeypot program could be a psychological play. “Deception technology isn’t something defenders often talk about,” he said. “By announcing that they are doing this, Microsoft is playing a bit of a mind game with the bad guys.” In other words, the fact that Microsoft has made this announcement may, in itself, keep cyber-criminals from attacking their systems because it now has such a potent countermeasure against them-tracking and analysis of their activities.
Ellis’s point raises another critical issue in deception technology: modifying the behavior of the threat actors. The majority of the organizations that use deception strategies deploy the strategies in silent mode, not to expose an attacker to the fact that there are decoy systems. But by making the existence of the honeypot’s public, Microsoft is sending an alert to the bad guys that they might be walking right into a trap, and that might give them cause for pause.
Challenges and Resources Required by Deception Technology
While Microsoft’s honeypot effort is a complex and high-impact tactic, experts caution that such deception technologies mightn’t be viable for every organization. Building out a large-scale deception environment does indeed require substantial resource investments of both technical skills and manpower, said Vaclav Vincalek, the founder of 555vCTO. “Deception tactics do take quite a few resources,” he said. “It needs to be properly set up, and then you need manpower to monitor it.”
Roger Grimes, a defense evangelist at KnowBe4, added most organisations simply don’t have the time or the staff to deploy such elaborate strategies. “The average organization just doesn’t have the time to do these types of research activities,” Grimes said. “When deception technologies are used, they are generally used for early warning to quicken incident response and reduce costs and downtime.”
Scale and resources, of course, are available to Microsoft in such a bold undertaking. For smaller organizations, however, much simpler deception techniques-such as the use of fake email addresses and websites or data-may be more practical. But let’s face it-the learnings from Microsoft’s large-scale initiative bring best practices to organizations of all sizes.
Artificial Intelligence Enhances Deception Capabilities
The other area that could also contribute towards the elimination of the burden created in managing honeypot environments at large scale is artificial intelligence. The director of threat research at Proofpoint, Daniel Blackford, says that AI may be used in emulating user behaviors that would look as natural as possible in a decoy environment. “Creating realistic or convincing deceptive environments becomes an ideal task to employ large language model AI,” he said. AI could also be used to fill those phony accounts with history, messages, and activity, making honeypots more convincing, and thereby more challenging for attackers to distinguish from the real deal.
Grimes said AI could make deception feasible for resource-constrained organizations. “AI could be a huge force multiplier for deception technologies, automating the creation of convincing fake environments and interactions,” he said.
Deception’s Role in Phishing Prevention
It represents one of the most enduring and destructive threats that any organization faces today. Where security technology has moved forward from what it was a few years ago, phishing campaigns have moved on to more advanced tactics, like multichannel phishing and leveraging trusted services such as OneDrive and GitHub to distribute their malicious content.
It can be a very useful tool, says Shawn Loveland, a cybersecurity expert with Resecurity. The idea behind this is essentially to spread decoy assets-fake emails, websites, and credentials-out there, so an attacker will hopefully fall onto them and find themselves within controlled environments where their tactics can be analyzed without real data being compromised. “This diverts threats from genuine targets while collecting intelligence on phishing tactics,” Loveland said.
Another reason phishing continues to be an emerging threat is because the attackers continue to leverage AI-powered tools in designing phishing messages that are all the more convincing. “The new AI-powered phishing tools, combined with personal data available to phishers, will fundamentally change things in the phishers’ favor,” Loveland said. As phishing continues to evolve, the protection of data and systems requires organizations to stay ahead of the curve, taking advantage of both deception technologies and traditional security.
Best Practices for Deception Technology
While deception can be a potent weapon against phishing, experts caution that it should not be relied on as the only defense. “Deception really works best when organizations couple the strategy with other security measures,” said Vincalek. A multi-layered approach to security will include phishing detection tools, employee training, and robust incident response protocols to effectively combat phishing.
Grimes said organizations should configure their deception technologies to mimic their real environments. For example, if an organization is a mainly a Microsoft Windows shop, it should ensure its deception systems masquerade as Windows systems, using the same default services and network ports. “One of the most common mistakes people make is they deploy a deception system that doesn’t resemble the real environment,” he said, adding this can be a dead giveaway to bad actors they are touching a decoy.
Deception in Cybersecurity: The Future of Security
But probably the most audacious and forward-thinking move in catching phishers is Microsoft’s honeypot initiative. Of course, not every organization will be in a position to mount such large-scale deception campaigns, but lessons learned from Microsoft’s effort can help inform more accessible deception tactics for businesses of all sizes. As cyber criminals continue to refine their methods and tactics, the deployment of deception technologies-underpinned by AI and backed up with good defense practices-will be integral to any robust cybersecurity strategy.
But, if anything, the cybersecurity landscape is complex and always evolving, and the only way ahead of an attack is through innovation and adaptation. Microsoft’s use of deception is a shining example of how to use creativity and technology to outsmart even the most resolute cybercriminals; it could well be the blueprint for future efforts in defending against phishing and other online threats.
Read More…
Read Other…
