Microsoft's Honeypots Lure Phishers at Scale - to Spy on Them and Waste Their Time (bleepingcomputer.com) 14
A principal security software engineer at Microsoft described how they use their Azure cloud platform "to hunt phishers at scale," in a talk at the information security conference BSides Exeter.
Calling himself Microsoft's "Head of Deception." Ross Bevington described how they'd created a "hybrid high interaction honeypot" on the now retired code.microsoft.com "to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure," according to a report by BleepingComputer: With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity... Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing...
In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap. Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.
Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on... The deception technology currently wastes an attacker 30 days before they realize they breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.
Calling himself Microsoft's "Head of Deception." Ross Bevington described how they'd created a "hybrid high interaction honeypot" on the now retired code.microsoft.com "to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure," according to a report by BleepingComputer: With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity... Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing...
In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap. Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.
Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on... The deception technology currently wastes an attacker 30 days before they realize they breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.
Re:Yeah, very cool idea (Score:4, Interesting)
Not necessarily. These bots are there anyway. They will attack no matter what, you might as well be aware of what they are trying to do
I use a custom cms on 100+ sites and for a while I just responded with a 200 no matter what. Most of the time it would be wordpress, drupal exploit attempt, so I served it a fake wordpress login... bots would then attempt various exploits... It was very informative to see how they tried to do various injections, tried to fingerprint software, etc. I then would aggregate this into useful info and even filter from logs humans from spiders (they don't always announce themselves)
As an admin, it's good to know what is happening - whether you pay attention to it
Re: (Score:2)
I use mod_security to log all those hacking requests, very informative indeed.
Re: (Score:2)
I forgot to mention, don't forget to rate limit your logging of bad requests so it doesn't become a vulnerability for DOS attacks. I do this with iptables logging so some refused request aren't logged when there are too many. For web servers, I use a central reverse-proxy for 50+ web sites and limit bad requests logging and limit how many connections a site behind the reverse-proxy coming from the internet can use with mod_qos.
Reverse proxy takes in charge SSL so central certificate management and always up
Re: (Score:3)
But eventually you will tie up all your bandwidth with bots fighting bots, and all on the same server. The cyber wars begun they have, heh, a long time ago
You can easily limit the bandwidth used and you can even use tarpit to make them use more resources while your server don't use more for each connection.
It's nice Microsoft has discovered those techniques, I have been running honeypots and similar since ~1998. I even catch connections attempts to legitimate servers at the firewall level. For example, move the legitimate server standard ssh port to something non-standard and catch connection to port 22 at the firewall and tarpit them, taking care of disablin
They've Got the Wrong Guy (Score:2)
to Spy on Them and Waste Their Time
Microsoft must think I'm a phisher. Holy shit . . . am I actually one and never realized it?
Not a big deal? (Score:2)
Re: (Score:3)
It has been standard practice for at least a decade. It has been done for something like 40 years. Seems like Microsoft is late to the game. As usual.
As to their recent hilariously bad screw-ups, add the losing of security audit logs.
I prefer YouTube (Score:3)
One thing I have to say for Microsoft... (Score:3)
They do have a lot of expertise when it comes to filling up people's time with non-productive activities (broken Windows activation, viruses, etc.).
Re: (Score:2)
I would go so far to say that is the only thing they do competently these days.
Fianlly! (Score:3)
"Head of Deception" indeed. Microsoft has spent many years deceiving and spying on their users. At last they're putting the skills they've acquired to good use by going after actual criminals. Too bad they probably won't stop abusing their customers though.
Cloudflare (Score:2)