Imagine you’re a young cyber officer in the Russian military looking to break into the defended network of a NATO government. You identify a target, a person whose credentials you could steal to gain access to the network and then perhaps move from node to node, looking for sensitive information to exfiltrate. You send your target a phishing email. The target clicks the link. You’re in! But later on, you learn that the information you stole was meaningless and you may have exposed your own techniques or tools. Your adversary wanted you to succeed in the hack — to get information on you.
This is the value of honeypots, a deceptive cybersecurity practice that NATO used as part of its most recent exercise, NATO Cyber Coalition, which took place in Estonia and other locations from Nov. 16 to 20.
The exercise, coordinated through Estonia’s Cyber Security Training Centre, brought in more than 1,000 participants. Previous exercises have strived to mimic real-world challenges, such as Russian hybrid warfare techniques.
This year, “[We put out] machines that are sacrificial, that are what we call honeypots or honeynets,” said Alberto Domingo, a technical director for Cyberspace at the NATO Supreme Allied Transform Command on a call with reporters and other observers on Friday. “The idea is that the adversary will find it easier to attack these machines without knowing and they will do that and we will be preserving the information for NATO and interacting with this adversary.”
This experiment took the concept a step further than the standard use of deception techniques, he said, by “working with the adversary without his knowing...in order to derive: ‘what is their behavior?’”
The objective is to collect intelligence on the adversary without their being aware of it. “It’s answering the questions of who is the adversary? What type of adversary are we talking about? What do they want and what are they going to do next?” said Domingo.
The use of honeypots by governments is a relatively recent phenomenon.
In April 2017 Deborah Frincke, then NSA’s director of research, discussed how her agency had also begun to experiment with deceptive tactics as a means of gathering intelligence on adversaries.
During a breakfast put together by the National Defense Industry Association, Frincke said that a lot of commercially available cybersecurity software gave adversaries too much room to explore its vulnerabilities. It was too easy, she said, just to buy a copy of the software and hunt for an attack that didn’t set off obvious alarms.
“There are ways we can get defenses right and ways we can get defenses wrong. So if you always put out a system that always tells an adversary always when they’ve beaten it, that’s probably not the most productive way to proceed. If they sometimes will get feedback that’s incorrect, deceptive, that might be a better thing,” said Frincke. She said the NSA was looking at “Where might we go in terms of understanding defenses. We might think about defensive deception, for instance.”
Frincke said honeypots can give you a window into the adversary’s mindset. They can help answer such questions as “what will the adversary tend to do? How long will they keep at a task before they move? Can we use that to determine between a [human] adversary and an automated system?…Can we make them go away, worn out, or become indecisive? That’s getting at what is the cognitive load of the system we’re throwing at them. Can we give them a little more information that might actually be counterproductive to them, especially if it’s sometimes wrong? So you can start playing those games of what the adversary is actually doing…and think about it from a psychosocial standpoint, how much does that buy you?”
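The questions Domingo and Frincke pose (what type of adversary, how long they stay on a task, human or automated, what they go after next) are answered by analysing the telemetry the sacrificial machines produce. The script below is an added illustration, not code from NATO, the NSA or the exercise: it parses a constructed event log from hypothetical decoy hosts (the `decoy-*` names, field layout, the `/shares/finance/` lure path and both source addresses are invented), groups events by source, and derives a behaviour profile from request tempo (near-constant sub-second spacing is treated as scripted), the order of hosts visited, dwell time on each host before moving on, and which planted files were actually read.

```python
"""Profile interactions with sacrificial decoy hosts from their event log.

Constructed example: the log lines, host names, lure path and field layout
below are invented for illustration; they are not from any real deployment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events from hypothetical decoy hosts ("decoy-*").
# One source hammers logins at machine speed; the other browses and reads
# planted "finance" files at human speed before moving to a second decoy.
HONEYPOT_LOG = """\
2020-11-17T10:00:00.000 src=192.0.2.10 host=decoy-fs01 action=login user=admin result=fail
2020-11-17T10:00:00.500 src=192.0.2.10 host=decoy-fs01 action=login user=root result=fail
2020-11-17T10:00:01.000 src=192.0.2.10 host=decoy-fs01 action=login user=backup result=fail
2020-11-17T10:00:01.500 src=192.0.2.10 host=decoy-web01 action=login user=admin result=fail
2020-11-17T10:00:02.000 src=192.0.2.10 host=decoy-web01 action=login user=root result=fail
2020-11-17T10:00:02.500 src=192.0.2.10 host=decoy-web01 action=login user=backup result=fail
2020-11-17T10:05:00 src=198.51.100.23 host=decoy-fs01 action=login user=svc_backup result=ok
2020-11-17T10:05:12 src=198.51.100.23 host=decoy-fs01 action=list path=/shares/finance
2020-11-17T10:05:47 src=198.51.100.23 host=decoy-fs01 action=read path=/shares/finance/budget_draft.xlsx
2020-11-17T10:07:17 src=198.51.100.23 host=decoy-fs01 action=read path=/shares/finance/contracts.docx
2020-11-17T10:09:37 src=198.51.100.23 host=decoy-db01 action=login user=svc_backup result=ok
2020-11-17T10:09:57 src=198.51.100.23 host=decoy-db01 action=query table=personnel
"""


def parse_events(log_text):
    """Turn 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        event = dict(token.split("=", 1) for token in rest.split())
        event["ts"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def profile_source(events, lure_prefix="/shares/finance/"):
    """Summarise one source: tempo, hosts in first-visit order, dwell per host, lures read."""
    events = sorted(events, key=lambda e: e["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]

    # Track first and last event time per host; hosts are listed in first-visit order.
    hosts, span = [], {}
    for e in events:
        h = e["host"]
        if h not in span:
            hosts.append(h)
            span[h] = [e["ts"], e["ts"]]
        span[h][1] = e["ts"]
    dwell_seconds = {h: (last - first).total_seconds() for h, (first, last) in span.items()}

    # Which planted files were actually opened tells you which lures worked.
    lures = [e["path"] for e in events
             if e.get("action") == "read" and e.get("path", "").startswith(lure_prefix)]

    # Tempo heuristic (assumption of this example): sub-2-second, near-constant
    # spacing between events looks scripted; anything slower or irregular is
    # treated as human-like.
    if gaps and mean(gaps) < 2.0 and pstdev(gaps) <= 0.25 * mean(gaps):
        kind = "automated"
    else:
        kind = "human-like"

    return {
        "kind": kind,
        "event_count": len(events),
        "mean_gap_seconds": round(mean(gaps), 1) if gaps else 0.0,
        "hosts": hosts,
        "dwell_seconds": dwell_seconds,
        "actions": [e.get("action") for e in events],
        "lures_touched": lures,
    }


def analyze(log_text):
    """Group decoy events by source address and profile each source."""
    by_src = defaultdict(list)
    for e in parse_events(log_text):
        by_src[e["src"]].append(e)
    return {src: profile_source(evts) for src, evts in by_src.items()}


if __name__ == "__main__":
    for src, p in analyze(HONEYPOT_LOG).items():
        print(f"{src}: {p['kind']}, {p['event_count']} events, hosts {p['hosts']}, "
              f"dwell {p['dwell_seconds']}, lures {p['lures_touched']}")
```

On the constructed log, the first source is classified as automated (six login attempts at a fixed half-second cadence, one second on each decoy) and the second as human-like (irregular gaps averaging about a minute, 137 seconds on the file server reading two planted documents before moving to the database decoy). The tempo threshold is a starting heuristic for a defender's own tuning, not a standard; what matters is that every figure in the profile comes from activity the adversary performed against machines that hold nothing real.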
Just a month after Frincke gave that talk, Russian GRU actors attempted to breach the presidential campaign of French politician Emmanuel Macron. But unlike the DNC in 2016, the French had advance warning that they were targets. Macron’s team set up their own honeypot defense.
“We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,” the campaign’s digital director Mounir Mahjoubi told the New York Times. “I don’t think we prevented them. We just slowed them down,” Mahjoubi said. “Even if it made them lose one minute, we’re happy.”
Ian West, the chief of NATO’s Cybersecurity Centre, wouldn't say whether NATO currently employs honeypots in real-world settings. “We can’t go into what we do or don’t do in terms of our tactics,” West said. “We use every defensive means that’s available to us in order to defend our networks.”
But according to Frincke, the NSA conducted a series of internal exercises, which led to some surprising findings. “Does attacker awareness of defensive deception change its effectiveness? By and large,” she said, “it doesn’t.”