The Channel logo

News

By | Darren Pauli 7th March 2016 08:30

Dell offers sweet, sweet, free honeypot tool to trap hungry hackers

Canary squeals when domain admin credentials are pinched

RSA 2016 Dell SecureWorks duo Joe Stewart and James Bettke have created a free honeypot loaded with fake domain credentials in a bid to help admins trap and block attackers.

The researchers built the Domain Controller Enticing Password Tripwire (DCEPT) tool designed to help organisations unmask hackers and shore up defences ahead of attacks.

Windows Active Directory credentials are among the most common and handy tools in an attacker's arsenal and the pair hope to foil those who access them with the tool.

Network administrators often use domain administrator accounts to access network computers. If any of those machines are compromised, attackers can swipe the credentials stored in cache using tools like Mimikatz.

"With this information, the attacker gains total control of the network," the pair say.

"These types of attacks can potentially terminate a company’s ability to do business.

"Espionage or advanced-persistent-threat-style attacks have used this technique for years to compromise networks and steal protected data."

The pair say the method is as common as it is effective, and has led to fleets of computers being permanently destroyed.

"Even with reliable and recent data backups, the manpower it would take to restore an entire enterprise network is daunting."

Stewart and Bettke, both seasoned forensic investigators, say solutions that identify anomalies are expensive and must be trained to capture normal behaviour.

The DCEPT tool launched at the RSA San Francisco conference last week will identify what credential or honeytoken was stolen and from which machine.

It sports an agent that drops honeytoken passwords into memory on endpoints, a network service that generates unique honeytokens at the request of an agent, and a sniffer service that looks at network traffic for signs that credentials are being stolen.

The tool can be downloaded from GitHub and is available as a Docker container. ®

comment icon Read 6 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'