Microsoft creates fake Azure tenants to pull phishers into honeypots

October 19, 2024 at 10:41AM

Microsoft is using deception against phishing operators: realistic honeypot Azure tenants that look like production environments and draw in attackers who have been handed credentials for them. The intelligence gathered lets Microsoft map attacker infrastructure, disrupt campaigns, and keep adversaries engaged in a fake environment for weeks. Ross Bevington described the programme in a talk at BSides Exeter.

### Key Takeaways:

1. **Deceptive Tactics Against Phishing:**
Microsoft is employing honeypot tenants designed to mimic legitimate environments to lure cybercriminals and gather intelligence.

2. **Intelligence Collection:**
The data harvested allows Microsoft to map out malicious infrastructure, understand advanced phishing tactics, disrupt campaigns, and identify cybercriminals.

3. **Presentation Insight:**
Ross Bevington, Microsoft’s “Head of Deception,” presented these findings at the BSides Exeter conference, detailing their approach to combat phishing.

4. **Honeypot Strategy:**
Bevington developed a “hybrid high interaction honeypot” utilizing resources from retired platforms to monitor both novice and advanced cybercriminals.

5. **Active Engagement:**
Unlike a traditional honeypot that passively waits for attackers to find it, Microsoft actively feeds the bait: it visits known phishing sites and submits honeypot credentials to them, so the attackers who harvest those credentials then log into the decoy tenants.

6. **Monitoring and Logging:**
Microsoft monitors roughly 25,000 phishing sites a day. About 20% of them receive honeypot credentials; the remainder cannot be fed because the phishing pages' own anti-automation measures, such as CAPTCHAs, block the submission.

7. **Data Analysis:**
Once an attacker uses the credentials to sign in, the decoy tenant logs every action in detail: source IP addresses, browser and user-agent details, geographic location, and the sequence of actions the attacker takes inside the environment.

8. **Deception Efficiency:**
Attackers take about 30 days on average to realise they are inside a fake environment; during that window Microsoft is collecting actionable threat intelligence on their tooling and behaviour.

9. **IP Address Correlation:**
Fewer than 10% of the IP addresses collected can be matched to existing threat-intelligence databases, meaning most of the attacker infrastructure observed through the honeypots was not previously recorded.

10. **Threat Attribution:**
The gathered intelligence assists in attributing attacks to financially motivated groups or state-sponsored actors, including notable threats like Russia’s Midnight Blizzard (Nobelium).

11. **Innovative Scale:**
While deception tactics in cybersecurity are not new, Microsoft leverages its extensive resources to pursue threat actors and their methodologies on a much larger scale.
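The takeaways above describe a pipeline rather than code: seed honeytoken credentials into phishing sites, watch the decoy tenant's sign-in log for those credentials, record who used them and from where, then check how much of that infrastructure existing threat feeds already know about. The following Python block is an added example of that triage step, not Microsoft's code. The JSON sign-in records, the honeytoken accounts, the lure URLs and the threat-feed block list are all constructed for the example, and the field names are an assumption loosely modelled on cloud sign-in logs.

```python
"""Honeytoken sign-in triage (added example, not Microsoft's code).

Given a list of seeded honeytoken credentials and a sign-in log, flag every
use of a honeytoken, enrich each hit with what the log tells us about the
attacker, measure how long the lure took to be used, and report what share
of the attacker IPs an existing threat-intelligence list already covers.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed: honeytoken accounts, and where and when each was "phished".
HONEYTOKENS = {
    "finance.lead@contoso-honey.example": {
        "seeded_at": "2024-09-01T08:00:00Z",
        "seeded_to": "hxxps://login-m1crosoft[.]example/",
    },
    "it.admin@contoso-honey.example": {
        "seeded_at": "2024-09-03T12:30:00Z",
        "seeded_to": "hxxps://sso-verify[.]example/",
    },
}

# Constructed: a threat-intelligence block list of attacker networks.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in events, one JSON object per line. Field names are an
# assumption; a real tenant log has its own schema. "alice" is a real user
# and must not be flagged; the failed it.admin sign-in still counts, because
# nobody but an attacker should know that password at all.
SAMPLE_LOG = """\
{"ts":"2024-09-01T09:30:00Z","user":"finance.lead@contoso-honey.example","ip":"203.0.113.7","ua":"python-requests/2.31","country":"NL","result":"success"}
{"ts":"2024-09-01T09:31:00Z","user":"finance.lead@contoso-honey.example","ip":"203.0.113.7","ua":"python-requests/2.31","country":"NL","result":"success"}
{"ts":"2024-09-02T03:40:00Z","user":"alice@contoso-honey.example","ip":"198.51.100.9","ua":"Mozilla/5.0","country":"US","result":"success"}
{"ts":"2024-09-05T22:05:00Z","user":"it.admin@contoso-honey.example","ip":"198.51.100.42","ua":"Mozilla/5.0 (Windows NT 10.0)","country":"RU","result":"success"}
{"ts":"2024-09-06T01:10:00Z","user":"it.admin@contoso-honey.example","ip":"192.0.2.77","ua":"curl/8.4.0","country":"DE","result":"failure"}
"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_known_bad(ip):
    """True if the address falls inside any network on the threat-intel list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def triage(log_text, honeytokens=HONEYTOKENS):
    """Return (hits, summary) for every honeytoken use found in the log.

    Each hit carries the attacker's IP, user agent, country and result, the
    lure the credential came from, and how many hours after seeding it was
    used. The summary gives unique attacker IPs, the fraction of them already
    on the threat-intel list, and time-to-first-use per honeytoken.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        token = honeytokens.get(event["user"])
        if token is None:
            continue  # a real account; not a honeytoken use
        latency = _parse_ts(event["ts"]) - _parse_ts(token["seeded_at"])
        hits.append({
            "user": event["user"],
            "lure": token["seeded_to"],
            "ip": event["ip"],
            "ua": event["ua"],
            "country": event["country"],
            "result": event["result"],
            "hours_after_seeding": round(latency.total_seconds() / 3600, 1),
            "ip_in_threat_feed": is_known_bad(event["ip"]),
        })

    unique_ips = {h["ip"] for h in hits}
    matched_ips = {ip for ip in unique_ips if is_known_bad(ip)}
    first_use = {}
    for h in hits:
        prev = first_use.get(h["user"], h["hours_after_seeding"])
        first_use[h["user"]] = min(prev, h["hours_after_seeding"])

    summary = {
        "hits": len(hits),
        "unique_ips": len(unique_ips),
        "threat_feed_match_ratio": (len(matched_ips) / len(unique_ips)) if unique_ips else 0.0,
        "hours_to_first_use": first_use,
    }
    return hits, summary


if __name__ == "__main__":
    found, stats = triage(SAMPLE_LOG)
    for hit in found:
        print(json.dumps(hit))
    print(json.dumps(stats, indent=2))
```

On the constructed log this flags four honeytoken sign-ins from three distinct IPs, of which only one is on the threat-intel list, and shows the first lure being used 1.5 hours after seeding and the second about 57.6 hours after. The match ratio is the metric behind takeaway 9: the lower it is, the more of the observed infrastructure is new to existing feeds. The per-hit records (IP, user agent, country, action result) are the raw material for the infrastructure mapping and attribution described in takeaways 7 and 10.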
