Dell Open Sources DCEPT, a Honeypot Tool For Detecting Network Intrusions (helpnetsecurity.com)

← Back to Stories (view on slashdot.org)

Dell Open Sources DCEPT, a Honeypot Tool For Detecting Network Intrusions (helpnetsecurity.com)

Posted by BeauHD on Tuesday March 8, 2016 @09:34AM from the not-to-be-confused-with-honey-bucket dept.

An anonymous reader writes: Dell SecureWorks researchers have developed a tool that allows Windows system administrators to detect network intrusion attempts and pinpoint them to the original source (i.e. a compromised endpoint), and have made it available for everybody. The tool is called DCEPT (Domain Controller Enticing Password Tripwire). It consists of: The DCEPT Generation Server, which creates unique honeytoken credentials for Active Directory (AD), the Windows component used by network administrators to manage accounts, processes, and permissions on devices within their domain. The DCEPT Agent, which introduces them daily into the memory of each endpoint on the network. The DCEPT Sniffer, which looks for Kerberos pre-authentication packets destined for the AD domain controller that match the honeytoken username. If it detects one, it alerts the network administrator and points towards the compromised workstation. DCEPT has been open sourced and is available on GitHub, along with instructions for deployment.

37 comments

Min score:

Reason:

Sort:

Worthless by 110010001000 · 2016-03-08 09:36 · Score: -1, Troll

Worthless. If you are running Windows your network has already been compromised.
1. Re: Worthless by Anonymous Coward · 2016-03-08 10:04 · Score: -1
  
  Or Active Directory. Bugs with it typically affect all of your systems that use it. It's the same reason when I work on classified software we stopped using Yellow Pages.
2. Re:Worthless by Anonymous Coward · 2016-03-08 10:20 · Score: 0
  
  Worthless. If you are running Windows your network has already been compromised.
  Speaking of worthless, it's 2016 and the Year of the Linux Desktop is still a fucking pipe dream.
  If you're running anything other than Windows in business, your revenue potential is likely compromised.
  - Fellow Troll
3. Re:Worthless by 110010001000 · 2016-03-08 10:23 · Score: 1
  
  Hate to break it to you: but you are already running Linux in your business. You just don't know it.
4. Re:Worthless by Anonymous Coward · 2016-03-08 10:58 · Score: 1
  
  Hate to break it to you: but you are already running Linux in your business. You just don't know it.
  Hate to break it to you, but the CxO doesn't really give a shit beyond their Outlook, Internet Exploder, Exchange, and MS Office toolset.
  One could argue that Java runs the world, except that CFOs still think you're talking about a pot of fucking coffee.
5. Re:Worthless by Anonymous Coward · 2016-03-08 11:44 · Score: 0
  
  Depends on what kind of business and on what kind of task.
6. Re:Worthless by Anonymous Coward · 2016-03-08 13:21 · Score: 0
  
  I have Windows, FreeBSD, OpenBSD, Macs, Cisco IOS, and an old SystemV box. All phones are Windows or iPhones. There is no DD-WRT, Linux NAS boxes, or Android phones. Please point to the Linux.
7. Re:Worthless by Anonymous Coward · 2016-03-08 15:00 · Score: 0
  
  The Cisco Nexus switches in your data center. The Cisco VOIP phones. Your security cameras. Your APC UPS. Your McAfee Email Gateway. wait, there's more, but I'm getting bored.
8. Re:Worthless by Anonymous Coward · 2016-03-08 15:17 · Score: 0
  
  Oh yeah, the F5 load balancers, the TVs in your video wall, AMX controllers, polycoms, tandbergs (the non0windows ones), the bluecoats, the Intrushield NSPs, the Sourcefire sensors, your EMC VNX+ series storage (if you still have CX3's or CX4's, congrats - you are running Windows XP embedded - and relying on a "custom" (secretly Linux-based FLARE OS) as the backend), your NETAPP (we all know what's really in there), vmware (yes, every friggin piece - except vcenter *on windows with SQL server*, but even then the friggin HV is linux), Citrix, OpenStack, bored again... I intentionally left the Isilon storage nodes off the list, but they are FreeeBSD based disasters of OSS hell...
  And I pick on the devices/OSS but love it.
  I challenge you to accurately describe your secure, enterprise infrastructure in a way that truly precludes Linux in *SOME* product (BTW: I'll bet a year's pay you lose).
Bandaids instead of a cure by Anonymous Coward · 2016-03-08 09:38 · Score: -1

Here's a better way to prevent intrusions: Stopping let Winders clients and Winders Server on your network. Stop treating symptoms and just cut out the cancer.
And to start the Admin UI you would click on the by HumanWiki · 2016-03-08 09:39 · Score: 5, Funny

DCEPT Icon?
Point-and-grunt by Anonymous Coward · 2016-03-08 09:40 · Score: -1

Requires running shell scripts? Welp that eliminates 99% of all Windoze Admins who can't use anything without a point-and-droll interface.
Re:And to start the Admin UI you would click on th by Anonymous Coward · 2016-03-08 09:47 · Score: 0

... there are no words... this just made my day. Thank you sir
Re:And to start the Admin UI you would click on th by BeauHD · 2016-03-08 09:53 · Score: 1

*slow clap*
Re:And to start the Admin UI you would click on th by Anonymous Coward · 2016-03-08 09:54 · Score: 0

Mod this fucker up!
Tripwire? by ickleberry · 2016-03-08 09:55 · Score: 2

Misread as 'tripeware', which tbh is all I can imagine it being when Dell has put their name to it
1. Re:Tripwire? by httptech · 2016-03-08 16:37 · Score: 1
  
  Well that's kind of hurtful...
2. Re:Tripwire? by Anonymous Coward · 2016-03-09 01:10 · Score: 0
  
  Its SecureWorks, not Dell. Big difference.
A Honeypot tool for detecting Windows intrusions by tetraverse · 2016-03-08 09:55 · Score: 1

"DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft's Active Directory." ref
Re:And to start the Admin UI you would click on th by HumanWiki · 2016-03-08 10:01 · Score: 1

Thanks all.. It certainly does have the potential to Transform security.
Re:A Honeypot tool for detecting Windows intrusion by codeAlDente · 2016-03-08 10:06 · Score: 1

I, for one, consider this more of a honeydick than a honeytoken or a honeypot.

--
He once inserted random mutations into his code, just so he could have the experience of debugging.
Re:And to start the Admin UI you would click on th by ItsJustAPseudonym · 2016-03-08 10:31 · Score: 1

Humor in disguise.
The Year of Open Source on the Planet by wjcofkc · 2016-03-08 10:45 · Score: 1

For the longest time the never arriving "Year of Linux on the Desktop" was to herald the success and legitimization of Open Source Software. Perhaps we were a bit narrow minded. Linux as a desktop OS, however popular and yes I am a user of 20 years myself, is dwarfed in the world of Open Source by so many massively successful and important products. Over the last couple of years we have seen many major companies, traditionally closed source all the way, begin to Open Source massive products. Even Microsoft, as they migrate their business model to a cloud company, is increasingly investing efforts in Open Source. Likely there will always be closed source platforms, but it is looking increasingly likely that they will wholly depend on a larger Open Source ecosystem. The year of Open Source is here and now.

Awaiting rebuttals, criticism and commentary.

--
Brought to you by Carl's Junior.
1. Re:The Year of Open Source on the Planet by rahvin112 · 2016-03-08 13:54 · Score: 1
  
  The year of the Linux Desktop was achieved long ago with the success of Android. In 2015 Android controlled 65% of cellular phones in the US, 70% in Europe and similar or higher numbers throughout the rest of the world. Nearly 3/4s of the world cellular devices are now Linux based.
  That success is expanding rapidly in things like Chromebooks which have been in the top 3 sales spots on Amazon for something like 3 years straight.
  Linux is here and has been for a long time now, did you miss it? Or are you trying to argue that it's not a "desktop" because it's on a phone.
Re:And to start the Admin UI you would click on th by Anonymous Coward · 2016-03-08 11:11 · Score: 0

Well the SW reminds me of a movie. Maybe it is the Mega Tron?
Snort, Fail2ban, Nagios, Wireshark, Tripwire, etc. by Freshly+Exhumed · 2016-03-08 11:28 · Score: 1

Any IT manager who uses the most compromisable OS on which to base intrusion detection and security tools needs to have hizzerher ass fired. Out of a cannon. Into the sun.
Open source tools like in the title of this post need to run on a hardened Unix/Linux platform.

--
I deny that I have not avoided attaining the opposite of that which I do not want.
R&D by ISoldat53 · 2016-03-08 12:07 · Score: 1

I know I asked this before, but, Dell has an R&D?
1. Re: R&D by Anonymous Coward · 2016-03-08 12:28 · Score: 0
  
  Correct. Dell has 1 R&D.
2. Re: R&D by Anonymous Coward · 2016-03-08 13:59 · Score: 0
  
  Correct. Dell has 1 R&D.
  Yep, the D-department in particular has a rock-solid reputation. Dell just loves the D.
3. Re:R&D by ratsg · 2016-03-08 20:38 · Score: 1
  
  I know I asked this before, but, Dell has an R&D?
  Back in the day Dell had their own Sys V Unix.
  http://virtuallyfun.supergloba...
  Now.... not so much.
Re:Snort, Fail2ban, Nagios, Wireshark, Tripwire, e by Anonymous Coward · 2016-03-08 13:24 · Score: 0

This runs on Linux.
Dude it's a cunt by Anonymous Coward · 2016-03-08 15:28 · Score: 0

Global Mother Fucking Spyware.
Re:Snort, Fail2ban, Nagios, Wireshark, Tripwire, e by Anonymous Coward · 2016-03-09 02:18 · Score: 0

My terminal switching tool, I mean my desktop OS, is still Windows simply because even companies that sell Linux based products demand a windows environment for management tools. VMWare/EMC/Dell I am looking at you.
Also, anyone that refers to NT > 5.1 as "The most compromisable OS" is spitting back dogma not real world insight. Go count the number of outstanding CVEs for Win 2012r2 Vs OSX. Still got a ppc XServe or 3 in use? Have fun with getting any support or patches on those. (Shellshock anyone?)
Not saying Windows is the greatest thing ever, but it sure as hell ain't the worst.
Re:Snort, Fail2ban, Nagios, Wireshark, Tripwire, e by Anonymous Coward · 2016-03-09 02:42 · Score: 0

Um.. Hey dumbass you may want to read the article. This is a tool to run on your existing Windows production infrastructure to find which Windows systems are currently compromised.
Requires... by Anonymous Coward · 2016-03-09 04:08 · Score: 0

Requires yet another C# agent be installed on every workstation.Windows is already slow enough, after installing antivirus software. Then you pile on all the various security, tacking filtering and management agents, GPO and the shit doesn't have enough resources to do any other work, like business.
Having to build a workstation with four or more core i7 processors, 12-16GB of RAM, SSD hard drive, and gigabit networking just to be able to reduce the boot time from a ludicrous several minutes down to a couple of minutes to then be able to fiddle with Excel spreadsheets is the state of the art? The state of the art SUCKS!
Pass on this, yet another buggy agent.
Re:And to start the Admin UI you would click on th by cant_get_a_good_nick · 2016-03-09 04:52 · Score: 1

Megatron, a.k.a. Calvin Johnson, just retired from the NFL. I guess he ran out of Energon.
Comon Dell by Anonymous Coward · 2016-03-09 05:40 · Score: 0

Great. A tool for windows that runs on Linux. It should be windows based if it's being run for windows networks.