[BreachExchange] The Cybersecurity Honeypot: What You Need to Know

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 19 18:01:10 EDT 2018


https://solutionsreview.com/security-information-event-management/cybersecurity-honeypot-need-know/


I do hope you’ll pardon this little touch of nerdiness as I explain the
concept:

In the world of role-playing game Dungeons and Dragons, there is a
well-known monster known as the Mimic. The Mimic, at first glance, looks
like an ordinary treasure chest—much like one your adventuring party may
have opened earlier that day. However, if anyone falls for the trick and
attempts to open the Mimic chest, they’re greeted by a savage attack via a
prehensile tongue and rows upon rows of razor-sharp teeth. These monsters
are considered a staple trap in dungeon design, perfect for attracting the
greedy and unobservant thief.

Being in charge of your enterprise’s IT security may not feel as
fantastical as being in charge of a magical dungeon, but the principles are
actually the same: you have treasure (databases) you want to protect and
select traps (cybersecurity) to protect it. Topping off the comparison,
endpoint security, intrusion detection services (IDS), and SIEM solutions
actually do have their own Mimic-like tool: the honeypot.

What is the Honeypot?

Much like the mimic, the honeypot is a decoy with a compelling lure for the
greedy and unobservant hacker: it’s designed to look like a functioning
replica of your enterprise’s servers and databases. But while the data
within the honeypot looks real, it’s actually completely isolated from the
real server and can be closely monitored by your IT security team.

The titular “honey” of the honeypot is that this fake server has much
weaker security protocols than your actual network. For example, the
passwords to gain access to the honeypot network may be childishly simple.
This will entice hackers looking for an easy score, deceiving them into
taking the easy route instead of the much harder route to the actual
network. Thus the trap is sprung.

Cybersecurity analysts can use the hacker’s behavior on the decoy servers
to detect threats preemptively and discover the security holes that allowed
them access. With this knowledge, your IT security team can deflect both
the current attack and fortify the means to deflect future attacks.

There are actually two kinds of honeypot: the research honeypot and the
production honeypot.

The research honeypot is designed to perform close analysis on hackers’
behaviors, learning their infiltration tactics and threat progression. This
provides cybersecurity analysts the data to design better cybersecurity
protections in the future. The honeypot’s data can also help them track
stolen data through normally unseen channels and discover malicious network
connections.

The production honeypot is the fully-fledged network decoy, complete with
fake data caches to distract hackers. It provides security teams the time
to find the threat, mitigate it before it reaches the real network, and
record evidence for future prosecution.

How Does the Honeypot Work With Other Solutions?

A honeypot is a detection tool rather than a preventative solution; it
works best when paired with endpoint security, an intrusion detection
system, and/or SIEM. The honeypot can gather threat information that by
default has slipped past traditional preventative solutions—signatureless
malware, fileless malware, and zero-day attacks. It can also help SIEM
solutions’ logging capabilities for more comprehensive investigations and
more accurate alerts.

The latter is especially important: a properly designed honeypot will only
be found by a malicious threat actor rather than a legitimate user.
Therefore, a SIEM solution with a honeypot can distinguish between a false
positive and a real threat far more easily than a solution without one.
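The point above, that nobody legitimate has a reason to touch the decoy, is what makes a honeypot hit such a clean SIEM signal. The following is an added example, not code from the article or the list post, showing one way a SIEM correlation rule could use it: every source address seen on the decoy escalates that source's ordinary firewall and authentication events, while the same events from other sources stay at their normal priority. The log format, the sensor name "decoy", the hostnames and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re

# Constructed sample lines (not real logs): two from the decoy sensor, the rest from
# a production firewall and an application's authentication log.
SAMPLE_LOGS = """\
2018-04-19T18:01:10Z honeypot-01 decoy: connection from 203.0.113.45:51122 to tcp/22
2018-04-19T18:01:12Z honeypot-01 decoy: login attempt user=admin from 203.0.113.45
2018-04-19T18:01:20Z fw-edge firewall: ALLOW 203.0.113.45:51140 -> 10.0.5.20:443
2018-04-19T18:01:25Z app-01 auth: failed login user=jsmith from 203.0.113.45
2018-04-19T18:02:03Z fw-edge firewall: ALLOW 198.51.100.7:40211 -> 10.0.5.20:443
2018-04-19T18:02:09Z app-01 auth: failed login user=jsmith from 198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
# Source address: the IPv4 after "from " (decoy and auth lines) or the address
# directly after the verdict on firewall lines.
SRC_RE = re.compile(r"(?:from |ALLOW |DENY )(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

HONEYPOT_PROGRAMS = {"decoy"}  # assumption: the sensor logs under this program name


def parse_line(line):
    """Parse one log line into a dict; returns None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    src = SRC_RE.search(event["msg"])
    event["src"] = src.group("ip") if src else None
    event["from_honeypot"] = event["prog"] in HONEYPOT_PROGRAMS
    return event


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def honeypot_sources(events):
    """Every source that touched the decoy; legitimate users have no reason to."""
    return {e["src"] for e in events if e["from_honeypot"] and e["src"]}


def correlate(events):
    """Escalate production events whose source was already seen on the honeypot.
    Returns only the escalated events, each annotated with a severity and reason."""
    suspects = honeypot_sources(events)
    escalated = []
    for e in events:
        if e["from_honeypot"] or e["src"] not in suspects:
            continue
        escalated.append({**e, "severity": "high",
                          "reason": f"source {e['src']} previously touched honeypot"})
    return escalated


if __name__ == "__main__":
    for e in correlate(parse_logs(SAMPLE_LOGS)):
        print(e["ts"], e["host"], e["prog"], e["src"], e["severity"], e["reason"])
```

Run as a script it prints the two escalated events from 203.0.113.45 (the firewall ALLOW and the failed login) and nothing for 198.51.100.7, whose single failed login is the kind of noise a SIEM would otherwise have to weigh on its own. A production rule would add a time window and an allow-list for your own scanners, which is exactly why the decoy must be kept off any legitimate path.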

High-Interaction or Low?

You can deploy either a high-interaction or a low-interaction honeypot on
your network. The latter may not be the most sophisticated of decoys, but
they are easier to deploy and manage. The former, because it is a
near-perfect replication of your real network, can give your IT security
team much more accurate data on how a threat unfolds and how a hacker
behaves. However, it requires more time and energy to deploy properly. You
will need to examine your resources carefully and deploy the proper decoy
for your enterprise.

What are the Drawbacks to the Honeypot?

Unlike the Mimic, honeypots generally don’t have teeth to actually remove a
detected threat—hence it needs other solutions to support it. If you do
configure your honeypot to strike back against attackers, know that
liability issues surrounding counterattacks from honeypots are a murky area
of the law. You may end up in more trouble than your hacker.

Decoys that encourage hackers to gain root access to the
endpoint—which can provide analysts with extremely valuable data—can easily
backfire if they accidentally let the hacker into the network proper. Make
sure you have the right configuration and that it is monitored for any
loopholes.
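To make the low-interaction option and the "no real access" caveat concrete, here is an added example, not code from the article or the list post, of a minimal low-interaction decoy: a fake login prompt over TCP that records every credential attempt as a SIEM-style event and always answers "Login incorrect". There is no account database behind it and nothing to escalate into, which is the property the paragraph above asks you to verify. The banner text, the sensor name "telnet-decoy" and the in-memory event list are assumptions for the example; a deployment would forward the events to the SIEM and bind a plausible service port on an isolated host.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Constructed decoy banner; "decoy-host" is a placeholder, not a real system.
BANNER = b"decoy-host login: "

# Captured login attempts. A real deployment would ship these to the SIEM
# instead of keeping them in memory.
EVENTS = []
_LOCK = threading.Lock()


def build_event(src_ip, src_port, username, password):
    """One SIEM-ready record per attempt. Any connection to a decoy is suspicious
    by definition, so severity is fixed at high; the decoy never reports success."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "sensor": "telnet-decoy",  # hypothetical sensor name
        "src_ip": src_ip,
        "src_port": src_port,
        "username": username,
        "password": password,
        "severity": "high",
        "outcome": "rejected",
    }


class DecoyHandler(socketserver.StreamRequestHandler):
    timeout = 5  # idle clients are dropped so the decoy cannot be tied up

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        try:
            self.wfile.write(BANNER)
            username = self.rfile.readline().strip().decode("utf-8", "replace")
            self.wfile.write(b"Password: ")
            password = self.rfile.readline().strip().decode("utf-8", "replace")
            with _LOCK:
                EVENTS.append(build_event(src_ip, src_port, username, password))
            # The decoy only records and rejects; there are no real accounts behind it.
            self.wfile.write(b"\r\nLogin incorrect\r\n")
        except OSError:  # timeout or the client went away
            return


def start_decoy(host="127.0.0.1", port=0):
    """Start the decoy in a background thread. Port 0 picks a free port, which is
    convenient for self-testing; a deployment would bind a plausible service port."""
    server = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def captured_events():
    with _LOCK:
        return list(EVENTS)


def _recv_until(sock, marker):
    buf = b""
    while marker not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("decoy closed early")
        buf += chunk
    return buf


def probe(port, username, password, host="127.0.0.1"):
    """Client used only to exercise the decoy from the same process. Returns the
    decoy's reply after the credentials were sent."""
    with socket.create_connection((host, port), timeout=5) as s:
        _recv_until(s, BANNER)
        s.sendall(username.encode() + b"\r\n")
        _recv_until(s, b"Password: ")
        s.sendall(password.encode() + b"\r\n")
        reply = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:  # decoy closed the connection after rejecting
                return reply.decode("utf-8", "replace")
            reply += chunk


if __name__ == "__main__":
    server, port = start_decoy()
    print(probe(port, "admin", "admin123"))
    for e in captured_events():
        print(e)
    server.shutdown()
    server.server_close()
```

The design choice worth noting is that the handler has no success branch at all, so a misconfiguration cannot turn the decoy into a foothold; what still needs review is the host it runs on and what that host can reach, which code alone cannot guarantee.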