Although honeypots have been used for many a year, they have not - until recently - been a big part of information security strategy. With advanced attacks proliferating throughout the mainstream these days, security practitioners need to employ every tool, tactic, or process they can to bolster their information security posture.
While honeypots started out as devices to help detect bad guys on the perimeter, or for data collection and cybersecurity research, there is now a focus on creating honeypots inside the network to help identify attackers. Add in next-generation endpoint monitoring capabilities, and organizations are now better able to catch cyber criminals in the act, gain insight into their skillset, and stop them in their tracks. As the landscape has changed and the information security mentality revolves around the assumption that everyone is breached, what are you using to help find attackers and frustrate your foes?
Using a honeypot at the network perimeter to broadcast a vulnerable service and tasty-looking information is a great way to distract attackers from your crown jewels, monitor their activity, and devise new defenses for your data. The problem nowadays is that the cyber criminals of today aim less at your perimeter and go straight to the heart of your organization: the users. As such, the attacker is much more apt to enter your environment via malware or some social engineering ploy, circumventing your information security controls. While the perimeter honeypot still has its place in cybersecurity research, and in perimeter detection, it is giving way to the internal honeypot.
Internal honeypots will sit in production zones, configured much like other servers in the zone, albeit more vulnerable. The purpose of the internal honeypot is to entice attackers to, well, attack. If a system gets infected inside your environment and an attacker can pivot, this system will show up as a beacon for them. Once the attacker gains access to the server, which should be relatively easy for them, the information security operations team can track trends in attack methods, exploited vulnerabilities, and affected network zones. While having perimeter or internal honeypots seems like a novel idea, especially when the general assumption is that we’ve already been compromised, deploying these honeypots can present a different set of problems.
When it comes to deploying internal or perimeter honeypots, there can be setbacks aplenty. Getting buy-in to deploy honeypots, as well as dedicated resources from infrastructure teams can be painful. After a honeypot is deployed, the next step is to get alerts from the system. This can also take some time, as custom rules may need to be created on a SIEM or other log management and analysis system. While honeypots have generally been created from fake systems or services located on a production system, it is possible to simplify honeypot deployment with the use of endpoint monitoring and some well placed files.
An efficient, effective cybersecurity arsenal combined with a few dummy files may reduce the need for a dedicated honeypot. You can simplify things by creating a tantalizing - yet wholly fake - file in each of your file shares (or create fake file shares), monitor the files or shares via rules and/or policies in your endpoint monitoring solution, and alert on any attempts to read, write, or delete the dummy file. If you have a compromised system, data exfiltration is the logical next step, so the attackers will start looking for juicy files that may provide valuable information. By watching the honeypot files you reduce the scope of your monitoring efforts, and don’t need to count on the attacker being resourceful enough to hack into a system; they simply need to attempt to access a file.
Using, for example, a UEBA solution to ensure visibility of activities around sensitive data will provide valuable information to your security team with minimal effort. This methodology makes the dream of a single pane of glass just a little more real.
One of the major pitfalls to avoid when deploying a honeypot of any type is making it stick out like a sore thumb; you want the attacker to be enticed, not incredulous. Here are some steps to help keep your honeypot inconspicuous:
Honeypots are currently a growing trend in information security and may be the next big thing in cyber defense. Follow the above tips and you can have a stealthy and effective honeypot platform added to your cybersecurity arsenal!
And if you want to further enhance your threat detection knowledge grab our Insider Threat toolkit today.