The honeypot is best known as a spy fiction concept. Generally, the term refers to an alluring agent whose job is to draw the attention of the target. Honeypots are also a tactic used in cybersecurity, and though the details are less sensational, the idea is essentially the same.
In most cases, hackers are looking for low-hanging fruit — essentially, cyber assets with the highest value and weakest security. Honeypots are designed to look like prime targets; they are intentionally coded to be easy to breach so that cybercriminals will attack the honeypot rather than something else inside the information technology infrastructure. What the hackers don’t know, however, is that honeypots are just decoys that look good from a distance but don’t contain anything of value.
A recent survey conducted by the Neustar International Security Council shows that 72% of respondents either already use or are willing to use honeypots or similar technologies, and it’s not hard to see why: When hackers spend all of their energy attacking worthless targets, companies are spared the worst consequences of cyberattacks. A research honeypot can also serve forensic purposes, quietly gathering data about the hackers who stole it.
While honeypots shouldn’t serve as the centerpiece of a cybersecurity strategy, they should be considered a crucial component of one.
Who Should Use Honeypots, And How?
Most companies can benefit from honeypots. Realistically, the only companies that can’t are those with ironclad cybersecurity that guarantees hackers can’t get past the defensive perimeter. Few, if any, organizations in the world have security so consistent, meaning that everyone should consider using honeypots.
The question then becomes this: What kind of honeypot should you use? In many cases, an off-the-shelf solution will work fine for companies with relatively straightforward IT infrastructures. These solutions can also be used to lure in a specific type of attack — especially the kind that a cybersecurity strategy doesn’t often catch. However, companies with complex IT infrastructures — systems that are vulnerable to a range of attacks — are better off outsourcing custom honeypot development.
Regardless of the source, companies must choose between low- and high-interaction honeypots. Low-interaction options sit at the router or gateway level and exist to lure in attacks and isolate the resulting damage, essentially taking one for the team. High-interaction honeypots take longer for hackers to identify as fake. While the ruse is still intact, the honeypot collects data about the hacker’s attack strategy that can be studied to predict and defend against future attacks.
Not surprisingly, cybersecurity companies and antivirus providers are the biggest users of honeypots, but technology is useful in other industries, too. In retail, where credit card numbers are at high risk, a honeypot full of fake card numbers means successful attacks are basically inconsequential. Other industries that deal with sensitive data in high volumes (especially government, financial services, and healthcare) can all benefit from hiding a decoy inside the data.
The Do’s and Don’ts of Honeypot Use
In a moment, I’ll share my company’s own experience with honeypots. But the do’s and don’ts are just as important. Consider the following:
* Do: Incorporate various tools to assess the activities that the honeypot monitors. For example, if it’s the honeypot intended to run the malware, use various antiviruses and firewalls to detect malicious activities.
* Do: Use machine learning and next-generation approaches to analyze the monitored activities instead of creating heuristics. There are no simple algorithms to analyze the data from multiple sources such as file activity, network interactions, process and thread creation events, and so on.
* Don’t: Create a high-interaction honeypot in which an attacker may execute something in the actual operating system. A honeypot must be the controllable environment in order to be safe; otherwise, the attacker may compromise OS and get access to the infrastructure or destroy it.
* Don’t: Expect speed and scalability from the high-interaction honeypots; a reliable environment for the multivector threats requires a lot of resources.
* Don’t: Use simple rules to whitelist the normal activities in the system. Even though this approach seems intuitive and straightforward, it takes around a month to increase the rules list by several hundred items, yet the new activities will still show up.
My Experience Developing A Honeypot
The concept of honeypots is simple, but the execution is more complex — and I discovered this when my company built one of its own.
Our goal was to develop a honeypot that could attract strains of malware and then collect information about how those specific strains attempted to harvest data. It was less about protecting assets and more about studying threats. We’d never built a honeypot before, so we needed to explore the resources it required for the kinds of malware we wanted to study.
We performed a fair amount of trial and error, but we eventually decided on a web-crawler server that scoured the web for suspicious links combined with a honeypot computer with monitoring software installed. The honeypot was directed to access the suspicious links. The monitoring software would then record any changes made to the browser (the ill effects of the malware) and send that information to a security analyst.
Our honeypot was active for about 18 months. Eventually, we concluded that a web crawler wasn’t the ideal tool, as it resulted in many links that required testing, meaning the honeypots would have to run on 1,000 different computers to be effective.
Our methods needed improvement, but even with a flawed approach, it was clear that honeypots could play an important role in a proactive cybersecurity strategy. In the end, it’s safe to assume honeypots are effective against cyberattacks and certainly worth considering when you’re looking to strengthen your cybersecurity measures.