Honeypots have been used in information security for decades to catch cyber attackers or malicious actors attempting to gain unauthorised access to a company network. The principle is incredibly simple: rather than trying to hunt attackers outright, IT teams can prepare an enticing area within the network and wait for the bad actors to come to them. In today's world of skilled and persistent attackers, honeypots can be a key tool to solving a difficult problem: how to detect an advanced attacker on a busy network?
Once in a network, modern attackers hide in the noise and by mimicking normal user behaviour, stealing and abusing credentials, for example. They are increasingly hard to detect. With honeypots, organisations create something that appears to be a legitimate asset, so any attempt to access it is instantly suspicious. Rather than trying to swat the fly from afar, it gets itself trapped in the sticky honeypot.
Honeypots for research
Researchers have been making effective use of honeypots. By creating fake computers, fake services or fake people, it is possible to see what kind of malicious activity is occurring on the internet. Particularly interesting examples of honeypot research include Kippo, which pretends to be a service and lets an attacker in after a number of password attempts in order to study what attackers do once on a system. Trend Micro created a number of SCADA/ICS honeypots that appeared to be industrial networks and found that attackers quickly compromised these services, with ominous implications for people running real internet-connected SCADA systems.
> See also: Cybercrime: the scourge of the digital economy
Using honeypots gives researchers deeper insight into what hackers are looking for, attempting to do and compromise within a corporate network. The research can then be used to help companies focus their defensive efforts.
Honeypots in business
Business use of honeypots is often limited. Where businesses use honeypots as part of their defences, they typically rely on traditional honeypots, i.e. a non-existent computer on the network or perhaps an entire network range, and then alert on any attempt to connect to the computer or range.
This can be effective, for instance by identifying an attacker who has gained access to the internal network and is port-scanning the entire range. However, many advanced attackers do not resort to 'noisy' techniques such as port scanning once on the internal network, they instead often rely on subtle lateral movement such as obtaining network maps and connecting directly to servers of interest. To catch such advanced attackers requires more sophisticated honeypots.
Attackers will often attempt to obtain administrative credentials to aid their movement around networks. They can do this by a number of means, from password-guessing attacks against administrative accounts, to more advanced attacks that allow them to carry out actions with the permissions of anyone using the computer they are accessing. Organisations can therefore create 'honeytokens', which are administrative accounts where an attempt to use the account alerts security staff to the presence of an attacker.
Any important asset that organisations fear an attacker may compromise as either a step towards their goal or as the goal itself can be the basis for a honeypot. Successful honeypots include fake files that an attacker might try to access, with attempted access to those files triggering an alert. Organisations have found that fake file servers that might lure an attacker, such as one described in network diagrams as 'Backup Fileshare' can also be successful.
A controversial form of honeypot is the creation of a fake person of interest. More targeted attackers will identify key individuals in an organisation and then target them directly with spear phishing emails. Once in a network, many attacking groups will attempt to steal the inboxes of people they consider important.
By creating a fake email account, it may be possible to gather intelligence relating to the malware being sent against real, high value employees. More importantly, any attempt to access the honeypot email account will alert the security team to the presence of an attacker stealing inbox contents.
However, there are some points to be careful of when using honeypots. Firstly, they can require time and resource to implement, both of which may already be limited in the organisation. Honeypots can also take time to integrate into the organisation's alerting infrastructure.
> See also: CIO survival tips in a zero trust environment
Certain types of honeypot, such as file and fileshares, can often be visited by curious employees and it can only take a small number of such benign triggers for the alert to lose its value in the eyes of the security team. The creation of email accounts or people can be difficult, particularly if that person is listed externally as there could be regulatory issues from publically listing a fake high value employee, which would be necessary for the effectiveness of the honeypot.
Five tips for a successful honeypot:
Base the honeypot on a real asset you’re concerned might be compromised
Reference the honeypot anywhere you reference real assets
Make sure honeypots are known to only those few running them
Have a process for rapidly investigating alerts generated by the honeypot
Have a process for investigating real assets should honeypot alerts indicate an attacker
Honeypots can be a highly effective and efficient way of alerting security teams to attackers, even those who are more advanced. However, to be effective requires the honeypot to be well implemented, maintained, and monitored.
Sourced from David Chismon, senior researcher at MWR InfoSecurity