I do hope you’ll pardon this little touch of nerdiness as I explain the concept:
In the world of role-playing game Dungeons and Dragons, there is a well-known monster known as the Mimic. The Mimic, at first glance, looks like an ordinary treasure chest—much like one your adventuring party may have opened earlier that day. However, if anyone falls for the trick and attempts to open the Mimic chest, they’re greeted by a savage attack via a prehensile tongue and rows upon rows of razor-sharp teeth. These monsters are considered a staple trap in dungeon design, perfect for attracting the greedy and unobservant thief.
Being in charge of your enterprise’s IT security may not feel as fantastical as being in charge of a magical dungeon, but the principles are actually the same: you have treasure (databases) you want to protect and select traps (cybersecurity) to protect it. Topping off the comparison, endpoint security, intrusion detection services (IDS), and SIEM solutions actually do have their own Mimic-like tool: the honeypot.
What is the Honeypot?
Much like the mimic, the honeypot is a decoy with a compelling lure for the greedy and unobservant hacker: it’s designed to look like a functioning replica of your enterprise’s servers and databases. But while the data within the honeypot looks real, it’s actually completely isolated from the real server and can be closely monitored by your IT security team.
The titular “honey” of the honeypot is that this fake server has much weaker security protocols than your actual network. For example, the passwords to gain access to the honeypot network may be childishly simple. This will entice hackers looking for an easy score, deceiving them into taking the easy route instead of the much harder route to the actual network. Thus the trap is sprung.
Cybersecurity analysts can use the hacker’s behavior on the decoy servers to detect threats preemptively and discover the security holes that allowed them access. With this knowledge, your IT security team can deflect both the current attack and fortify the means to deflect future attacks.
There are actually two kinds of honeypot: the research honeypot and the production honeypot.
The research honeypot is designed to perform close analysis on hackers’ behaviors, learning their infiltration tactics and threat progression. This provides cybersecurity analysts the data to design better cybersecurity protections in the future. The honeypot’s data can also help them track stolen data through normally unseen channels and discover malicious network connections.
The production honeypot is the fully-fledged network decoy, complete with fake data caches to distract hackers. It provides security teams the time to find the threat, mitigate it before it reaches the real network, and record evidence for future prosecution.
How Does the Honeypot Work With Other Solutions?
A honeypot is a detection tool rather than a preventative solution; it works best when paired with endpoint security, an introduction detection system, and/or SIEM. The honeypot can gather threat information that by default has slipped past traditional preventative solutions—signatureless malware, fileless malware, and zero-day attacks. It can also help SIEM solutions’ logging capabilities for more comprehensive investigations and more accurate alerts.
The latter is especially important: a properly designed honeypot will only be found by a malicious threat actor rather than a legitimate user. Therefore, an SIEM solution with a honeypot can distinguish between a false positive and a real threat far more easily than a solution without one.
High-Interaction or Low?
You can deploy either a high-interaction or a low-interaction honeypot on your network. The latter may not be the most sophisticated of decoys, but they are easier to deploy and manage. The former, because it is a near-perfect replication of your real network, can give your IT security team much more accurate data on how a threat unfolds and how a hacker behaves. However, it requires more time and energy to deploy properly. You will need to examine your resources carefully and deploy the proper decoy for your enterprise.
What are the Drawbacks to the Honeypot?
Unlike the Mimic, honeypots generally don’t have teeth to actually remove a detected threat—hence its needs other solutions to support it. If you do configure your honeypot to strike back against attackers, know that liability issues surrounding counterattacks from honeypots is a murky area of the law. You may end up in more trouble than your hacker.
Decoys that encourage hackers to access the root access of the endpoint—which can provide analysts with extremely valuable data—can easily backfire if it accidentally allows the hacker into the network proper. Make sure you have the right configuration and that it is monitored for any loopholes.
Latest posts by Ben Canner (see all)
- Trend Micro Study Shows Cloud Misconfiguration as Major Threat - April 8, 2020
- Major Security Monitoring Challenges for Remote Workforces - April 7, 2020
- A Conversation with Travis Knapp-Prasek of NCC Group on Phishing Attacks - April 2, 2020