Vulnerabilities / Threats
10/1/2013
05:05 PM

5 Reasons Every Company Should Have A Honeypot

A staple of the computer-security toolbox for more than two decades, honeypots can provide companies with unique benefits

In January 1991, a group of Dutch hackers attempted to break into a system at Bell Labs, only to be directed into a digital sandbox administered by one of the research groups at AT&T. In an account of the five-month incident involving one of the first computer honeypots, Bill Cheswick voiced a complaint about such systems that has been repeated frequently since: "How much effort was this jerk worth? It was fun to lead him on, but what's the point?"

Yet, increasingly, companies are seeing a point. Businesses are deploying honeypots focused specifically on alerting defenders to an attacker's presence. Such systems tend to have a low false positive rate, can detect both insiders and external hackers and, best of all, should require little maintenance after setup.

"If we look at the next generation of attacks, attackers are using less and less malware, they just find valid credentials online," says John Strand, a pentester with consultancy Black Hills Information Security and an author of the book, Offensive Countermeasures: The Art of Active Defense. "They simply just log in and they can walk in the front door as a legitimate user."

To detect such breaches, companies can use sophisticated anomaly detection or simply stand up some simple servers that should never be accessed. Those honeypots can alert the security team when someone is poking around where they should not, he says.

While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.

1. Low false positives, high success
Every attacker worth their salt first tests their malware against the popular known security measures out there. Just by checking whether their program dodges detection by Symantec's and McAfee's anti-malware scanners, attackers have fooled systems that more than 80 percent of companies rely on, says Black Hills' Strand.

"A lot of traditional defensive technologies don't have a lot of value against advanced attackers, because the bad guys have the means and the resources to ensure that their attack is going to work," he says.

Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.

2. Able to confuse attackers
Honeypots can also be used to slow down the attackers who successfully get into a company's network. Using a virtual system, a company can create a variety of decoys that can distract the attackers and cause them to take more time to find the valuable data.

"Decoys are all about moving the threat from the real assets to the fake one, at the same time alerting you to the threats," says Michael Davis, chief technology officer for CounterTack, a security firm that recommends more active defenses.

[A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats. See Tech Insight: Time To Set Up That Honeypot.]

Another approach is to use honey tokens, fake data seeded within database records that should not otherwise be accessed, he says. By placing rules in the firewalls to alert on the unique data, a company can detect whenever a user or hacker downloads the information.
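As an added illustration of the honey-token idea described above (example code written for this page, not part of the article, ADHD or any vendor product): a fake customer record is seeded with a random, never-legitimately-used value, and a detector scans constructed database-audit and egress-proxy log lines for that value, reporting which internal host moved it. A helper also renders the token as a Snort/Suricata-style content rule, which is the "rule in the firewall" the article refers to. All tokens, hostnames and log lines below are constructed.

```python
import re
import secrets
from dataclasses import dataclass


def make_token(prefix="hnyt"):
    """Create a honeytoken value. It is random, so a real record cannot
    collide with it and any sighting is itself the signal."""
    return f"{prefix}-{secrets.token_hex(8)}"


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned log
    token: str     # which seeded value was seen
    src: str       # internal host that moved it, if the log records one
    raw: str       # the offending log line


# Constructed log convention: every line carries "src=<ip>".
SRC_RE = re.compile(r"\bsrc=(\S+)")


def scan_lines(lines, tokens):
    """Return one Hit per log line that carries any honeytoken.

    Plain substring matching is enough: the tokens are random strings that
    no legitimate process should ever read, so no fuzzy matching is needed
    and the false positive rate is essentially zero."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in tokens:
            if tok in line:
                m = SRC_RE.search(line)
                hits.append(Hit(n, tok, m.group(1) if m else "unknown", line))
    return hits


def snort_rule(token, sid):
    """Render the token as a Snort/Suricata-style content rule so the
    network sensor alerts when the value crosses the perimeter
    (rule syntax assumed from the public Snort rule format)."""
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"Honeytoken {token} leaving the network"; content:"{token}"; '
        f'sid:{sid}; rev:1;)'
    )


# Constructed seed values: a fake e-mail address and a fake card-like number
# placed in rows that no application or report ever selects.
SEED_TOKENS = [
    "hnyt-3f9c2a17b4d08e61@example.com",
    "4111-HNYT-0007-2291",
]

# Constructed sample log: two DB audit lines, then two egress proxy lines.
SAMPLE_LOG = [
    '2013-10-01T14:02:11Z src=10.1.4.22 db=crm query="SELECT name,email FROM customers WHERE id=4521"',
    '2013-10-01T14:02:13Z src=10.1.4.22 db=crm query="SELECT * FROM customers"',
    '2013-10-01T14:05:40Z src=10.1.4.22 proxy POST https://paste.example.net/upload body_has=hnyt-3f9c2a17b4d08e61@example.com',
    '2013-10-01T14:06:02Z src=10.1.7.9 proxy GET https://intranet.example.com/home',
]


if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG, SEED_TOKENS):
        print(f"ALERT line {h.line_no}: host {h.src} moved honeytoken {h.token}")
    for i, tok in enumerate(SEED_TOKENS, 9000001):
        print(snort_rule(tok, i))
```

The full-table SELECT on line 2 is invisible to a query-text scanner because the token is in the result set, not the query; that is why the article pairs the seeded data with a rule on the egress path, where line 3 is caught.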

3. Only a time sink, if you allow it
Companies can deploy one of two types of honeypots. The first is a research honeypot--an instrumented virtual system that hosts a vulnerable operating system and is put on a network accessible to the Internet. The problem with research honeypots is that they require a lot of time to set up, monitor for threats, and then analyze the resulting compromise. While companies can learn a lot about attackers from such systems, they typically require too much time to be of use in an enterprise whose business is anything other than security.

"Research honeypots tend to be the tool of choice for university students to observe attacker behavior," Strand says. "That's neat but for the rest of us, we have real compromises to take care of."

Production honeypots, on the other hand, are systems that emulate something of business value to the company. They can be a Web server, workstation, database or just a document. They are low-interaction systems, which means that the security team just sets them up and then can worry about other things until a user interacting with the honeypot sets off an alert.
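The low-interaction production honeypot just described, and the "simple servers that should never be accessed" Strand mentions earlier, can be as small as the listener below. This is an added example written for this page, not code from the article, from ADHD or from KFSensor. It presents a decoy banner on a port that no legitimate user has any reason to touch, records whatever the client sends first, and turns every connection into a JSON alert record; the port, banner and service label are constructed assumptions.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy settings: pick a port nothing real listens on, so that
# any connection at all is worth an alert.
LISTEN_PORT = 2222
SERVICE_NAME = "decoy-ssh"
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # decoy banner text, constructed


def build_alert(peer, first_bytes, service=SERVICE_NAME):
    """Turn one connection into an alert record.

    Kept free of I/O so it can be unit-tested and reused by other decoys."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "severity": "high",          # nobody should be here, so no triage needed
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes_received": len(first_bytes),
        # hex-encode so binary probes cannot corrupt a line-oriented log
        "sample": first_bytes[:64].hex(),
    }


def handle_connection(conn, peer, sink=print):
    """Serve one client: send the banner, grab the first bytes, close, alert.

    The decoy never interprets the client's input, which is what keeps it
    low-interaction and low-maintenance."""
    conn.settimeout(5)
    try:
        conn.sendall(BANNER)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
    finally:
        conn.close()
    alert = build_alert(peer, data)
    sink(json.dumps(alert))          # sink could be syslog, a SIEM, a pager...
    return alert


def serve(port=LISTEN_PORT, host="0.0.0.0"):
    """Accept connections forever, one thread per client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            threading.Thread(
                target=handle_connection, args=(conn, peer), daemon=True
            ).start()


if __name__ == "__main__":
    serve()
```

Run it on a host that is on the inventory but has no business function, and route `sink` to the same place as the rest of the team's alerts; because the decoy does nothing else, the only tuning it ever needs is an allow-list for the scanner that inventories your own network.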

4. Help train your security team
With technical security professionals still in short supply, honeypots can also be used as essential training tools, says CounterTack's Davis. By using honeypots to watch the attackers' actions, the defenders can learn about the latest techniques.

"A lot of security teams, when they start deploying honeypots, they really start understanding how these attackers work," he says. "They see the steps the attacker takes, but also figure out how to stop the intermediary steps in their own network."

5. Many free options
Finally, there are a lot of free options for companies to get started with honeypots. At the Black Hat Security Briefings in Las Vegas, Strand and three colleagues released a collection of active defense tools, wrapped in a single Linux ISO distribution dubbed the Active Defense Harbinger Distribution (ADHD).

For those who prefer Windows, KFSensor is a popular honeypot system based on that operating system.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
Peter Fretty, User Rank: Apprentice, 10/3/2013 | 7:46:44 PM
re: 5 Reasons Every Company Should Have A Honeypot
Great article and advice. There is no question, honeypots are a valuable way to gain insight into today's attack/threat landscape. However, they should only be part of the bigger strategy to truly guard the organization and its assets. A complete UTM approach needs to be multipronged, including education and tools.

Peter Fretty, IDG blogger working on behalf of Sophos
Michael A. Davis, User Rank: Apprentice, 10/2/2013 | 3:47:06 PM
re: 5 Reasons Every Company Should Have A Honeypot
jeremyarthur, maybe. It depends on the level of interaction you want with the honeypots. Some open source honeypot software is very low interaction and requires almost no management, but your ROI will be less. These are usually application-specific honeypots.

The more interaction, the more management.

Before deploying figure out what use cases you want to detect or analyze and adjust the plan accordingly.
jeremyarthur, User Rank: Apprentice, 10/2/2013 | 2:40:51 PM
re: 5 Reasons Every Company Should Have A Honeypot
The only problem I see is that $$$ do not grow on trees. Honeypots are not systems you just turn on and forget; you need the staff to monitor the honeypot, and not all companies have the staff to do this.