10/1/2013 05:05 PM

5 Reasons Every Company Should Have A Honeypot

A staple of the computer-security toolbox for more than two decades, honeypots can provide companies with unique benefits

In January 1991, a group of Dutch hackers attempted to break into a system at Bell Labs, only to be directed into a digital sandbox administered by one of the research groups at AT&T. In an account of the five-month incident, which involved one of the first computer honeypots, Bill Cheswick voiced a complaint about such systems that has been repeated often since: "How much effort was this jerk worth? It was fun to lead him on, but what's the point?"

Yet, increasingly, companies are seeing a point. Businesses are deploying honeypots focused specifically on alerting defenders to an attacker's presence. Such systems tend to have a low false positive rate, can detect both insiders and external hackers and, best of all, should require little maintenance once set up.

"If we look at the next generation of attacks, attackers are using less and less malware, they just find valid credentials online," says John Strand, a pentester with consultancy Black Hills Information Security and an author of the book, Offensive Countermeasures: The Art of Active Defense. "They simply just log in and they can walk in the front door as a legitimate user."

To detect such breaches, companies can use sophisticated anomaly detection or simply stand up a few servers that should never be accessed. Those honeypots can alert the security team when someone is poking around where they should not be, he says.

While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.

1. Low false positives, high success
Every attacker worth their salt first tests their malware against the popular security products on the market. Just by checking whether their program dodges detection by Symantec's and McAfee's anti-malware scanners, attackers have fooled systems that more than 80 percent of companies rely on, says Black Hills' Strand.

"A lot of traditional defensive technologies don't have a lot of value against advanced attackers, because the bad guys have the means and the resources to ensure that their attack is going to work," he says.

Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.

2. Able to confuse attackers
Honeypots can also be used to slow down the attackers who successfully get into a company's network. Using a virtual system, a company can create a variety of decoys that can distract the attackers and cause them to take more time to find the valuable data.

"Decoys are all about moving the threat from the real assets to the fake one, at the same time alerting you to the threats," says Michael Davis, chief technology officer for CounterTack, a security firm that recommends more active defenses.

[A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats. See Tech Insight: Time To Set Up That Honeypot.]

Another approach is to use honey tokens, fake data seeded within database records that should not otherwise be accessed, he says. By placing rules in the firewalls to alert on the unique data, a company can detect whenever a user or hacker downloads the information.
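As an added illustration of the honey-token idea (not code from the article or from the vendors it quotes), the following scans egress log lines for seeded values that no legitimate process should ever send out. The token values, table names and log lines are all constructed for this example; matching in a log pipeline stands in for the firewall rule the article describes.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Honey tokens: values planted in rows that no business process reads.
# Every value is constructed for this example; the table/column names are hypothetical.
HONEY_TOKENS = {
    "customers.email": "quentin.farrow.ht@example.test",
    "payroll.account_no": "HT-4471-9930-2208",
    "vault.api_key": "htk_5f2c9a8b1e3d7c6a",
}

# Constructed egress log lines in a key=value style (proxy or DLP export).
SAMPLE_LOGS = [
    "2013-10-01T14:02:11Z src=10.1.4.22 user=jdoe dst=mail.example.com bytes=1200 body=hello",
    "2013-10-01T14:05:47Z src=10.1.4.77 user=svc_backup dst=198.51.100.9 bytes=88210 body=...HT-4471-9930-2208...",
    "2013-10-01T14:06:03Z src=10.1.4.22 user=jdoe dst=files.example.com bytes=500 body=quentin.farrow.ht%40example.test",
    "2013-10-01T14:07:30Z src=10.1.4.90 user=mallen dst=crm.example.com bytes=300 body=report",
]

@dataclass
class Alert:
    token: str
    src: str
    user: str
    dst: str

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Undo the cheap encodings an exfiltration path may apply (URL-escaping, case)."""
    return urllib.parse.unquote(line).lower()

def scan(lines, tokens=HONEY_TOKENS):
    """Return one Alert per (line, token) hit. Any hit is high severity by construction:
    the value only exists in the seeded row, so there is no benign reason to see it."""
    alerts = []
    for line in lines:
        text = normalize(line)
        fields = dict(FIELD_RE.findall(line))
        for name, value in tokens.items():
            if value.lower() in text:
                alerts.append(Alert(name, fields.get("src", "?"),
                                    fields.get("user", "?"), fields.get("dst", "?")))
    return alerts

def hits_by_source(alerts):
    """Group hits by internal source address so one leaking host stands out."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.src, []).append(a.token)
    return grouped
```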

3. Only a time sink, if you allow it
Companies can deploy one of two types of honeypots. The first is a research honeypot--an instrumented virtual system that hosts a vulnerable operating system and is put on a network accessible to the Internet. The problem with research honeypots is that they require a lot of time to set up, watch for threats and then analyze the resulting compromise. While companies can learn a lot about attackers from such systems, they typically require too much time to be of use in an enterprise whose business is anything other than security.

"Research honeypots tend to be the tool of choice for university students to observe attacker behavior," Strand says. "That's neat but for the rest of us, we have real compromises to take care of."

Production honeypots, on the other hand, are systems that emulate something of business value to the company. They can be a Web server, workstation, database or just a document. They are low-interaction systems, which means that the security team just sets them up and then can worry about other things until a user interacting with the honeypot sets off an alert.

4. Help train your security team
With technical security professionals still in short supply, honeypots can also be used as essential training tools, says CounterTack's Davis. By using honeypots to watch the attackers' actions, the defenders can learn about the latest techniques.

"A lot of security teams, when they start deploying honeypots, they really start understanding how these attackers work," he says. "They see the steps the attackers take, but also figure out how to stop the intermediary steps in their own network."

5. Many free options
Finally, there are a lot of free options for companies to get started with honeypots. At the Black Hat Security Briefings in Las Vegas, Strand and three colleagues released a collection of active defense tools, wrapped in a single Linux ISO distribution dubbed the Active Defense Harbinger Distribution (ADHD).

For those who prefer Windows, KFSensor is a popular honeypot system built for that operating system.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
Peter Fretty
User Rank: Apprentice
10/3/2013 | 7:46:44 PM
re: 5 Reasons Every Company Should Have A Honeypot
Great article and advice. There is no question, honeypots are a valuable way to gain insight into today's attack/threat landscape. However, they should only be part of the biggest strategy to truly guard the organization and its assets. A complete UTM approach needs to be multipronged, including education and tools.

Peter Fretty, IDG blogger working on behalf of Sophos
Michael A. Davis
User Rank: Apprentice
10/2/2013 | 3:47:06 PM
re: 5 Reasons Every Company Should Have A Honeypot
jeremyarthur, maybe. It depends on the level of interaction you want with the honeypots. Some open source honeypot software is very low interaction and requires almost no management but your ROI will be less. These are usually application specific honeypots.

The more interaction, the more management.

Before deploying figure out what use cases you want to detect or analyze and adjust the plan accordingly.
jeremyarthur
User Rank: Apprentice
10/2/2013 | 2:40:51 PM
re: 5 Reasons Every Company Should Have A Honeypot
The only problem I see is $$$ do not grow on trees. Honeypots are not systems you just turn on and forget; you need the staff to monitor the honeypot, and not all companies have the staff to do this.