Vulnerabilities / Threats
10/1/2013
05:05 PM
5 Reasons Every Company Should Have A Honeypot

A staple of the computer-security toolbox for more than two decades, honeypots can provide companies with unique benefits

In January 1991, a group of Dutch hackers attempted to break into a system at Bell Labs, only to be directed into a digital sandbox administered by one of the research groups at AT&T. In an account of the five-month incident, which involved one of the first computer honeypots, Bill Cheswick voiced a complaint that has been made about such systems frequently since: "How much effort was this jerk worth? It was fun to lead him on, but what's the point?"

Yet, increasingly, companies are seeing a point. Businesses are deploying honeypots focused specifically on alerting defenders to an attacker's presence. Such systems tend to have a low false-positive rate, can detect both insiders and external hackers and, best of all, should require little maintenance once set up.

"If we look at the next generation of attacks, attackers are using less and less malware, they just find valid credentials online," says John Strand, a pentester with consultancy Black Hills Information Security and an author of the book, Offensive Countermeasures: The Art of Active Defense. "They simply just log in and they can walk in the front door as a legitimate user."

To detect such breaches, companies can use sophisticated anomaly detection or simply stand up some simple servers that should never be accessed. Those honeypots can alert the security team when someone is poking around where they should not, he says.

While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.

1. Low false positives, high success
Every attacker worth their salt first tests their malware against the popular known security measures out there. Just by checking whether their program dodges detection by Symantec's and McAfee's anti-malware scanners, attackers have fooled systems that more than 80 percent of companies rely on, says Black Hills' Strand.

"A lot of traditional defensive technologies don't have a lot of value against advanced attackers, because the bad guys have the means and the resources to ensure that their attack is going to work," he says.

Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.

2. Able to confuse attackers
Honeypots can also be used to slow down the attackers who successfully get into a company's network. Using a virtual system, a company can create a variety of decoys that can distract the attackers and cause them to take more time to find the valuable data.

"Decoys are all about moving the threat from the real assets to the fake one, at the same time alerting you to the threats," says Michael Davis, chief technology officer for CounterTack, a security firm that recommends more active defenses.

[A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats. See Tech Insight: Time To Set Up That Honeypot.]

Another approach is to use honey tokens, fake data seeded within database records that should not otherwise be accessed, he says. By placing rules in the firewalls to alert on the unique data, a company can detect whenever a user or hacker downloads the information.
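The honey-token approach described above, as an added example that is not code from the article or from CounterTack: a few fake customer rows are seeded into a database, and a detector built from the same token values scans egress log lines and flags any line that carries one. The table layout, the token values and the log lines are constructed for the example; the alert callback stands in for the firewall rule the text mentions.

```python
"""Honey tokens: fake records seeded in a database, plus a detector that
alerts when one of them shows up in traffic or logs.

Added example; not code from the article or from any vendor it names.
The customers table, the token values and the log lines are constructed.
"""
import re
import secrets
import sqlite3
from typing import Dict, List, Tuple

# Constructed tokens: label -> value. In practice each value is generated
# once, registered with the alerting system, and never given to a real person.
SAMPLE_TOKENS: Dict[str, str] = {
    "crm-canary-1": "jane.placeholder-7f3a9c@example.com",
    "crm-canary-2": "4111-HONEY-0000-2013",   # looks like a card number, is not one
}


def make_honeytoken_email(label: str) -> str:
    """Generate a unique address that no real customer could own."""
    return f"{label}-{secrets.token_hex(6)}@example.com"


def seed_customers(conn: sqlite3.Connection, tokens: Dict[str, str]) -> int:
    """Create a customers table with a few ordinary rows and mix in the
    honey rows. Returns the number of honey rows inserted."""
    cur = conn.cursor()
    cur.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
    cur.executemany(
        "INSERT INTO customers (name, contact) VALUES (?, ?)",
        [("Alice Example", "alice@example.com"), ("Bob Example", "bob@example.com")],
    )
    honey_rows = [(f"Canary {label}", value) for label, value in tokens.items()]
    cur.executemany("INSERT INTO customers (name, contact) VALUES (?, ?)", honey_rows)
    conn.commit()
    return len(honey_rows)


def build_detector(tokens: Dict[str, str]):
    """Compile one alternation over all token values (escaped, so each value
    is matched literally) and return a scan function."""
    by_value = {value: label for label, value in tokens.items()}
    pattern = re.compile("|".join(re.escape(v) for v in tokens.values()))

    def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
        """Return (line_number, token_label, line) for every line carrying a token."""
        hits = []
        for lineno, line in enumerate(lines, start=1):
            for match in pattern.finditer(line):
                hits.append((lineno, by_value[match.group(0)], line))
        return hits

    return scan


# Constructed egress-proxy log: one ordinary request, one bulk export whose
# query string carries a honey token, one unrelated error.
SAMPLE_LOG = [
    "10.0.0.5 - GET /api/customers/42 200 512",
    "10.0.0.9 - GET /export.csv?filter=jane.placeholder-7f3a9c@example.com 200 91034",
    "10.0.0.5 - GET /api/customers/43 500 0",
]


def demo() -> List[Tuple[int, str, str]]:
    """Seed an in-memory database and scan the constructed log."""
    conn = sqlite3.connect(":memory:")
    seed_customers(conn, SAMPLE_TOKENS)
    scan = build_detector(SAMPLE_TOKENS)
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for lineno, label, line in demo():
        print(f"ALERT honeytoken {label} seen on log line {lineno}: {line}")
```

The detector matches token values literally, so a token should be something no real record could contain (a reserved example domain, an invalid card number); the only legitimate path for such a value to leave the database is none at all, which is what keeps the false-positive rate near zero.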

3. Only a time sink, if you allow it
Companies can deploy one of two types of honeypots. The first is a research honeypot--an instrumented virtual system that hosts a vulnerable operating system and is put on a network accessible to the Internet. The problem with research honeypots is that they require a lot of time to set up, watch for threats and then analyze the resulting compromise. While companies can learn a lot about attackers from such systems, they typically require too much time to be of use in an enterprise whose business is anything other than security.

"Research honeypots tend to be the tool of choice for university students to observe attacker behavior," Strand says. "That's neat but for the rest of us, we have real compromises to take care of."

Production honeypots, on the other hand, are systems that emulate something of business value to the company. They can be a Web server, workstation, database or just a document. They are low-interaction systems, which means that the security team just sets them up and can then turn to other things until a user interacting with the honeypot sets off an alert.
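The production honeypot described here, and Strand's "simple servers that should never be accessed" earlier in the article, as one added example that is not code from the article, ADHD or KFSensor: a listener that does nothing but accept a connection, capture who connected and the first bytes sent, and hand a record to an alert sink. The loopback host, ephemeral port, SMTP-style banner and JSON alert format are assumptions for the example.

```python
"""Low-interaction production honeypot (added example).

Listens on a port no legitimate user has any reason to touch, accepts
connections, records who connected and the first bytes they sent, and
hands each record to an alert sink. Nothing here emulates a real service;
the value is that every hit is suspicious by construction.

Not code from the article or from ADHD/KFSensor; host, port, banner and
alert format are assumptions.
"""
import json
import socket
import threading
import time
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional


@dataclass
class HoneypotAlert:
    timestamp: float
    source_ip: str
    source_port: int
    listen_port: int
    first_bytes_hex: str  # up to 64 bytes the client sent, hex-encoded (may be empty)


def alert_as_json(alert: HoneypotAlert) -> str:
    """Serialize an alert as one JSON line for a SIEM or log pipeline."""
    return json.dumps(asdict(alert), sort_keys=True)


class LowInteractionHoneypot:
    def __init__(self, host: str, port: int,
                 on_alert: Callable[[HoneypotAlert], None],
                 banner: bytes = b"") -> None:
        self.on_alert = on_alert
        self.banner = banner
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        # port 0 lets the OS pick a free port; record the one actually bound
        self.port: int = self._sock.getsockname()[1]

    def serve_one(self, timeout: float = 5.0) -> Optional[HoneypotAlert]:
        """Accept a single connection and turn it into an alert.
        Returns None if nothing connects before the timeout."""
        self._sock.settimeout(timeout)
        try:
            conn, (ip, sport) = self._sock.accept()
        except socket.timeout:
            return None
        data = b""
        with conn:
            conn.settimeout(1.0)
            try:
                if self.banner:
                    conn.sendall(self.banner)
                data = conn.recv(64)
            except OSError:
                # peer vanished or never spoke; the connection alone is the signal
                pass
        alert = HoneypotAlert(time.time(), ip, sport, self.port, data.hex())
        self.on_alert(alert)
        return alert

    def close(self) -> None:
        self._sock.close()


def simulate_probe(host: str, port: int, payload: bytes, expect_banner: bool = True) -> None:
    """Stand-in for the unwanted visitor: connect, read the banner, send a
    few bytes, leave."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if expect_banner:
            c.recv(128)
        c.sendall(payload)


def run_demo() -> List[HoneypotAlert]:
    """Start the honeypot on a loopback port, hit it once from this process,
    and return the alerts it raised."""
    alerts: List[HoneypotAlert] = []
    hp = LowInteractionHoneypot("127.0.0.1", 0, alerts.append,
                                banner=b"220 mail.internal ESMTP\r\n")
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    simulate_probe("127.0.0.1", hp.port, b"EHLO probe\r\n")
    worker.join()
    hp.close()
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(alert_as_json(a))
```

In a real deployment the alert sink would forward to the SIEM or paging system and the listener would loop on `serve_one` rather than handle one connection; the demo hits it once from the same process so the whole exchange can be checked offline.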

4. Help train your security team
With technical security professionals still in short supply, honeypots can also be used as essential training tools, says CounterTack's Davis. By using honeypots to watch attackers' actions, defenders can learn about the latest techniques.

"A lot of security teams, when they start deploying honeypots, they really start understanding how these attackers work," he says. "They see the steps the attackers take, but also figure out how to stop the intermediary steps in their own network."

5. Many free options
Finally, there are a lot of free options for companies to get started with honeypots. At the Black Hat Security Briefings in Las Vegas, Strand and three colleagues released a collection of active defense tools, wrapped in a single Linux ISO distribution dubbed the Active Defense Harbinger Distribution (ADHD).

For those who prefer Windows, KFSensor is a popular honeypot system based on that operating system.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
Peter Fretty, 10/3/2013 | 7:46:44 PM
re: 5 Reasons Every Company Should Have A Honeypot
Great article and advice. There is no question, honeypots are a valuable way to gain insight into today's attack/threat landscape. However, they should only be part of a bigger strategy to truly guard the organization and its assets. A complete UTM approach needs to be multipronged, including education and tools.

Peter Fretty, IDG blogger working on behalf of Sophos
Michael A. Davis, 10/2/2013 | 3:47:06 PM
re: 5 Reasons Every Company Should Have A Honeypot
jeremyarthur, maybe. It depends on the level of interaction you want with the honeypots. Some open source honeypot software is very low interaction and requires almost no management but your ROI will be less. These are usually application specific honeypots.

The more interaction, the more management.

Before deploying figure out what use cases you want to detect or analyze and adjust the plan accordingly.
jeremyarthur, 10/2/2013 | 2:40:51 PM
re: 5 Reasons Every Company Should Have A Honeypot
The only problem I see is that $$$ do not grow on trees. Honeypots are not systems you just turn on and forget; you need the staff to monitor the honeypot, and not all companies have the staff to do this.