Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream
Newest First  |  Oldest First  |  Threaded View
Brian Kellogg
50%
50%
Brian Kellogg,
User Rank: Apprentice
9/23/2014 | 10:25:13 PM
Re: ENISA and Digital Traps via Honeypots
I have to say that I'm not sure why some say honey pots pose too much of a risk to your network.  In large enough businesses you will be forced to try and protect antiquated software with unpatched vulnerabilities until such a time the business can migrate off of that software.  Vulnerabilities will always exist and a Honey Pot will help in identifying the threats on your internal network.  I think one thing we've learned over the last few years is that we can't trust our own internal networks.  Permimeter security just isn't as important as it used to be.  Getting behind the FW/IDS or whatever is a seemingly trivial hurdle for APTs.  Honey pots are a key part of the detection/identification part of a defense in depth security program IMHO.
kd10
50%
50%
kd10,
User Rank: Apprentice
6/25/2014 | 3:24:48 AM
Honeypot as a tool to identify and find the malware
In many cases you already have infected assets inside your organization and there are not many good tools that can find these infected assets.

A good Honeypot will halp you find the infected assets. Whether you take the attacker to court or not is another subject, but first you want to protect yourself and find the infected asset.

Check www.topspinsec.com. 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/22/2014 | 1:27:59 PM
Re: Honeypots: High risk, High cost.
I second this notion.  Honeypots should only be deployed in a VLAN completely segregated from all other production or for that matter non-production environments.  
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/21/2014 | 2:34:16 PM
Honeypots: High risk, High cost.
It is a very bad idea and not common practice to deploy honeypots in a production enviroment. Honeypots are great for obtaining intelligence on what types of attacks vectors are being utilized against an infrastructure by simulating vulnerabilities in a system. However, placing a honeypot on a production network can and will expose you to more risk. More risk than just attracting attention from hackers, worms, the NSA, etc. Just because the system is simulating known vulnerabilities does not mean the honeypot or system hosting the honeypot is not actually vulnerable itself. I know it's a double negative. But the fact of the matter is that honeypots CAN be compromised by REAL vulnerabilities and used against your company to aid in further attacks or breach of data.

Yes there are many opensource and free honeypots out there but keep in mind the high cost operating, maintaining, and hosting of the honeypot network. Honeypots can and will be broken. Remember, you are just asking to be attacked so in no way should this be operating within the same subnet of your ISP. Plan on paying for 2 seperate ISPs.

 
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
6/20/2014 | 3:50:17 PM
Re: Low risk , no cost
Very Good for the bottom line and in today's climate that is all that really matters.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/20/2014 | 1:07:46 PM
Low risk , no cost
This tool sounds like a perfect combination for  budget-strapped security teams!
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/20/2014 | 11:17:57 AM
Re: ENISA and Digital Traps via Honeypots
If done correctly, honeypots are a very useful tool to gather information about attackers. Malware is often left on them, this can be useful in determining how attacks will happen in the future.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/20/2014 | 7:20:26 AM
Re: ENISA and Digital Traps via Honeypots
Between 2003 and roughly 2008 honeypots were the topic of many legal arguments whether someone implementing the technology could actually be prosecuted for using it, or be sued by a hacker caught in the trap.  The debate still rages, but it was particularly hot in the early days since 9/11 was a recent event and many laws were bending and shifting.

When the FBI or a similar agency uses honeypots, it's OK (see United States v. Ivanov), but be careful if you are a private business or an everyday citizen.  After all, it can be entrapment and a violation of privacy, technically.  I'd review SANS resources for recommendations on avoiding prosecution, which include anything from proper banner setup on systems to documentation, and proving your honeypot is a closed loop, preventing hackers from jumping off from there to other systems.

In other words, when you shoot the intruder, make sure you can justify the trail of jewelry that went up your lawn and through the open door (or minimally secured) to your house... 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/20/2014 | 6:43:50 AM
Re: ENISA and Digital Traps via Honeypots
Honeypots have been around for a long time. It will be interesting to see if they indeed become a more common tool for enterprises (mainly large ones, of course). As researchers have found and demonstrated over the years, you can glean a lot of powerful information about attackers/attacks from a honeypot.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/19/2014 | 11:54:50 PM
ENISA and Digital Traps via Honeypots
A couple years ago ENISA had a great report about how to use honeypots as digital traps for cyber criminals.

The Executive Director of ENISA Professor Udo Helmbrecht commented:

"Honeypots offer a powerful tool for CERTs to gather threat intelligence without any impact on the production infrastructure. Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT's constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics. Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies' assets."

I like how they think...


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6564
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
CVE-2020-6565
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2020-6566
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6567
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2020-6568
PUBLISHED: 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.