While they've long been a darling of researchers and law enforcement, honeypots are still trying to prove their case for wider enterprise deployment.
And it remains a bit of a hard-sell.
These "lures" that pose as legitimate network nodes are heavy on attacker- and attack data. But they don't do anything to actually stop an attack, plus they can attract unwanted attention to your network. But some security experts say elements of honeypot technology can be used as an extra layer in the enterprise security arsenal, especially for protecting against insider threats or other malicious internal activity.
"Right now, we're on the edge of someone picking up this technology and running forward with it for better security for enterprise installations," says Ralph Logan, principal with The Logan Group and vice president of the Honeynet Project. "It's a great alarm system -- there are no false positives with honeypots. If a packet touches it, something is suspect."
Honeypots have long been used in research networks, federal government agencies (especially the Department of Defense), and law enforcement for tracking potential attacks, attackers, or perpetrators. And security product vendors, especially in the antivirus and IPS sectors, widely use honeypots to keep tabs on attacks in the wild.
On the commercial side, it's mostly large financial institutions that run honeypots, says Logan Group's Logan, and most don't want to discuss their honeypots for fear of being targeted.
So should enterprises consider honeypot technology as another weapon in the security arsenal, or does arming yourself with a honeypot merely invite trouble?
Critics say honeypots have a place in research and in the military, for instance, but not in the enterprise. "Honeypots don't do anything to protect your net, and that's all that dot-com America cares about," says Lance Spitzner, president and founder of the Honeynet Project. But if an organization needs specific information to track a potential security problem, he says, then they might make sense.
One such application would be for detecting an internal user's suspicious activity on the network, or if an outsider was poking around the network from the inside, says Logan. "Most times attackers will use an [enterprise's] server or end-user PC to further explore the enterprise, so you could have an employee unwittingly being used."
But once you put up that sexy honeypot and attackers start buzzing around, you've exposed yourself, critics say. Thomas Ptacek, a researcher with Matasano Security, says honeypots not only invite trouble, but they also generate operational overhead that most organizations don't have the manpower to handle. "They generate the same kind of information that IDSes do, and enterprises have a terrible enough time keeping up with that kind of information," Ptacek says.
And just knowing you are under attack isn't very useful, he says, and in most cases, the attacks are the same old ones -- nothing novel or undiscovered, he says. "There aren't a lot of vulnerabilities that are traced back to honeypots."
But an even scarier prospect is the fallout from luring attackers to a honeypot, he says. "If an incident occurs, and it causes you a real operational problem, you've implicated yourself," Ptacek says. "How do you know the honeypot didn't contribute to that?"
Still, if you want to roll your own honeypot for the edge or internal use, you can use freeware from the Honeynet Project. There aren't any commercial honeypot products per se, but some IPSes, NAC products, and even AV software use the technology under the covers. Arbor Networks has a "dark IP" monitoring feature that uses unused IP addresses within an organization for the honeypot machines, so it's obvious when an attacker is knocking. And ForeScout, for instance, uses what it calls a "honeynet" approach.
It's more likely that some enterprises will merely incorporate elements of honeypot technology and methods. H&R Block, for instance, uses a form of honeypot technology. It used to run honeypots on its DMZs, says Mark Butler, manager of security and compliance services for H&R Block. "But they were one of the last things we looked at and worked on and that got updated," he says, and they became a low priority.
The tax preparation company now runs ForeScout's ActiveScout appliances, which use honeynet technology, basically network-based honeypots. The devices detect an attacker's reconnaissance behavior and respond with "fake" information using ForeScout's proprietary honeynet technology. If the intruder uses the fake information to attack the network, he's busted and gets blocked.
"We're not logging into the console on a daily basis -- we look at it weekly," H&R Block's Butler says. "It gives me trends, such as what type of behavior is going on," and if connections are coming from Russia, for example, and at what frequency, says Butler, who acknowledges it doesn't catch everything. "And you can tune it any way you want. If you know of a truly malicious connection from a particular source, you can block them forever."
It's the pure honeypots that still scare most enterprises away from the technology, both from a risk and overhead aspect. "Once you turn on a honeypot in your network, you've created something to keep you up at night," says Jeff Nathan, software and security engineer for Arbor Networks.
And there's no guarantee you'll actually snare an attacker, anyway, says Jose Nazario, software and security engineer for Arbor. "It's like putting a stick in the ground and hoping a guy running at you runs into that instead."
Kelly Jackson Higgins, Senior Editor, Dark Reading