There is a gross lack of situational awareness with a clear lack of being able to quickly know whether an attack is under way and to assess whether that attack was successful. The recent Verizon Data Breach Investigation Report (DBIR) provides excellent insight here, finding that most victim organizations don't discover that they've been breached for months and even years after the fact. And nearly 70 percent of them are alerted to the breach by a third party.
Where is the network security monitoring and log analysis that should be alerting these businesses? Kevin Johnson, CEO of Secure Ideas, said in a post, "Current security technologies are beginning to show significant strain. It seems as though the current defensive technologies…are not slowing the current generation of advanced threats."
With defensive security solutions not able to keep up with current threats, enterprises need to develop better detection methods -- using a combination of traditional network security monitoring (NSM) and recent advancements in honeypot and active defense tools.
NSM is a field that is reaching a relatively mature state due to the attention and recognition of its value over the past several years. If you're not sure what NSM is, then check out the Applied NSM blog and upcoming book by Chris Sanders from InGuardians for more information.
What about honeypots and all the talk surrounding active defense? Honeypots are, in the simplest terms, systems that are designed to be attacked. There are many different variations of honeypots and of the services they offer (e.g. HTTP, SMTP, SSH, etc.). They also vary in the level of management, or interaction, that they require, but the common theme is that they are there to be attacked so the person running the honeypot can get better insight into what the attackers are doing.
Active defense takes the idea of honeypots further by attempting to operationalize them so that attacks can be identified quickly and security teams can respond quickly. Essentially, the honeypots become early warning detection systems that identify attacks that traditional defense systems might miss.
There are two problems, however, with honeypots and active defense that have given them a bad rap. The first is that honeypots are often seen as a waste of time because there has never been an easy way to integrate them into an enterprise environment and truly leverage their attack detection capabilities.
Second, active defense -- while helping to realize the true value of honeypots -- is often confused with hacking back (or attacking the attacker) because of articles that focus more on active defense practices that attempt to confuse, annoy, and even exploit flaws in the tools used by attackers.
Thanks to a resurgence in honeypot interest, there are new projects that make it much easier for security professionals to deploy honeypots and leverage them within their existing security infrastructure. Artillery, from TrustedSec, is an excellent example. It can be deployed on a standalone system or an existing server. Once deployed, it listens on commonly attacked network ports. Any attempted attacks are blocked and reported. Additionally, it gets data from the TrustedSec intelligence feed and will block connections from previously identified attackers.
Project Nova is another newer honeypot project. It took the very popular, but no longer developed, honeyd, updated and enhanced it, created a dashboard and wrapper around it, and made it easy to deploy many honeypots at one time -- all from the same host. Those honeypots can be made to look similar to existing systems on the network and act as decoys for the real systems. A machine learning algorithm helps determine whether systems are hostile or benign and alerts appropriately.
Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.
In addition to the traditional honeypot solutions that are simply designed to be attacked, ADHD includes active defense tools that intend to slow down attackers and allow for detection, or to annoy them to where they're more likely to make a mistake and get caught. Just be sure you've considered the consequences of what annoying an attacker could lead to; an angry attacker may quickly become a maliciously destructive attacker causing massive system failures and data loss.
The important thing to remember is that the solution you select needs to have its logs and alerting output added as sources to the existing SIEM or log analysis system. This is what produces the notifications and restores the role of honeypots as an early warning system. ADHD is a good choice to get started with because it contains a large number of tools, and today saw the newest version, 0.5.0, uploaded to SourceForge.
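The SIEM side of that integration, as an added example that is not from the article or from Artillery, Nova or ADHD: since no legitimate host should ever talk to a decoy, every connection in the honeypot log becomes an alert, and a source that touches several decoy ports is escalated. The log format, the sample lines and the "10." internal-address prefix are all constructed for this example.

```python
# Added example (not from the article or any of the tools it names): turn
# honeypot connection logs into SIEM-style alerts. Log format is constructed.
import re
from collections import defaultdict

# Constructed sample lines: timestamp, decoy address, source, destination port.
SAMPLE_LOG = """\
2013-06-10T02:14:05Z honeypot=10.0.5.20 src=198.51.100.7 dport=22
2013-06-10T02:14:06Z honeypot=10.0.5.20 src=198.51.100.7 dport=445
2013-06-10T02:14:07Z honeypot=10.0.5.20 src=198.51.100.7 dport=3389
2013-06-10T02:20:41Z honeypot=10.0.5.20 src=10.0.5.33 dport=80
malformed line that must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) honeypot=(?P<honeypot>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+)$")

SCAN_THRESHOLD = 3  # distinct decoy ports from one source => treat as a scan


def parse_events(text):
    """Return a list of event dicts for well-formed lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def build_alerts(text, internal_prefix="10."):
    """One alert per source: any decoy contact is 'medium', several distinct
    ports is 'high'; an internal source (assumed prefix) may be a compromised host."""
    ports, first_seen = defaultdict(set), {}
    for ev in parse_events(text):
        ports[ev["src"]].add(ev["dport"])
        first_seen.setdefault(ev["src"], ev["ts"])
    alerts = []
    for src, seen in ports.items():
        alerts.append({
            "src": src,
            "first_seen": first_seen[src],
            "ports": sorted(seen),
            "severity": "high" if len(seen) >= SCAN_THRESHOLD else "medium",
            "internal_source": src.startswith(internal_prefix),
        })
    return sorted(alerts, key=lambda a: a["first_seen"])
```

Calling `build_alerts(SAMPLE_LOG)` yields two alerts: a high-severity one for the external source that probed three decoy ports, and a medium-severity one flagged as an internal source.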