Written by: Nick Palmer, Technical Director, Europe

Honeypot. I always liked the term. It hails right back to the comfort of my early childhood and images of Winnie the Pooh diving into one face first, then tracks forward to my first exposure to Lance Spitzner’s excellent book in 2002. It’s a descriptive and easily assimilable term, and for the uninitiated it’s also a really straightforward way to convey a competence that is still nascent in security circles.
Put a honeypot on the network, and watch the attackers gravitate to it. These are simple messages, and they support the development of a mindset which I believe has increasing legitimacy in 21st-century cyber-warfare.
The issue is that deploying what most people understand as honeypots to a network is a time-consuming task. You might have allocated ten physical machines with various unpatched and interesting operating systems on them. You might even have populated them with fake data. The question then is where to put them for the highest yield. Once they are deployed adjacent to networks of critical interest, you have the issues of gathering and understanding their telemetry. You have the attendant challenges of deriving value from the vast amounts of log data they produce, and you are sure to have issues orchestrating them together and keeping the data and the fake systems fresh and interesting. Then you have the issue of incorporating and configuring alerting from the devices and ensuring that events of interest are given the necessary gravity and severity. Integrating these capabilities with remedial systems like Network Access Control could be a real headache, as legitimate systems that happen to interact with the honeypots are taken off the network in a most undignified fashion.

I could go on, but the point is clear. Traditionally understood, honeypots are not a scalable solution for the modern enterprise. Enterprise networks are endlessly evolving, already well understood by the best hackers, vastly distributed and highly heterogeneous. A manual approach to deceiving attackers in these networks is doomed to failure.
This is why I prefer Deception Platforms. Imagine a centrally managed solution, offering turn-key access to a library of candidate operating systems (including your own gold images, should you choose to import them). Imagine that console orchestrating the available services and applications and ensuring that the deceptive assets look exactly like your production systems. The very best Deception Platforms offer the ability to send Deception to remote corners of the network without additional investment in hardware or operating systems, and present attackers with a seamless experience indistinguishable from real devices. If you want to take a weaponised approach to Deception, a good platform will equip you with Deceptive documents to track movement in and out of the network. When looking for a Deception platform, you should ensure you have access to a consolidated console that shows telemetry from all the Deceptive assets on the network, and which can freely exchange information with your standard SOC tooling. Malware that is placed on the Deceptive platform by attackers should be analysed and sandboxed, and any attempt by the attacker to pivot from a Deceptive asset to the real network should be blocked immediately, without letting the hacker know. Finally, full-featured integration into the automation layer should also be available, facilitating the move to ‘SecOps’ and increased security automation.
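Two of the points above (giving decoy events the right severity, and treating a connection that originates from a decoy towards production as a pivot attempt to block) translate directly into triage logic that a consolidated console or SOC pipeline would run. The following is an added illustration, not code from the post or from any product it describes; the decoy addresses, production subnets, scanner allowlist and log lines are all constructed placeholders, and the log format is a hypothetical one chosen for the example.

```python
"""Triage of telemetry from deceptive assets (decoys).

Assumed, hypothetical environment: the decoy IPs, production subnets and
scanner allowlist are constructed placeholders, and so are the log lines.
The rules encode two ideas: no legitimate traffic should ever reach a decoy,
so any interaction with one is inherently suspicious; and a connection that
leaves a decoy towards the production network is a pivot attempt that should
be escalated and blocked.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed placeholder addressing for the example environment.
DECOYS = {ipaddress.ip_address("10.0.50.21"), ipaddress.ip_address("10.0.50.22")}
PRODUCTION_NETS = [ipaddress.ip_network("10.0.10.0/24"),
                   ipaddress.ip_network("10.0.20.0/24")]
SCANNER_ALLOWLIST = {ipaddress.ip_address("10.0.10.5")}  # e.g. an authorised vuln scanner


@dataclass
class Event:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str  # "connect", "login", "file_read", ...


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format: '<ts> <src>:<sport> -> <dst>:<dport> <action>'."""
    ts, src, _arrow, dst, action = line.split()
    s_ip, _sport = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Event(ts, ipaddress.ip_address(s_ip), ipaddress.ip_address(d_ip), int(d_port), action)


def in_production(ip) -> bool:
    return any(ip in net for net in PRODUCTION_NETS)


def classify(ev: Event):
    """Return (severity, reason) for a decoy-related event, or None if the decoys are not involved."""
    if ev.src in DECOYS and ev.dst not in DECOYS:
        # Traffic leaving a decoy: nothing legitimate runs there, so this is attacker activity.
        if in_production(ev.dst):
            return "critical", "pivot-from-decoy"
        return "high", "decoy-egress"
    if ev.dst in DECOYS:
        if ev.src in SCANNER_ALLOWLIST:
            return "info", "allowlisted-scanner"
        if ev.action in ("login", "file_read"):
            return "high", "decoy-interaction"
        return "medium", "decoy-touch"
    return None


def should_block(ev: Event) -> bool:
    """Only a pivot from a decoy into production warrants an immediate, silent block."""
    result = classify(ev)
    return result is not None and result[1] == "pivot-from-decoy"


def triage(lines):
    """Yield (event, severity, reason) for every decoy-related line."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        result = classify(ev)
        if result is not None:
            findings.append((ev, result[0], result[1]))
    return findings


def severity_counts(lines) -> dict:
    return dict(Counter(sev for _ev, sev, _reason in triage(lines)))


def pivot_sources(lines):
    """Decoy addresses that attempted to reach production; these are the hosts to isolate."""
    return sorted({str(ev.src) for ev, _sev, reason in triage(lines) if reason == "pivot-from-decoy"})


# Constructed sample telemetry (not real data).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.10.5:51000 -> 10.0.50.21:22 connect",     # allowlisted scanner
    "2024-01-01T10:01:12Z 10.0.20.77:50233 -> 10.0.50.21:445 connect",   # first touch of a decoy
    "2024-01-01T10:01:40Z 10.0.20.77:50234 -> 10.0.50.21:445 login",     # interaction with a decoy
    "2024-01-01T10:03:05Z 10.0.50.21:40010 -> 10.0.10.8:3389 connect",   # pivot from decoy to production
    "2024-01-01T10:03:30Z 10.0.50.21:40011 -> 203.0.113.9:443 connect",  # decoy egress to the outside
    "2024-01-01T10:04:00Z 10.0.20.3:4000 -> 10.0.20.4:80 connect",       # ordinary traffic, ignored
]

if __name__ == "__main__":
    for ev, sev, reason in triage(SAMPLE_LOG):
        flag = " BLOCK" if should_block(ev) else ""
        print(f"{ev.ts} {ev.src} -> {ev.dst}:{ev.dport} {sev:8} {reason}{flag}")
    print(severity_counts(SAMPLE_LOG), pivot_sources(SAMPLE_LOG))
```

The allowlist is the one deliberate exception to "nothing legitimate touches a decoy": authorised scanners will hit every host, and without the exception they would generate the false positives and NAC lockouts the post complains about. Everything else that reaches a decoy, or leaves one, is raised rather than filtered.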
You can see the deltas, I hope. So of course, call it a honeypot. But it’s not really. Not even close.