Honeypots for Detecting Threats

So generally there are two types of honeypots, and I’m using the term honeypot quite loosely here. First there is the threat research honeypot, used for gathering intelligence on threats and on hackers: what it is that we believe hackers are actually doing.

Research Honeypots

Now The Honeynet Project, founded by Lance Spitzner, is an example of a non-profit research organization dedicated to investigating the latest attacks through the use of these research honeypots. Research honeypots are what most people think of when they hear the word honeypot, and it is on that basis that they dismiss the whole concept of honeypots as being useful. Research honeypots are actually a little questionable in terms of the value you get from them, because you generally only gather intelligence on sophisticated attacks.

It’s very hard to set up research honeypots that present value to an attacker. If you make them sufficiently weak you do not get sophisticated attacks against them, because you do not need a sophisticated attack to get in; but if you make them too difficult to break into, then they do not necessarily get broken into at all. So there’s a dilemma with these research honeypots.

Threat Detection Honeypots

But enough of research honeypots. The second type, and the one we are actually interested in, is the threat detection honeypot, which is used to detect threats.

Often you place them in sensitive areas where a threat shouldn’t be. They usually contain data that appears to be legitimate and seems to hold information or resources of value to an attacker, but in fact the honeypot is isolated and monitored, and it alerts you when someone tries to interact with it.

These honeypots have no use other than as traps for those threats, so any interaction with the honeypot produces a high-quality alert with few false positives. For example, you can set up a fake NAS storage server on your home network, or a fake web server on a business network, and these act as honeypots on your network. When a threat interacts with one, you are alerted to its presence. This is detection through deception.

These types of honeypots tend to produce very few false positives, because nobody should be on these devices. So when you get an alert from one, something is definitely interacting with it; you are not getting the flood of false positives you get with signature-based intrusion detection. Quality alerts and low false positives are the two key factors in successful detection.
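As an added illustration of the fake NAS / fake web server idea, here is a minimal detection honeypot in Python. This is example code written for this page, not a tool from the course or from The Honeynet Project. It listens on a port nobody has a legitimate reason to talk to and treats every connection as an alert, which is exactly why there is no tuning: any interaction at all is the signal. The service names, the decoy banners and the peer addresses used in the self-test are constructed for the example.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoys: port -> (service label, banner sent to whoever connects).
# A real deployment would mimic the NAS or web server it is pretending to be.
FAKE_SERVICES = {
    2049: ("fake-nas", b""),
    8080: ("fake-web", b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"),
}


def build_alert(service, peer_ip, peer_port, first_bytes):
    """Turn one interaction into a structured, high-signal alert record."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "severity": "high",            # nobody should be here, so no thresholds
        "service": service,
        "peer_ip": peer_ip,
        "peer_port": peer_port,
        "first_bytes": first_bytes[:64].hex(),
        "printable": first_bytes[:64].decode("ascii", "replace"),
    }


def handle_connection(conn, peer, service, banner=b"", timeout=2.0):
    """Serve one client: send the decoy banner, capture what it sends, close,
    and return the alert. Works on any connected socket."""
    peer_ip, peer_port = peer[0], peer[1]
    conn.settimeout(timeout)
    try:
        if banner:
            conn.sendall(banner)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""                 # a silent connect is still an alert
    finally:
        conn.close()
    return build_alert(service, peer_ip, peer_port, data)


def simulate_interaction(request, service, banner=b"", peer=("10.0.0.5", 51515)):
    """Drive handle_connection() over an in-process socketpair so the decoy can
    be exercised without opening a port. Returns (alert, bytes the client got)."""
    server_side, client_side = socket.socketpair()
    if request:
        client_side.sendall(request)
    else:
        client_side.shutdown(socket.SHUT_WR)   # bare connect, nothing sent
    alert = handle_connection(server_side, peer, service, banner)
    received = client_side.recv(4096)          # banner, or b"" once closed
    client_side.close()
    return alert, received


class DetectionHoneypot:
    """Listens on one TCP port and records an alert for every connection."""

    def __init__(self, service, banner=b"", host="127.0.0.1", port=0):
        self.service, self.banner, self.host, self.port = service, banner, host, port
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.5)             # lets the loop notice stop()
        self.port = self._sock.getsockname()[1]  # port 0 -> OS picks a free one
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            alert = handle_connection(conn, peer, self.service, self.banner)
            with self._lock:
                self.alerts.append(alert)
            print(json.dumps(alert))           # forward to your SIEM in practice

    def probe(self, data=b"", wait=3.0):
        """Connect to the running listener as a client and wait for the alert."""
        before = len(self.alerts)
        with socket.create_connection((self.host, self.port), timeout=wait) as c:
            if data:
                c.sendall(data)
        deadline = time.monotonic() + wait
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) > before:
                    return self.alerts[-1]
            time.sleep(0.05)
        return None

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=5)
        self._sock.close()


if __name__ == "__main__":
    hp = DetectionHoneypot("fake-web", FAKE_SERVICES[8080][1], port=8080)
    print(f"fake-web decoy listening on 127.0.0.1:{hp.start()}; Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        hp.stop()
```

Run it directly to get a decoy web server on 127.0.0.1:8080 that prints one JSON alert per connection, or call simulate_interaction() to check the handler without binding a port. Note that the alert carries only the peer address and the first bytes received; the decoy never does anything with the attacker's input beyond recording it, which is what keeps the false-positive rate near zero and the honeypot itself harmless.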

(Figure: detection honeypot)

So we’re looking at using threat detection honeypots as tools of deception to alert us to threats, so that we can mitigate those threats in a timely manner. Deception has been a strategy of war since the beginning of war, but it is not a popular strategy in cybersecurity, and it should be. Deception needs to be a strategy in your security arsenal. We need to bring deception back into cybersecurity, as it provides a number of benefits to the defender that other methods do not.

With detection honeypots:

  • We can detect threats.
  • We can delay them.
  • We can waste their time.
  • We can prevent them from discovering more important information.
  • We can misdirect them.
  • We can provide false intelligence.
  • We can use them to discover who the threat is, plus much more.

Properties of an Effective Honeypot

For honeypots to be useful they need to have a number of properties, and part of the reason they have not been widely deployed is that these properties are hard to get right. I’ll go through them now.

They need to be deployable fast and easily, and they need to be discoverable by the threats. They also need to be deployed in sufficient numbers or density, and obviously they need to be deployed in the right locations.

They need to provide high-quality signals in the presence of a threat: no false alarms, or very few, so that when you get an alert it means something is wrong. This reduces operational costs, and it reduces the manpower needed to monitor these devices to virtually zero, which is completely different from signature-based intrusion detection systems.

So to be successful they should require virtually no management, and of course, finally, they should be reliable.
