An Introduction to Honeypots
In our latest blog series, we discuss how threat intelligence can be applied smarter for medium sized organizations with limited resources. We discuss ways to proactively detect threats beyond subscribing to information feeds that require a lot of resources to aggregate and ingest into SIEMs.
Medium-sized organizations are generally focused on being lean: conducting good patch management, implementing policies around incident response, disaster recovery and financial controls, aggregating appropriate logs into a SIEM for alerts, practicing identity and access management, implementing two-factor authentication at the perimeter and key chokepoints internally, and potentially more advanced threat hunting with endpoint detection and network traffic beyond the regular SOC ticketing functions.
In short, they are not likely to make large investments to build a threat intelligence apparatus to consume numerous intelligence feeds. Nor are they likely to have a roster of analysts to build return on investment metrics based on actionability that ultimately reduce visibility gaps and increase security controls.
In these instances, honeypots can often be a leaner means to gain an understanding of the threat environment both on the perimeter and inside the environment simply due to the fact that security engineers understand their own network better than an adversary.
Any adversary must assess how much time they need to spend on target – internally or externally – to meet their objectives (intelligence collection, ransomware, selling stolen data, etc).
In many scenarios, an actor will need to make a movement that is not ordinary in the environment, which should trigger an alert.
As a network defender, there are generally three categories of intelligence to assist triaging these alerts:
- Threat intelligence that informs a threat hunter they are already breached based on what is being observed external to the perimeter
- Threat intelligence that searches the dark corners of the internet for indicators an organization and its technologies will come under attack
- Use of decoy systems or servers deployed alongside production systems within a network that proactively inform a network defender when their network is being targeted. When deployed as enticing targets for attackers, honeypots can add security monitoring opportunities for blue teams and misdirect the adversary from their true target.
Categories 1 and 2 can be resource intensive and expensive, especially as attack surfaces and corporate assets expand.
Honeypots have varying levels of complexity (passwords, vulnerable services, fake sensitive data) depending on the needs of your organization and can be a significant method to flag attacks early. Generally, they fall into two categories:
External Research Honeypots: External honeypots seek to gather information about attacks being directed towards an organization external to the network perimeter. These can generally provide information on malware and vulnerabilities against services that attackers are actively targeting. In turn, the intelligence gathered from the honeypots can be used to inform defenses such as patch prioritization.
Internal Production Honeypots: Internal honeypots are used to detect active compromise within an internal network. These are meant to give another layer of monitoring for lateral movement or malicious scans and should ideally mimic services being used in a corporate and production environment.
We will explore pure, low-interaction, and high-interaction honeypots, the kinds of technology available, and the combined use of canary tokens in different types of production environments in later blogs.
Check out Cboe Global Markets Security Manager Jan Grzymala-Busse’s comments on threat intelligence in a recent Cyber5 podcast episode.