By: Kevin O’Connor, Director of Threat Research

We returned to the basics in our most recent blog, Honeypots 101: Origin, Services, and Types covering the evolution of honeypots, how organizations are deploying them, and the different types that can help lure away cybercriminals from key assets. Deception tools, like honeypots, add another layer of defense to protect your system while drawing attackers away from where you don’t want them.

We are diving deeper into usage considerations and why deception technology expands security defenses.

Business and IT Systems Benefits

Honeypots are beneficial inclusions in an IT System’s Security Plan for many reasons, including^[1]:

1. Early warning and detection of attacks: Honeypots can detect attacks before they reach critical systems allowing security personnel to respond quickly and minimize damage.
2. Intelligence gathering and analysis of attack methods: By observing attackers’ behavior on a honeypot, businesses can gain insight into attackers’ methods and techniques to compromise the system. They can provide valuable information about the TTPs used by attackers, which can be used to develop more effective security measures and assist in incident response.
3. Detecting new threats: Honeypots can detect new and emerging threats as attackers leverage new TTPs, which the honeypot may observe in detail.
4. Improving security posture and reducing risk: Honeypots can improve an organization’s security posture by better understanding the TTPs used by attackers and developing more effective security solutions. Luring attacks on a decoy system can help reduce the risk of an actual attack on the organization’s networks and systems.

Honeypots can also be used to help meet industry-specific compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants who accept, process, store or transmit credit card information to implement security measures to protect sensitive purchase-related data. While honeypots are not explicitly mentioned by PCI DSS or any other compliance requirements, Adlumin tracks, they can be used as part of a comprehensive and broader security strategy to detect and respond to security threats.

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare organizations implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronically protected health information (ePHI). Again, while honeypots are not explicitly mentioned in HIPAA, they can be used as part of a comprehensive security strategy to detect and respond to security threats to ePHI.

Honeypot Usage and Deployment Considerations

When deciding as an organization to implement and use honeypots as part of a layered security defense, some key considerations can help ensure the honeypot is safe and effective^[2].

1. Placement – a honeypot’s placement is critical to its effectiveness. Honeypots must be strategically positioned within the network to offer potential attackers a target while appearing as legitimate services. Placement also needs to consider the network space in which you are allowing the attacker to gain a foothold. Additionally, decisions to deploy the honeypot on external vs. internal facing infrastructure will determine the types, frequency, and severity of detected attacks. External-facing honeypots are subject to frequent scanning, rogue exploitation by botnets, and attacks of convenience by many different threat actors. This can increase the noise in the logging signals and make it hard to separate real and targeted threats.
2. Isolation – the honeypot should be isolated from the rest of the network and not contain any sensitive information. This minimizes the attacker’s risk of leveraging access to the honeypots to continue their attack throughout the network using the honeypot as an initial foothold. Honeypot configurations must ensure the attacker is trapped and actions monitored appropriately.
3. Monitoring – the honeypot should be monitored closely to gather information about the attacker’s TTPs which can be fed into the network and security defenses. It’s not enough to just deploy a honeypot – the honeypot’s logs must be analyzed and used to create detections for malicious activity to warn the organization of potential attacks.
4. Management & Maintenance– the honeypot should be managed by experienced security personnel who can effectively configure, monitor, and maintain it to ensure its effectiveness in detecting and responding to attacks. Additionally, the honeypot should be regularly updated to ensure that it continues to mimic real-world systems and applications and remain attractive to attackers.
5. Integration with other Security Measures – the honeypot should be integrated with other security measures such as firewalls, intrusion detection systems, incident response plans, SIEMs, MDRs, and detection alert management, investigation, and response systems. This ensures that the honeypot contributes to the network’s security and helps increase its value by generating detections and alerts to activity. Some honeypots can be used to build detections dynamically based on attacker compromise.
6. Legal Considerations – the legal implications of using a honeypot must be considered, as some countries have strict laws regarding the monitoring and interception of communications. Organizations should comply with relevant laws and regulations when using a honeypot. There is also the potential to attract and trap innocent users, which should be carefully considered before deploying a honeypot.

Honeypots and Zero Trust

Zero Trust is a cybersecurity approach that assumes all network traffic is untrusted and consequently subject to strict security controls and monitoring. The Zero Trust model assumes that every user, device, and application is a potential threat and should be verified and authenticated before being granted access to sensitive data or systems.

In a Zero Trust model, network access is never automatically granted, even if a user or device is within the network’s perimeter. Instead, all access requirements are subject to multi-factor authentication (MFA) and monitored for suspicious activity. The Zero Trust approach protects against various threats, including malware, phishing attacks, and unauthorized access. By verifying and monitoring all network traffic, organizations can more expediently detect and respond to security incidents, reducing the risk of data breaches and more severe attacks.

Zero Trust and honeypots are security measures used to protect against security threats. While Zero Trust focuses on identity verification and attestation of all users, devices, and applications before allowing access to sensitive data and systems, honeypots detect unauthorized access to sensitive data by creating decoy targets that appear valuable and vulnerable to attackers.

Honeypots can be part of a multi-layered, defense-in-depth security strategy to detect threats to the organization and its networks. If a honeypot is accessed, it can trigger an alert which can be used to investigate potential incidents which complement other Zero Trust security measures such as MFA, continuous monitoring, and network segmentation. Honeypots can highlight where Zero Trust measures have failed and provide early warning against attacker operations and compromise.

Expand Your Security Defenses

The evolution of honeypots is a testament to the creativity and ingenuity of cybersecurity professionals and their commitment to staying ahead of the ever-evolving threat landscape. Honeypots can provide deep insight into attackers’ methods and motivations. However, thought needs to be given to what type of honeypot is best for an organization, what services should be simulated, and how to maximize value through proper deployment and usage.

Visit the Adlumin for Honeypots resource page for more information on expanding your defenses with deception technology.

References

1. Andress, J., & Andress, J. (2015). Chapter 10 – Network Security. In The Basics of Information Security: Understanding the fundamentals of infosec in theory and Practice (pp. 151–169). essay, Syngress.
2. Sanders, C., Randall, L., Smith, J., & Sanders, C. (2014). Chapter 12 – Using Canary Honeypots for Detection. In Applied Network Security Monitoring: Using Open Source Tools (pp. 317–338). essay, Syngress, an imprint of Elsevier.

By: Kevin O’Connor, Director of Threat Research

The Origin of the Honeypot

In the 1980s, honeypots became a permanent fixture in cybersecurity, riding the lines of defensive and deception technologies. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, published by Clifford Stoll in 1989, details the hunt for a computer hacker (later identified to be Markus Hess) who digitally broke into Lawrence Berkley National Laboratory (LBNL) in 1986^[1]. Stoll provides one of the first descriptions of what is known today as a honeypot.

To catch the hacker, Stoll set up an elaborate ploy by inventing a fictitious department under an imaginary contract within a real organization under LBNL that Stoll suspected the hacker was targeting. Creating a fake user working for the faux organization, Stoll filled the user’s digital assets with attractive-looking documents designed to gain the hacker’s attention and lure them into grabbing the files. His efforts would ultimately lead to discovering the hacker’s identity as Hess and the following arrest in Germany.

After Stoll flew to Germany and testified against Hess, it became public that Hess had been selling the bounty of his hacking operations against organizations like LBNL to the Soviet Union’s KGB intelligence agency. They would also work out that a Hungarian agent had contacted the fictitious LBNL department using information that could have only been sourced from Hess. This was part of the KGB’s standard routine to verify Hess’s information.

Later, in 1991, Bill Cheswick, considered one of the pioneers of computer security, published An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied^[2]. The Chronicle, one of the earliest technical descriptions of a honeypot, details leading a hacker on a “merry chase” to trace his location and learn his techniques. It details the bait and traps used to lure him and is the work that first applied and popularized the terminology of “jail” in cyber security. Cheswick had created a digital jail to trap the actor and watch their actions in detail^[3].

The concept of a honeypot has come a long way since its first use in the 1980s. Pioneers like Stoll and Cheswick were instrumental in laying the foundation for what has become an essential component of modern cybersecurity strategies. With the advancements in technology and the increasing sophistication of cyber-attacks, the use of honeypots has evolved over the years. Today, honeypots are used for defense, research, threat intelligence gathering, and incident response. Let’s explore the current usage landscape of honeypots in the field of cybersecurity and some considerations in deployment and usage.

What is a Honeypot?

Honeypots are security systems that lure cyber attackers and track their activities in a secure, isolated, and monitored environment. Honeypots can distract potential attacks from a target’s critical resources; act as an intelligence-gathering platform about attacks and their tactics, techniques, and procedures (TTPs); and strengthen security overall. Information collected by honeypots can also be used to identify vulnerabilities in a system, software, or protocol. They are, in essence, a decoy computer system meant to attract, trap, and expose potential attackers. As attackers are drawn to the honeypot and focus their efforts there, more valuable systems and data are protected by the attacker’s exposure through the honeypot. A well-designed and implemented honeypot is isolated from the rest of the network. It does not contain any sensitive information, so there is no risk of the attacker compromising it and accessing sensitive data.

Common Honeypot Services

Modern honeypots will typically work to provide “jailed” access to systems over specific protocols and their related applications, such as email, web services, and network administration services. These targeted applications may present high-value access to the target, data collection, theft opportunities, or an easy way to compromise and pivot through an organization’s and network’s systems.

Common services that are often developed into honeypots include:

• File Transfer Protocol (FTP)
• Telnet
• Secure Shell (SSH)
• HTTP Web Services
• MySQL or Database Specific Applications
• Administrative Applications
• Other Remote Access Methods (VPNs, Remote Desktops, and remote support apps)

Most network and computer services can be adapted into a honeypot with the proper modifications. Which honeypot services your organization deploys will depend on its legitimate services, attack surface, and known attacker motivations.

Types of Honeypots

Honeypots come in various forms and have evolved to meet the changing threat landscape. Several types of honeypots are designed to cater to specific security needs.

1. Low-interaction honeypots are designed to simulate a limited number of services and are less complex to implement, making them ideal for small-scale organizations. On the other hand, high-interaction honeypots offer a much more realistic and complex environment and are designed for organizations with larger security teams^[4].
2. Another type of honeypot is a hybrid honeypot, which is a combination of low-interaction and high-interaction honeypots. This honeypot balances complexity and ease of deployment, making it ideal for medium-sized organizations.
3. Virtual honeypots simulate a network environment and lure attackers into a virtual and often restricted or more heavily monitored network enclave.
4. Honeypots can also be combined to create a honeynet or honeyfarm, a network of honeypots used to monitor and track attacker activities. Honeynets are often used to gather information about and monitor large-scale attacks, such as distributed denial-of-service (DDoS) attacks.

Through pioneers like Stoll and Cheswick, honeypots have evolved from simple traps used to study and track hackers to complex security solutions that detect, prevent, and respond to cyber threats. The term “honeypot” has become synonymous with deceptive security technologies, and the concept is widely used in various industries, from financial services to healthcare, to protect against cyberattacks. And regardless of the type, honeypots are an indispensable tool in any cybersecurity arsenal that is crucial in detecting and mitigating cyber-attacks.

Visit the Adlumin for Honeypots resource page for more information on expanding your defenses with deception technology.

References

1. Stoll, C. (1989). The Cuckoo’s Egg: Inside the world of Computer Espionage. Doubleday.
2. Cheswick, B. (n.d.). Biography. Bill Cheswick’s bio. Retrieved January 30, 2023, from https://www.cheswick.com/ches/bio.html
3. Cheswick, B. (1992). https://cheswick.com/ches/papers/berferd.pdf. Winter USENIX Conference, San Francisco, 20–24. https://doi.org/https://cheswick.com/ches/papers/berferd.pdf
4. Edgar, T. W., & Manz, D. O. (2017). Research methods for cyber security. Syngress, an imprint of Elsevier.