Insights from Black Hat and DEFCON 2015: Rethinking Honeypots: Early warning can deliver real business value
For years, research and academic deployments of honeypots have drawn large crowds with excited onlookers interested to hear what was discovered about bad actors with a vast honeypot deployment. The problem is that these academic learning exercises are difficult to translate into business and operational value. It is just too expensive and too time consuming to design, create, deploy and manage a honeypot environment just for the chance to draw in and play games with a possible attacker in a production environment.
A honeypot will only be an attractive investment to security teams and executive management if the honeypot’s business value matches or exceeds the cost and time investment—which has never been established by the way that academics and researchers use honeypots. I believe this is because honeypots have been pigeon-holed as tools to learn about hackers and “play games” with them for fun and misdirection. In fact, a honeypot can deliver real value simply by serving as an early warning alert system that something is wrong. Yes, collecting data on attackers when they breach a network and using deception both have value, but those tend to require more cost and work while offering less comparative value. Simply alerting the team that someone is in actually provides real value.
It’s been well documented by Verizon’s annual Data Breach Investigative Reports (DBIRs) and other studies that approximately 75 percent of breaches took months to discover and often were only discovered when an outside organization notified the breached entity that something was wrong. Therefore, the value of early warning that someone is inside your network scanning or accessing your systems is immense and understated in the case of simple honeypots with alerting set up.
Recently, several appliances have hit the market that simplify the deployment and management of automated honeypots. These devices tend to be configurable from a GUI and require very little care and feeding compared to a custom created honeypot infrastructure. These appliances throw out virtual instances of systems that an attacker will scan and try to access that would only be touched by a bad actor, whether an insider or intruder. That can be very cost effective compared to the normal design of a complicated and custom document-loaded system with the purpose to deceive bad actors and keep them busy.
After adding one of these appliances, security staff can also make some simple administrative changes to further enhance the early warning system of an automated honeypot appliance. Three examples:
- Create juicy named Email accounts that are completely unused and stay dormant. Set up monitoring alerts that are sent to the SIEM when they are accessed in anyway.
- Leave all default admin account names for AD, SQL, SharePoint, Exchange, etc., but demote them if possible and create new administrative accounts that all staff use instead. Set up monitoring alerts that are sent to the SIEM when they are accessed or attempted to be logged into in any way.
- Creating unused CIFS shares with juicy names and useless files. Set up monitoring alerts that are sent to the SIEM when they are accessed in any way.
One of our cyber leads here at SwishData, Andrey Zhuk, has blogged about the problems and costs of traditional honeypot infrastructures and how an automated honeypot can offer great value and solve these problems. (Part 1 and Part 2) In those blogs, Andrey also explained how TrapX integrates with industry leading malware sandboxes in ways to make their product even more valuable to an enterprise organization.
For more information on automated honeypots and any assistance your organization might need setting up simple configurations such as the three examples above, contact SwishData for an engagement plan.