Jun 09, 2015 By Andrey Zhuk In Blog

Part 1: Solving the Honeypot Dilemma: Countering: Dormant Threats Inside Your Agency’s Networks

“I write to inform you that we have discovered that CareFirst has experienced a sophisticated cyber attack that potentially allowed attackers to gain access to a limited portion of your personal information.” Those are the opening lines of a letter I received just two days ago.

CareFirst also informed me that the company learned on April 21, 2015, of the unauthorized access that took place on June 19, 2014. The breach gave attackers access to a database that stores login credentials to CareFirst’s website.

This means that for almost a year, CareFirst was oblivious to the fact that it was had. An attacker was inside their network and they knew nothing about it. This is despite the fact that, and I quote from the letter, “we take the security of your information as one of our highest priorities and, every year, invest millions in data security capabilities.”

So millions of dollars spent on security capabilities and still a breach? What is CareFirst doing wrong?

A lot of it has to do with being averse to change and sticking to the old paradigm of network security, whereby an organization invests a lot of money in perimeter and internal system monitoring security tools, such as firewalls IPSs, SIEM, etc. These tools just create more alerts and more consoles that are overwhelming security teams rather than increasing security.  With high-value organizations and government agencies, most attacks are meticulously crafted specifically for the target. These are, in fact, zero day attacks that will very often go unnoticed by the top of the line defenses. The general modus operandi should be to assume that attackers are already inside your network.

One approach to uncover an attacker is to rely on an Intrusion Detection System (IDS). An IDS is usually deployed off a SPAN port or a TAP on the core infrastructure switch where it passively monitors for malicious traffic. The weakness of this approach is twofold:

  1. IDS solutions rely extensively on signature-based detection, which doesn’t work in the case of Advanced Persistent Threat (APT) actors.
  2. If the attackers have been inside your network for a while, they could be using Advanced Evasion Techniques (AETs) and low-and-slow tactics to avoid behavioral heuristic detection.

So what else can be done? The answer is honeypots!

A honeypot is a computer trap set to detect, deflect, or, in some manner, counteract attempts to gain unauthorized use of an information system. In layman’s terms, a honeypot can lure out a malicious actor that would otherwise lay dormant and undetected. Honeypots have been around for a long time. However, there are two major problems with honeypots.

  1. They are expensive to stand up and maintain. Besides just the infrastructure and time needed to stand up a honeypot system, a good honeypot requires enough systems that the licensing just to have extra systems can be significant. Then you have to manage and monitor it.
  2. They can be compromised and used against the honeypot owner. If attackers can get in and stay undetected, they can actually turn the honeypot into a way to deceive the owners and send them on wild goose chases while the attackers carry out their mischief somewhere else in the network. That is, the honeypot becomes a perfect distraction for a criminal to walk in and out of the network “door.”

So you don’t see many honeypots in production, but here at SwishData, we constantly look for vendors with new and innovative technologies that can help our customers achieve their cyber security objectives.  We have found a way to stand up a honeypot that avoids both of those problems!  Tune in next time for the details.

For a preview of our solution that addresses both problems with HoneyPots, check out this whitepaper.