For an organization that has a reasonably complete security posture, including a mature threat intelligence capability, the implementation of a so-called “honeypot” should be considered. A honeypot is a digital trap set for potential attackers. It lures attackers in by mimicking the target they were looking for, sometimes with deliberately built-in vulnerabilities that appear to be waiting to be exploited.
Once the attackers use the honeypot system, thinking they have reached the intended target, all actions are recorded and all modified and newly-dropped files are captured. In this way, a great deal can be learned about potential adversaries, their Tools, Techniques and Procedures (TTPs) and how they would circumvent the organization’s actual production security controls. It allows for truly proactive security intelligence gathering, although there are some caveats.

The Issue With Honeypots
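The capture step described above (recording which files an intruder modified or dropped) can be implemented as a baseline-and-diff over the honeypot's filesystem. The following is an added example, not code from the original post: it hashes every file before deployment, hashes again after the honeypot has seen activity, emits one JSON event per new, modified or deleted file, and copies each new or modified file into a vault keyed by digest so the artefact survives even if the attacker later removes it. The directory layout, file contents and the simulated post-intrusion changes are constructed for the demo.

```python
"""Baseline-and-diff capture of honeypot filesystem changes (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> list[dict]:
    """Return one event per file that appeared, changed, or vanished, sorted by path."""
    events = []
    for rel, digest in after.items():
        if rel not in before:
            events.append({"event": "new_file", "path": rel, "sha256": digest})
        elif before[rel] != digest:
            events.append({"event": "modified_file", "path": rel,
                           "sha256": digest, "previous_sha256": before[rel]})
    for rel in before.keys() - after.keys():
        events.append({"event": "deleted_file", "path": rel, "previous_sha256": before[rel]})
    return sorted(events, key=lambda e: e["path"])


def capture(root: Path, events: list[dict], vault: Path) -> list[dict]:
    """Copy every new or modified file into vault, named by its digest, and record where."""
    vault.mkdir(parents=True, exist_ok=True)
    for ev in events:
        if ev["event"] in ("new_file", "modified_file"):
            dest = vault / ev["sha256"]
            shutil.copy2(root / ev["path"], dest)
            ev["captured_as"] = str(dest)
    return events


def demo() -> list[dict]:
    """Run the pipeline on a constructed honeypot directory; returns the event list."""
    base = Path(tempfile.mkdtemp(prefix="honeypot-demo-"))
    root = base / "www"
    (root / "cgi-bin").mkdir(parents=True)
    (root / "index.html").write_text("<h1>welcome</h1>\n")
    (root / "cgi-bin" / "status.sh").write_text("#!/bin/sh\necho ok\n")
    before = snapshot(root)  # baseline taken before the honeypot goes live

    # Simulated post-intrusion state (constructed): one file altered, one dropped.
    (root / "index.html").write_text("<h1>welcome</h1><!-- defaced -->\n")
    (root / "cgi-bin" / "dropped.bin").write_bytes(b"\x7fELF" + b"\x00" * 16)
    after = snapshot(root)

    events = capture(root, diff_snapshots(before, after), base / "vault")
    for ev in events:
        print(json.dumps(ev))  # one JSON line per event, ready for log/SIEM ingest
    return events


if __name__ == "__main__":
    demo()
```

Running the file prints two events: a `new_file` for `cgi-bin/dropped.bin` and a `modified_file` for `index.html`, each with the vault path of the preserved copy. Hashing rather than comparing timestamps matters because an intruder can reset mtimes; copying by digest also de-duplicates the same dropped tool seen on several honeypots.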
A honeypot is a great weapon in the arsenal of defensive security teams. Its use does, however, come with some challenges.
The obvious one is the risk that an attacker successfully exploits a honeypot and then manages to move laterally into the actual production network. It is critical to isolate a honeypot from any other network! This seems like a simple task, but it only takes a single forgotten system or a single firewall rule change to create a very dangerous situation. Networks are inherently complex.
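Because a single rule change can undo the isolation, the firewall rule set guarding the honeypot segment is worth checking automatically whenever it changes. The script below is an added example, not code from the original post: it models the rule set as an ordered list of allow/deny entries and reports every allow rule that could carry traffic from the honeypot segment into a production range, unless an earlier deny already covers that whole path. The address plan and the rule set are constructed for the demo.

```python
"""Isolation check over a honeypot firewall rule set (added example)."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network

# Constructed address plan (assumption for the demo): the decoy lives in its
# own /24 and must never be able to initiate traffic into these ranges.
HONEYPOT_SEGMENT = IPv4Net("10.99.0.0/24")
PRODUCTION_SEGMENTS = [IPv4Net("10.10.0.0/16"), IPv4Net("10.20.0.0/16"),
                       IPv4Net("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: IPv4Net
    dst: IPv4Net
    comment: str = ""


def overlaps_any(net: IPv4Net, segments: list[IPv4Net]) -> bool:
    return any(net.overlaps(seg) for seg in segments)


def honeypot_escape_paths(rules: list[Rule]) -> list[Rule]:
    """Allow rules whose source can be the honeypot and whose destination reaches production.

    Rules are evaluated first-match. An allow is suppressed only when a single
    earlier deny fully covers its source and destination; partial coverage by
    several denies still yields a finding, which errs on the side of reporting.
    """
    findings, denies = [], []
    for rule in rules:
        if not (rule.src.overlaps(HONEYPOT_SEGMENT) and overlaps_any(rule.dst, PRODUCTION_SEGMENTS)):
            continue
        if rule.action == "deny":
            denies.append(rule)
            continue
        shadowed = any(rule.src.subnet_of(d.src) and rule.dst.subnet_of(d.dst) for d in denies)
        if not shadowed:
            findings.append(rule)
    return findings


def audit_demo() -> list[str]:
    """Audit a constructed rule set; returns the comments of the offending rules."""
    rules = [
        Rule("deny", IPv4Net("10.99.0.0/24"), IPv4Net("10.10.0.0/16"), "honeypot must not reach app tier"),
        # 'any' as destination silently includes every internal range: the classic forgotten rule.
        Rule("allow", IPv4Net("10.99.0.0/24"), IPv4Net("0.0.0.0/0"), "honeypot internet egress"),
        # A broad source written for convenience also matches the honeypot.
        Rule("allow", IPv4Net("10.0.0.0/8"), IPv4Net("10.20.0.0/16"), "temporary change"),
        # Fully shadowed by the first deny, so not reported.
        Rule("allow", IPv4Net("10.99.0.0/24"), IPv4Net("10.10.0.0/16"), "shadowed allow"),
        # Does not involve the honeypot at all.
        Rule("allow", IPv4Net("192.168.5.0/24"), IPv4Net("10.10.0.0/16"), "office to app tier"),
    ]
    found = honeypot_escape_paths(rules)
    for rule in found:
        print(f"ESCAPE PATH: {rule.src} -> {rule.dst} ({rule.comment})")
    return [r.comment for r in found]


if __name__ == "__main__":
    audit_demo()
```

The two findings it prints are the ones that bite in practice: an egress rule whose destination is "any", which quietly includes the internal ranges, and a broad source prefix added for a one-off change that happens to contain the honeypot. Wiring a check like this into the change pipeline for the firewall turns "a single forgotten rule" from a silent risk into a failed review.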
Another challenge is the amount of time, and with it the cost, that managing a honeypot requires. The system will need to be configured and maintained, of course. But that is not all: the captured activity needs to be used by the organization’s security teams for it to be of any value. Structuring it and fitting it into operational processes takes a lot of time. The information will