
Why honeypots deserve a spot in your cybersecurity arsenal – Source: www.csoonline.com


Honeypots are another tool in the toolbox for proactive cybersecurity leaders looking to get insight into what the bad guys are doing and help mitigate organizational risks.

In cybersecurity, we spend a lot of time focusing on preventative controls — patching vulnerabilities, implementing secure configurations, and performing other “best practices” to mitigate risk to our organizations. These are great and necessary, but there is also much to be said for getting an up-close look at real-world malicious activity and adversarial behavior.

One of the best ways to do this is to use honeypots. The National Institute of Standards and Technology (NIST) defines honeypots as: “A system or system resource that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears.” It’s an amusing — and appropriate — coincidence that many advanced persistent threat groups have the word “bear” in their names.

Honeypots generally refer to entire systems or environments. Honeytokens, on the other hand, are often specific files, data, and other objects that are used similarly, serving as decoys to entice malicious actors and gain valuable information about them. That said, for this article, and to avoid granular differences, we will broadly use the term honeypots.

Why use a honeypot?

Preventative controls are critical, and they align with industry trends and the broader intelligence shared by groups such as Information Sharing and Analysis Centers (ISACs). But there are also a number of good reasons to use honeypots (and the associated honeytokens), not least that very little compares to direct threat intelligence drawn from your own organization, operational environment, and systems.

Cybersecurity defenders can use honeypots and their variants to get direct insight into the tools, techniques, and procedures (TTPs) of malicious actors targeting their organization.

Honeypots are often deployed in a constrained and controlled environment within a broader organizational architecture. This lets defenders capture specific forensic evidence for analysis and further research, and it provides crucial early risk indicators, such as attempts to probe networked resources, access sensitive data, or exploit vulnerable systems.

This is especially useful given that CISA’s recent report shows the most commonly exploited vulnerabilities are increasingly zero-days, meaning they were not publicly known at the time of exploitation. Organizations therefore need indicators and insight beyond known vulnerabilities and known exploitation activity.

The insights gained through honeypots can be used by defenders to adopt additional security measures or modify existing security controls and tooling to account for the malicious activities they actually observe.

Honeypots can lead attackers away from critical systems

In addition to providing critical threat intelligence for defenders, honeypots can often serve as helpful deception techniques to ensure attackers focus on decoys instead of valuable and critical organizational data and systems. Once malicious activity is identified, defenders can use the findings from the honeypots to look for indicators of compromise (IoC) in other areas of their systems and environments, potentially catching further malicious activity and minimizing the dwell time of attackers.

In addition to threat intelligence and attack detection value, honeytokens often have the benefit of having minimal false positives, given they are highly customized decoy resources deployed with the intent of not being accessed. This contrasts with broader security tooling, which often suffers from high rates of false positives from low-fidelity alerts and findings that burden security teams and developers.

How to utilize honeypots

Enterprises need to put some thought into the placement of the honeypots. It is common for them to be used in environments and systems that attackers can reach more easily, such as publicly exposed, internet-accessible endpoints and systems, as well as in internal network environments and systems.

The former, of course, is likely to get more interaction and provide broader generic insights. The latter is more valuable in tipping defenders off to malicious activity that has surpassed perimeter security tools and controls and has more potential to impact sensitive business systems and data.

Internally, organizations often look to place honeytokens in places that may be appealing to attackers, at least on the surface, to try and entice them to engage with the decoys. At the same time, they must be used in a manner that will not lead to frequent interactions from legitimate users to avoid false positive alerts.

The placement of honeypots will have an impact on both the volume and criticality of alerts. A publicly exposed endpoint or honeypot will inevitably get a lot of traffic, whereas internally deployed honeypots will have a lower volume of alerts.

When triggered, internal honeypots will likely prompt more critical and urgent responses because of their proximity to sensitive internal data and critical systems, and because an attacker who has reached them may be able to impact not just decoys but valid systems and resources, and with them business operations.

Another important consideration is to select the type of honeytoken(s) used based on the specific environment and objectives. For example, if you are focused on unauthorized access to credentials, such as usernames and passwords or API keys, you will want different resources than someone more focused on data, such as files and databases.

There are various options, both commercial and open source, and specific types of honeytokens that can be tailored to your individual needs and security goals.
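As an added illustration of the two points above (choosing credential-type honeytokens when unauthorized credential access is the objective, and the near-zero false-positive rate of a decoy that no legitimate process ever uses), here is example code that is not from the article or from any vendor named in it: it mints decoy API keys, keeps only a keyed hash of each in a registry, and scans constructed auth-log lines for any presentation of a decoy, reporting where that decoy had been planted. The log format, salt, and all names are assumptions made for the example.

```python
from __future__ import annotations
import hashlib, hmac, re, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Honeytoken:  # constructed type: one decoy credential and its placement
    token: str       # the decoy value; no legitimate process ever uses it
    kind: str        # "api_key", "password", ...: pick the kind that fits the objective
    planted_at: str  # where defenders left it, so a hit says where the attacker looked

def mint_api_key(prefix: str = "hk_") -> str:
    """Random decoy key: unguessable and it cannot collide with a real credential."""
    return prefix + secrets.token_hex(16)

def fingerprint(value: str, salt: bytes) -> str:
    """Keyed hash, so the registry itself is not a list of usable secrets."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()

class HoneytokenRegistry:
    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._by_fp: dict[str, Honeytoken] = {}
    def register(self, tok: Honeytoken) -> None:
        self._by_fp[fingerprint(tok.token, self._salt)] = tok
    def match(self, candidate: str) -> Honeytoken | None:
        return self._by_fp.get(fingerprint(candidate, self._salt))

# Assumed auth-log format: "<ts> src=<ip> auth=<credential> result=<ok|denied>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) auth=(?P<cred>\S+) result=(?P<res>\w+)")

def scan_auth_log(lines: list[str], registry: HoneytokenRegistry) -> list[dict]:
    """One alert per line that presents a decoy. The result field is irrelevant: even a
    denied attempt proves someone found and tried the decoy, so every hit is actionable."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = registry.match(m["cred"]) if m else None
        if hit:
            alerts.append({**m.groupdict(), "kind": hit.kind, "planted_at": hit.planted_at})
    return alerts

def demo() -> list[dict]:
    reg = HoneytokenRegistry(salt=b"constructed-demo-salt")
    decoy = Honeytoken(mint_api_key(), "api_key", "internal wiki: 'prod deploy notes'")
    reg.register(decoy)
    sample_log = [  # constructed: one real key, one decoy use from an internal host, junk
        "2024-01-01T10:00:00Z src=10.0.0.5 auth=hk_realkey result=ok",
        f"2024-01-01T10:02:13Z src=10.0.8.77 auth={decoy.token} result=denied",
        "not a parseable line",
    ]
    return scan_auth_log(sample_log, reg)
```

Because the decoy is never handed to a real user or service, the single alert `demo()` returns needs no tuning or suppression, which is the fidelity advantage the article describes.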

Finding honeypot resources

There are entire GitHub repositories maintained with honeypot resources, ranging from databases, applications, and services to various tools to both deploy and monitor for malicious activity. On the commercial front, organizations are providing innovative solutions, such as Horizon3.ai’s NodeZero Tripwires, which aim to streamline the deployment of decoys through automated deployment processes and integrations with leading threat detection tooling and workflows for more rapid response.

Others, such as GitGuardian, which focuses on software supply chain and secrets management, let users deploy honeytokens such as API keys, credentials, and other secrets as decoys in source code management (SCM) and CI/CD environments, and then monitor public GitHub repositories for leaks of those honeytokens.

Honeytokens and honeypots can represent discrete files, databases, credentials or even entire systems and digital environments depending on their complexity and an organization’s capabilities and imagination.

While commercial options offer native integration and monitoring, some products or tools, as well as open-source solutions, may require further integration and configuration to optimize your ability both to monitor for interaction with the honeytokens and to respond when potentially malicious activity is identified.

Honeypots, like any other security measure, are not silver bullets. But when used smartly alongside comprehensive enterprise security controls and tooling, they can enable organizations to proactively identify malicious activity in their environments, gain valuable threat intelligence, optimize their defenses based on observed real-world activity, and test their ability to detect and respond to nefarious activities.


Original Post url: https://www.csoonline.com/article/3814576/why-honeypots-deserve-a-spot-in-your-cybersecurity-arsenal.html

Category & Tags: Advanced Persistent Threats, Risk Management, Security Practices, Security Software
