10 April 2022 | by Xavier Bellekens
honeypot cyber security or decoys are lures made to replicate the behaviour of a real system or service on a network to draw cyber criminals away from a legitimate target.
Decoys are designed to gather intelligence data from interactions. The data can consist of techniques, tactics and procedures or criminal motivations. In some cases, the information collected can also reveal the identity of the perpetrator.
They are often modelled after legitimate assets, such as software applications, network applications or servers. The intention is to purposely make the honeypot instance look and feel like a legitimate target. The blue team’s aim is to convince adversaries to exploit multiple honeypots first. While adversaries spend their time within the controlled environment, the production network remain safe.
The honeypot system, will record all interactions between the criminal and the decoy. The intelligence gathered will be used to analyse the attacker’ methods, their capabilities and understand the sophistication of the attack. The intelligence will benefit the blue team to evolve and improve their cybersecurity strategy. The red team on the other hand will also benefit from the data by staying current with their techniques, and may give them ideas for their next engagement.
Honeypots can also help both the blue and red team reveal potential blind spots within the architecture, and uncover a new attack surface.
The premise of a honeypot is simple, look and feel like a (valuable) target.
It can be made to look and feel like a database containing valuable information such as IP, patents or credit card data.
The attacker’ appeal for the honeypot is a simple equation
REWARD X DIFFICULTY = APPEAL
Honeypots can be classified in two categories
Production honeypots are deployed by organizations, private companies, and high-profile individuals, to gather threat intelligence on attackers in production systems. Most often IP addresses, intrusion attempts, attack velocity, volume of traffic generated are collected. The decoys emulate real services, website, or systems to lure attackers into spending their time and resources on them. While, the target production systems can continue operating without damage. This type of honeypot is also known as pure honeypot.
Research honeypots are design to collect data and information on the methods used by attackers. They are deployed and monitoring to gather information on new malware, vulnerabilities such as 0 days and to reference the tactics used.
Both production honeypots and research honeypots have 3 modes of operation;
Low interaction honeypots provides very limited access to the website or service. These are resource effective and are mostly used to generate a high-fidelity alert while collecting basic information about the attacker. Your honeypot is a static environment, that emulates a small percentage of a real system. Low interaction honeypots aren’t complex enough to capture threats such as zero-days exploit. While they may not fool advanced threat actors, they are still very effective against insider threats and low threat actors.
Medium interaction decoys often offer a good balance between the amount of data to be collected and its risk of being exploited by the attacker for a lateral movement.
These decoys often include specific vulnerabilities, increasing the appeal by lowering the attack difficulty. For example, a medium interaction decoy may emulate a web server with a specific vulnerability and by providing enough functionality to the attacker to obtain certain information, while revealing some of its methods.
High interaction honeypots are designed to fully engage adversaries and may consist of real or virtualized systems such as operating systems or databases. The aim of a these honeypots is to provide the cybersecurity team with a deep understanding of the modus operandi of the adversary.
A high interaction honeypot will inherently consume more resources. Both on the technical and maintenance side, however, will also provide higher-quality intelligence. A high interaction honeypot may yield information on an attacker’s behaviour, privilege escalation or zero-days used.
The main downside of a high-interaction decoys is the time consumed to build and maintain the environment for a long period of time, while ensuring a proper monitoring of the system.
While honeypots are part of the cyber deception ecosystem, at Lupovis we consider cyber deception technology to be the holistic approach that help deceive an adversary consistently before and during a cyber-attack. Note that they are also most often stand-alone systems.
There are various types of honeypots
These honeypots are low, medium or high interaction honeypots that represent a service such as SSH, FTP, RDP, Web applications, API, PLC, RTU, etc. Each can be deployed individually or in conjunction with other services. For example, a web application decoy may also have an API decoy and port 22 open for an SSH decoy.
When more than one high interaction honeypot is deployed, you can create a honeynet. Honeynets can consist of one or more types of decoys such as the combination of a spam honeypot and pure honeypot, both residing on the internal network, monitoring for interactions. Combining honeynets with intrusion detection systems and firewalls can tremendously improve the security measures of a production system.
Operating System similarly to services honeypots may be low, medium or high interaction an aim but representing a real computer system. These may represent a full or a portion of an operating system. For example, when scanned with NMAP, virtual machines may reply with the signature of a Cisco router.
Various honeypots simulate and emulate databases, programmable logic controllers, Apache server, windows operating systems and can be run on bare metal, virtualized or containerized.
Whichever type of honeypot or deception solution you use, the most important element to consider is your end-goal objective. Hence, the main question to answer is
Do I want to stop a breach early or collect threat intelligence?
Your ROI will be based on how much the honeypot or deception solution is costing you in management overhead, compared to the actual cost of a successful cyberattack in the first case.
In the second case, your ROI will be based on how much the honeypot or deception solution is costing you in management overhead, compared to the value of the information you can collect in threat intelligence before and during a breach.