December 11, 2015 - Joe Franscella

Leveraging Your Honeypots with the Right Tools

<p><strong>Can you deploy honeypots offensively?</strong></p>
<p>In 1999, Lance Spitzner published How To Build A Honeypot, and since then we’ve seen a wide-scale proliferation of honeypot usage. Why? Because it's one of the only effective and offensive countermeasures we can take against hackers.</p>
<p>Some may disagree that honeypots are offensive, but to classify them as just another defensive monitoring tactic would be shortsighted. Read on and keep an open mind.</p>
<p><strong>Low-Interaction Honeypots</strong></p>
<p>If you’ve been doing a lot of research about deploying and maintaining a honeypot or honeynet, you’ve probably come across the classification of low-interaction vs. high-interaction honeypots. Both are offensive. Low-interaction server-side honeypots can be likened to landmines scattered all around your network, which makes advancement by malicious parties more difficult. Put yourself in the shoes of a treasure hunter (like Indiana Jones) for a second. You are faced with a huge field of landmines, and under some of those mines is the treasure you are looking for. Clearly it is going to be very difficult for you to proceed and discover the treasure. But if there were another treasure with fewer landmines (or none at all), you would move on to that target instead.</p>
<p>The same goes for a malicious actor.</p>
<p>While this may seem like an oversimplification, this type of role play helps illuminate how you can be proactive about security. Offensively setting up honeypots cuts into the payoff that a profiteering cyber criminal could receive from breaching your security.</p>
<p>There's a host (pun intended) of resources and open source projects on setting up low-interaction honeypots, including a Modern Honeynet project that also handles higher-interaction honeypots.</p>
<p><strong>High-Interaction Honeypots</strong></p>
<p>While low-interaction honeypots are like landmines that you can spread out offensively, <strong><a href="https://www.anomali.com/blog">high-interaction honeypots</a></strong> could be likened to a CIA agent going undercover outside of the home base and developing relationships with the enemy. Unbeknownst to the enemy, this agent is gathering intelligence and data, and discovering tactics that can then be shared with our allies through information sharing (for example, via STIX).</p>
<p>But, as with all good things, high-interaction honeynets can be difficult to manage and maintain, and most security teams already have tons and tons of data they must analyze and respond to.</p>
<p>So the real question is: why would you want to spend tons of time and effort on a single data source? Watch the video below to find out some of the obvious benefits. Are honeynets as burdensome as you think they are? We have simplified the process; <strong><a href="https://player.vimeo.com/video/98581051">check out our video</a></strong>.</p>
<p>In short, as we gather more information and pool our resources, we’ll be able to respond to threats faster, with more accuracy and a better understanding of how to respond. Ultimately, we’ll be able to stop these threats with pre-emptive strikes.</p>
<p>Want to learn more about this approach to monitoring threats? Check out our <a href="https://www.anomali.com/resources/whitepapers/observation-and-response-an-intelligent-approach"><strong>free whitepaper!</strong></a></p>
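To make the low-interaction "landmine" idea concrete, here is an added example of a minimal low-interaction TCP honeypot written for this page; it is not Anomali's code nor part of any of the open source projects mentioned above. It assumes only the Python standard library: the decoy binds a loopback port, answers every connection with a fixed fake banner (a constructed SMTP greeting), records the source address and the first bytes received without ever interpreting them, and exposes a per-source hit count. Because no legitimate client has any reason to touch a decoy, even a single recorded hit is a high-confidence alert, which is exactly why the "single data source" is cheap to act on. The `probe` function is test traffic over loopback so the example can be exercised offline.

```python
"""Minimal low-interaction TCP honeypot (added example, not Anomali code).

The decoy never executes or parses attacker input: it sends a canned banner,
logs who connected and what they sent first, then closes the connection.
"""
import socket
import threading
import time

# Constructed decoy banner; a real deployment would mimic whatever service
# the decoy is pretending to be.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
MAX_CAPTURE = 256  # bounded read: we only log, never interpret


class Event:
    """One observation: who touched the decoy and what they sent first."""

    def __init__(self, ts, src_ip, src_port, first_bytes):
        self.ts = ts
        self.src_ip = src_ip
        self.src_port = src_port
        self.first_bytes = first_bytes


class LowInteractionHoneypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.host = host
        self.port = port  # 0 lets the OS pick a free port
        self.events = []
        self._lock = threading.Lock()
        self._sock = None

    def start(self):
        """Bind, listen, and serve on a background thread; return the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:
                return  # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        buf = b""
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(FAKE_BANNER)
                # Read until the peer closes, times out, or the cap is reached.
                while len(buf) < MAX_CAPTURE:
                    chunk = conn.recv(MAX_CAPTURE - len(buf))
                    if not chunk:
                        break
                    buf += chunk
            except OSError:
                pass  # timeout or reset: keep whatever was captured
        with self._lock:
            self.events.append(Event(time.time(), addr[0], addr[1], buf))

    def wait_for_events(self, n, timeout=3.0):
        """Block until at least n events are recorded (handlers run async)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.01)
        return False

    def summary(self):
        """Hits per source IP. Any non-zero count on a decoy is alert-worthy."""
        counts = {}
        with self._lock:
            for e in self.events:
                counts[e.src_ip] = counts.get(e.src_ip, 0) + 1
        return counts

    def stop(self):
        self._sock.close()


def probe(port, payload=b"EHLO probe\r\n", host="127.0.0.1"):
    """Simulated client touching the decoy over loopback; returns the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(len(FAKE_BANNER))
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    p = hp.start()
    probe(p)
    hp.wait_for_events(1)
    print(hp.summary())
    hp.stop()
```

The design choice worth noting is the bounded, non-interpreting read: a low-interaction decoy gains its safety from refusing to act on input, so `MAX_CAPTURE` and the fixed banner are the whole "interaction". Anything richer (real protocol state, a shell) moves you into high-interaction territory and the maintenance burden the post goes on to describe.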
