Discovering evidence that someone is probing your network for weaknesses before they successfully attack makes all the difference. You will learn a lot about your enemies and what they are seeking after your network has been infected or your data has been stolen, copied, or sabotaged. But there is no reason to go through that when it’s avoidable, by using a honeypot network.
Hosting a honeypot network allows you to discover threat actors in a low or no-stakes situation. Honeypots can take many forms, but the principle applies universally that if an unused area of your network sees traffic, that traffic is problematic. Data about indicators of compromise (IOCs) is turned into intelligence only after being scrutinized for contextual meaning. Studying honeypot data critically, using both software analytics and human reasoning, informs you of the threats as they exist within the context of your situation.
How do you know if the intelligence gathered by a honeypot will be useful? First, understanding how they work elucidates what a clever concept they are. Secondly, results depend largely on using them skillfully, as with any tool.
Such as burglars “case” a target before taking what they want, cyber-criminals begin attacks with smaller invasive tactics. Examining the “evidence” found in a honeypot reveals much about the motives, means, and methods of threat actors. They collect data about the source of traffic, malware used, and which files were accessed. Same as being “cased” by criminals in the physical world, knowing how they intend to enter and what they are going after gives you valuable insight into their means and motives to better protect yourself. Low interaction honeypots are less convincing but are also a lower-stakes venture. High interaction honeypots allow the intruder deeper into your network. You learn more but you risk more, too. Using a multitude of honeypots together is a good strategy for covering your bases.
It’s possible to compare the IP addresses and other evidence against a log of other known threat actors to help identify the source of the traffic. Comparing the indicators of compromise you’ve discovered against criminal profiles collected by others puts the information in context. The Modern Honey Network is a newer novel approach to hosting a honeypot and leveraging all of the IOCs collected, resulting in better identification of cyber-criminals. Adding in your own traffic logs further develops the active bank of hacker profiles, and with MHN built tools you can share threat data securely.
To collect accurate threat intelligence, the honeypot must appear to be legitimate. Granted there may be some value in hackers discovering you have a honeypot but it may also be a deterrent. If they identify all of the traps on your network, they can avoid them. Even worse, they could feed misinformation to the honeypot in hopes of throwing you off their scent.
While planning attacks, hackers study popular honeypots to better identify them. The more nuanced and customized your honeypot network, the less likely the intruder will recognize it. Once identified, it’s recommended to rearrange your honey assets to be hidden again. Do not be discouraged when a honeypot is discovered. Rather, you should reconfigure it and set it up again, as you would with a sprung mousetrap.
To get accurate info from your honeypot network, you cannot simply set out a singular sandbox environment and hope all of your enemies leave digital footprints. Each potential threat, random or targeted, needs its own unique deception trap. For example, if you’re watching out for spam emails, set up an unused email account; whereas if you’re concerned about internal employee espionage, set up some enticing phony R&D folders.
Use of deceptive tactics against attackers is catching on. Early adopters set up a honeypot network to protect valuable assets like financial transactions and large caches of login credentials. Now the tech is more available. Studies predict by 2018, 10% of enterprises will be deploying honeypots.
Make a “greater good” commitment to the practice of sharing threat intelligence with other organizations in your industry vertical. Learn the obstacles to information sharing, the standards for the exchange of information and best practices for information sharing in this free download.
Topics:Modern Honey Network