In the context of IT security, a honeypot is a computer system that serves as a decoy or as a trap so organisations can gather information on attackers that break into their corporate networks. It’s not a new concept, but it seems honeypots are gaining more traction as a popular tool to combat growing cybersecurity threats. Cybercriminals are constantly finding new ways to break down the security measures companies have in place so gathering intel on them can be a great way to fend off their attacks. Today, we go through some of the best practices around implementing honeypots.
There’s a lot of emphasis on putting in defensive measures in order to ward off cyberattacks; IT security vendors these days purvey solutions that are aimed at keeping attackers out, and rightly so. Perimeter defence is definitely important, but it’s nigh impossible to keep all attackers out. When it happens, there is an opportunity to learn from the attack itself. That’s where honeypots come in.
Honeypots are considered a type of active defence. You’re essentially baiting cybercriminals to attack it. Once you’ve tricked them into thinking they have compromised an important system on your network, you can then monitor their behaviour so that you can build a profile of them. This information is invaluable for beefing up protection on your corporate IT environment. If done correctly, you can gather the data without compromising the security of all your other systems. They can also work to give you early alerts of intrusion attempts.
But before you even think about putting honeypots in place, you need to make sure you’ve done the prep work.
“From my point of view, before you even do that, you need to ensure you have all your housekeeping in place,” Atlassian head of security Craig Davies said during a panel discussion at SINET61. “You would know your configuration management, you would have great visibility of your environment; you would actually know what an attack would look like against your environment before you get into honeypots.”
Atlassian uses honeypots in a number of ways, one of which is by incorporating it into their bug bounty program. It’s a novel approach, but it has been effective for the enterprise software company.
“We know that instance is being attacked so we watch it, test ideas and then we take those ideas into our cloud environment,” Davies said. “When I talk to my peers, a lot of us are running, maybe not the classical definition of a honeypot, but we are certainly using them and sharing intel around for what we are seeing in our environments.”
While he found honeypots useful, Davies stressed that organisations shouldn’t even think about honeypots if they don’t have visibility of their environments or if they don’t have a great security operation practice in place.
“Visibility is key. No visibility — don’t do a honeypot,” he said. “All you’re going to do is make yourself feel warm and fluffy and nothing is going to change.”
Palo Alto Networks regional chief security officer for Asia-Pacific Sean Duca agreed with Davies and added that organisations need to focus on what they want to achieve when think about honeypots.
“It’s important to focus on what’s the outcome an organisation is looking at when they are looking to rollout these kinds of deception tools or honeypot solutions,” he said at SINET61. “If you’re not going to sit there and monitor the capability and you don’t have visibility aspects, then what are you actually doing?”
“I think the outcome should how you start building better defences inside your own environment.”
Australian Cyber Security Centre assistant secretary Michael Scotton highlighted that company mustn’t neglect prevention measures because honeypots are just one piece of the puzzle.
“Understanding the cyber kill-chain, understanding what an adversary does once they get on your network, how they move laterally, how they escalate privileges, understanding their tradecraft — if you’re feeding that into your security posture, that’s a very good thing to do but it’s not the starting point,” he said at SINET61. “If I come down to having $1 and where do I invest it, I would be investing it in prevention and making sure my security posture is good before I start looking at what happens after something goes wrong.”