Part 1 - Decoding the Trap: Unlocking the Power of Honeypots in Cybersecurity

cybersecurity defense phishing securing spam tips Apr 01, 2025

By: Adam Lynott - Information Security & Compliance Specialist, CivITas Bank Solutions

You don’t need me to tell you how to secure your network or lecture you about how dangerous it is to have vulnerabilities facing out toward the rest of the world. Cyber threats seem to be all around us. If you haven’t heard of a major company falling victim to a hack or a massive data leak recently, just wait five minutes.

So, you’ve got your network secured. You’ve prepped, planned, and done your due diligence on the vendors and services you’ve employed. It would be easier to break into Fort Knox than any of your external-facing ports. You may be thinking, what else is there? Let me introduce you to the honeypot.

A honeypot is a network-attached system set up as a decoy to lure cyber attackers and to detect, deflect, and study attempts to gain unauthorized access to information systems. It is a system that appears vulnerable and undefended – typically placed at a point in the demilitarized zone (DMZ) that hackers can find – but it has no connection to your actual production environment.

Based on their interaction, there are three types of honeypots:

  • Low-interaction – Gives the hacker very little insight into or control over the network, simulating only the services that attackers most frequently probe.
  • Medium-interaction – Allows the hacker more activity than its low-interaction counterpart.
  • High-interaction – Offers the hacker many services and activities, preoccupying them and wasting most of their time.
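To make the low-interaction category concrete, here is a small decoy service written for this article as an added example; it is not code from the post and not from Honeyd, Glastopf, or any other product named below. It presents a fake banner for one service, records whatever the client sends without ever interpreting or executing it, and writes a structured JSON event per session. The banner strings, the unprivileged listening port 2222, and the event field names are assumptions for the example.

```python
import hashlib
import json
import socket
import threading
from datetime import datetime, timezone

# Services the decoy pretends to offer. These banner strings are constructed
# for the example; a real deployment copies the banners of the asset being
# imitated so the decoy blends in with neighbouring systems.
SERVICE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "telnet": b"\r\nUbuntu 22.04 LTS\r\nlogin: ",
}


def make_event(service, peer, received):
    """Turn one decoy session into a structured log record.

    The decoy never interprets what it receives; it only records it. That is
    what keeps a low-interaction honeypot low risk.
    """
    preview = received[:64].decode("ascii", errors="replace")
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(received),
        "sha256": hashlib.sha256(received).hexdigest(),
        "preview": preview,
        # An SSH client announces itself with its own version banner; keeping
        # it tells the analyst which tooling knocked on the door.
        "client_banner": preview.split("\r\n")[0] if preview.startswith("SSH-") else None,
    }


def handle_session(conn, peer, service, sink):
    """Send the fake banner, capture what the client sends, log it, close."""
    try:
        conn.settimeout(5)
        conn.sendall(SERVICE_BANNERS[service])
        received = b""
        try:
            received = conn.recv(1024)
        except socket.timeout:
            pass  # a silent probe (port scan) is still worth logging
        sink(make_event(service, peer, received))
    finally:
        conn.close()


def serve(service, bind_addr="0.0.0.0", port=2222, sink=None, max_sessions=None):
    """Accept connections on an unprivileged port and log each one as JSON.

    max_sessions bounds the accept loop so the function can be driven from a
    test or a cron job; None means run until interrupted.
    """
    sink = sink or (lambda ev: print(json.dumps(ev)))
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    handled = 0
    try:
        while max_sessions is None or handled < max_sessions:
            conn, peer = srv.accept()
            threading.Thread(target=handle_session, args=(conn, peer, service, sink), daemon=True).start()
            handled += 1
    finally:
        srv.close()


if __name__ == "__main__":
    serve("ssh", port=2222)  # run unprivileged; redirect port 22 to 2222 at the firewall
```

Everything an attacker sends is hashed and truncated into a preview rather than acted upon, so the decoy has nothing to exploit; the JSON lines it emits are the raw material for the log parsing described in the setup steps below.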

How do honeypots work? They can do a few things. They can detect and monitor the hacker's activity as they infiltrate the honeypot device. They also act as a diversion, tricking the hacker into thinking they have found a way into your network. They can be used for research and analysis of attacker movements and behavior. Finally, they can act as an early warning system, alerting security teams to potential threats.

This all sounds great, but how would one go about setting up a honeypot? Unfortunately, it takes careful planning and execution to pull off successfully. Here are the steps to create one.

  1. Define your goals – Determine what type of threat intelligence you are aiming to gather. Are you targeting specific malware types? Specific adversaries? Defining what type of honeypot you want to create will help determine the next step.
  2. Choose your honeypot type – Looking at the three types of honeypots above (low, medium, or high interactions), you would choose one to suit the needs you defined in step one.
  3. Select where you want your honeypot to reside – Deciding where the honeypot lives is important. You could have it in the DMZ (as outlined above) or you can deploy it in the cloud.
  4. Decide on the honeypot software – There are a few options to look into, including some wonderful open-source software such as Honeyd, Glastopf, or HoneyNet. There are also paid options, including TrapX DeceptionGrid and Illusive Networks.
  5. Configure the honeypot – It’s best to set this up to mimic your target system and desired level of interaction.
  6. Deploy your honeypot – Place it in a securely isolated network segment, such as the DMZ or cloud, ensuring no direct connection to production systems. It should mimic real assets with believable services and traffic while avoiding obvious signs of deception. Use firewalls and IDS for passive monitoring, but don’t block interactions unless necessary to prevent risk.
  7. Monitoring and analysis – Set up the system to collect logs. Parse these logs to identify suspicious activity, connection attempts, and malware samples.
  8. Set up threat intelligence tools – Consider using this to aggregate data from your honeypot with other threat feeds.
  9. Develop an incident response plan – Create a plan to respond to potential incidents identified through the honeypot. Be sure to include procedures for isolating compromised systems, preserving evidence, and reporting attacks.
  10. Integration and maintenance – Be sure to test and update the device regularly to ensure it keeps functioning.
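Steps 7 through 9 come down to turning raw honeypot logs into alerts, indicators, and samples. The script below is an added example written for this article, not code from the post or from any of the honeypot products it names. It reads JSON-lines events (the log lines are constructed, with documentation-range IP addresses and a placeholder sample hash), survives corrupted lines, and flags three things a responder would want: password guessing against the decoy, one source probing several decoy services, and any uploaded payload whose hash should be pulled for analysis. The field names and the two thresholds are assumptions; map them to whatever your honeypot software actually emits.

```python
import json
from collections import defaultdict

# Constructed honeypot log: one JSON event per line, plus one corrupted line
# to show that a parser feeding an alerting pipeline must not crash on it.
SAMPLE_LOG = """\
{"ts": "2025-04-01T10:00:01Z", "src_ip": "198.51.100.23", "service": "ssh", "event": "connect"}
{"ts": "2025-04-01T10:00:02Z", "src_ip": "198.51.100.23", "service": "ssh", "event": "login", "user": "root", "password": "123456"}
{"ts": "2025-04-01T10:00:03Z", "src_ip": "198.51.100.23", "service": "ssh", "event": "login", "user": "root", "password": "password"}
{"ts": "2025-04-01T10:00:04Z", "src_ip": "198.51.100.23", "service": "ssh", "event": "login", "user": "admin", "password": "admin"}
{"ts": "2025-04-01T10:00:05Z", "src_ip": "198.51.100.23", "service": "ssh", "event": "login", "user": "pi", "password": "raspberry"}
{"ts": "2025-04-01T10:00:06Z", "src_ip": "198.51.100.23", "service": "ssh", "event": "login", "user": "ubuntu", "password": "ubuntu"}
{"ts": "2025-04-01T10:01:10Z", "src_ip": "203.0.113.9", "service": "http", "event": "connect"}
{"ts": "2025-04-01T10:01:11Z", "src_ip": "203.0.113.9", "service": "ftp", "event": "connect"}
{"ts": "2025-04-01T10:01:12Z", "src_ip": "203.0.113.9", "service": "telnet", "event": "connect"}
{"ts": "2025-04-01T10:02:30Z", "src_ip": "192.0.2.77", "service": "http", "event": "connect"}
{"ts": "2025-04-01T10:02:31Z", "src_ip": "192.0.2.77", "service": "http", "event": "upload", "sha256": "<constructed-sample-hash>", "size": 4096}
not json at all -- a corrupted line the parser must survive
"""

LOGIN_THRESHOLD = 5   # login attempts from one source before we call it brute force (assumed)
SCAN_THRESHOLD = 3    # distinct decoy services touched by one source before we call it a scan (assumed)


def parse_lines(text):
    """Return (events, bad_line_count); corrupted lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def analyze(text):
    """Turn raw honeypot log text into alerts, indicators and sample hashes.

    Nothing legitimate should ever connect to a decoy, so every source that
    touches it becomes an indicator for the threat-intel platform; the alerts
    rank the sources that did more than knock.
    """
    events, bad = parse_lines(text)
    logins = defaultdict(list)    # src_ip -> [(user, password), ...]
    services = defaultdict(set)   # src_ip -> {service, ...}
    samples = []                  # uploaded payloads to pull for analysis
    for ev in events:
        src = ev.get("src_ip")
        if not src:
            continue
        services[src].add(ev.get("service"))
        if ev.get("event") == "login":
            logins[src].append((ev.get("user"), ev.get("password")))
        elif ev.get("event") == "upload" and ev.get("sha256"):
            samples.append({"src_ip": src, "sha256": ev["sha256"], "size": ev.get("size")})

    alerts = []
    for src, attempts in logins.items():
        if len(attempts) >= LOGIN_THRESHOLD:
            alerts.append({"type": "brute_force", "src_ip": src, "attempts": len(attempts),
                           "usernames": sorted({u for u, _ in attempts if u})})
    for src, svcs in services.items():
        if len(svcs) >= SCAN_THRESHOLD:
            alerts.append({"type": "service_scan", "src_ip": src, "services": sorted(svcs)})
    for s in samples:
        alerts.append({"type": "malware_sample", **s})

    return {
        "alerts": alerts,
        "indicators": sorted(services),          # hand these to the threat-intel tooling
        "samples": [s["sha256"] for s in samples],  # hashes to retrieve from the decoy for analysis
        "parse_errors": bad,
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed log this yields one brute-force alert for 198.51.100.23, one service-scan alert for 203.0.113.9, one malware-sample alert for the upload from 192.0.2.77, and all three addresses as indicators; the response plan from step 9 then decides what to do with each, while the sample list tells you which files to preserve as evidence.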

Once set up, a honeypot offers many benefits. It enables early detection of malicious activity before a breach can occur. Studying the logs and the attacker's movements gives you valuable insight for strengthening your network. It can also redirect attackers away from legitimate systems, reducing the risk of actual damage. Finally, it can be cost-effective when the price of implementation is weighed against the potential losses from a breach.

Is having a honeypot perfect, guaranteeing that you won’t ever experience a breach? Not by any means. However, implementing one can provide another layer of defense and a way to study attackers’ tendencies. Look into implementing one, but be sure to do your research first to make sure it adheres to your goals. Finally, discussing or consulting with other cybersecurity professionals about implementation tips and disadvantages is always a good decision.
