We’ve written on this blog about keeping your network safe by using strong authentication, advanced firewall technology, and modern antivirus software. Today, we’ll discuss another strategy for securing your network: the honeypot. This technique lets you detect intrusions by setting up a decoy and being alerted when something goes wrong: someone connecting to your honeypot when they have no business doing so; someone trying to copy files they shouldn’t copy; or even stopping an insider or employee from looking around in parts of the network they shouldn’t be in.
Honeypot technique and devices
The honeypot technique is one in which you offer an attacker something that seems to be of value but is really just a decoy that can report tampering back to you. The decoy can look like a file server, a particular port on a particular machine, a workstation, or anything else you’d like to dress it up as. There are a few companies out there who will sell you a piece of hardware that attaches to your network, looks like one of your existing devices, and has reporting or logging features to let you know when someone has tampered with it.
Those devices are essentially tiny workstations themselves: they run an operating system, logging and reporting software, and nothing else. Your best bet may be to set up your own virtualized workstation or server that does nothing besides sit there, wait to be tampered with, and report when it has been. If you have unused resources on a machine that’s already running, you can set that system up to run multiple honeypots, each reporting login attempts, connection attempts, and so on. If someone attempts to connect to it or copy data out of it, you can be alerted that malicious behavior is taking place and put a stop to it.
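As an added illustration (my own example code, not part of the original post or any vendor’s product), here is a minimal TCP decoy listener in Python: it binds a port that no legitimate client has any reason to touch, never answers, and turns every connection into a critical alert record. The service name `decoy-fileshare`, the port choice and the `demo` probe client are constructed for the demo.

```python
import socket
import threading
from datetime import datetime, timezone

class DecoyListener:
    """Minimal TCP decoy: it offers nothing real, so any connection is suspect."""
    def __init__(self, host="127.0.0.1", port=0, service="decoy-fileshare"):
        # port=0 lets the OS pick a free port for the demo; a real decoy listens
        # on the port of the service it impersonates (e.g. 445 for an SMB share).
        self.service, self.alerts = service, []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def handle_one(self, banner_timeout=1.0):
        """Accept one connection, capture the client's opening bytes, alert."""
        conn, (src_ip, src_port) = self.sock.accept()
        with conn:
            conn.settimeout(banner_timeout)
            try:
                first = conn.recv(64)  # keep only the opening bytes; never reply
            except socket.timeout:
                first = b""
        return self.record(src_ip, src_port, first)

    def record(self, src_ip, src_port, first_bytes):
        # Any touch of the decoy is treated as a confirmed intrusion signal.
        alert = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "severity": "critical", "decoy": self.service, "decoy_port": self.port,
            "src_ip": src_ip, "src_port": src_port, "first_bytes": first_bytes.hex(),
            "message": f"connection to decoy {self.service} from {src_ip}",
        }
        self.alerts.append(alert)
        return alert

def demo():
    """Constructed scanner touching the decoy once; returns the resulting alert."""
    listener = DecoyListener()
    def probe():
        with socket.create_connection(("127.0.0.1", listener.port), timeout=2) as c:
            c.sendall(b"GET / HTTP/1.0\r\n\r\n")
    t = threading.Thread(target=probe)
    t.start()
    alert = listener.handle_one()
    t.join()
    listener.sock.close()
    return alert
```

A deployment would loop on `handle_one` and ship each alert as one JSON line to your log collector; the decoy’s port must be one that no legitimate process or monitoring tool is configured to probe, or the alerts will drown in noise.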
When do you need a honeypot?
Honeypot detection techniques can be used on your network to notify you of a breach of the highest severity. Since they detect malicious behavior that is already on your network, they are a reactive security measure that lets you know that you’ve already been compromised (as opposed to a proactive measure that would try to prevent the breach in the first place). If someone tampers with a honeypot that you’ve set up, you know that it’s time to take dramatic action to tighten up your network.
If an attacker (from outside your organization) has made it that far, they’ve evaded the rest of your defenses, can connect to your network, and are likely surveilling it for targets. While a modern EDR or firewall system will be able to detect, for example, a spike in network activity that indicates your data is being exfiltrated, a honeypot can alert you earlier that someone was looking for data in places they shouldn’t. For instance, effective honeypot alerts can mitigate a ransomware breach by raising an alert before the attacker can even copy or encrypt your data, simply because they stumbled across a decoy file share while canvassing your network.
Honeypots are a great tool to implement as a high-priority alert about what’s happening on your network. Once implemented, they (ideally) require no attention until something goes wrong; but when they do fire, it signals an urgent matter to attend to. As part of your overall security strategy, they can be a very valuable resource for protecting your data and stopping malicious behavior.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team