
What Is a Honeypot?

Defining Honeypots

Honeypots are decoy systems stocked with attractive fake data, isolated and monitored for activity, that divert and detect attackers with no risk to real data, operations or users. Traditionally, honeypots baited attackers with fake credit card data and access credentials on stand-alone systems to learn who enters, what methods they use, and what they are after. Honeypots have since evolved into automated deception technology, which is more dynamic and acts as a smart alarm system.

Types of Honeypots

There are various types of honeypots – all with different purposes.

Pure honeypots

Full-fledged systems where an attacker’s activity is monitored by a bug tap installed on the honeypot’s link to the network. Because each one is a full OS-based system, pure honeypots are difficult to scale and open to compromise.

High-interaction honeypots

Use virtual machines to run multiple honeypots on one physical device, which improves scalability and makes them easy to reset. However, imitating the full services of production servers makes them expensive to maintain, and they are also open to compromise.

Low-interaction honeypots

Simulate only the services attackers most frequently request, again using virtual machines to run multiple honeypots per physical server for scalability. Because of this narrower focus, they consume fewer resources, which improves scalability further, and they have shorter response times, less code, and a virtual system that is less complex to secure.
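A minimal low-interaction honeypot of the kind described above, as an added example that is not code from the original page or from any product it mentions. The decoy banner, port 2121 and the event field names are assumptions chosen for illustration.

```python
import json
import socket
import time

FAKE_BANNER = b"220 files.example.internal FTP server ready\r\n"  # constructed decoy banner
MAX_CAPTURE = 512     # cap bytes read from a peer so the sensor cannot be flooded
READ_TIMEOUT = 3.0    # seconds to wait for the peer's first input


def handle_connection(conn, peer, events):
    """Present the fake banner, capture the peer's first input, record one alert."""
    conn.settimeout(READ_TIMEOUT)
    first_bytes = b""
    try:
        conn.sendall(FAKE_BANNER)
        first_bytes = conn.recv(MAX_CAPTURE)
    except OSError:
        pass  # timeouts and resets: a silent scanner is still worth an alert
    finally:
        conn.close()
    event = {
        "ts": time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": "ftp-decoy",
        # repr() keeps control bytes from being interpreted by log viewers
        "first_input": repr(first_bytes),
    }
    events.append(event)
    return event


def serve(host="127.0.0.1", port=2121):
    """Accept loop: no legitimate user has a reason to connect, so every hit is logged."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            print(json.dumps(handle_connection(conn, peer, events)))


if __name__ == "__main__":
    serve()
```

Only a banner is emulated and nothing the peer sends is ever executed, which is why this class of honeypot has so little code to secure.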

Honeypots are primarily manually maintained and difficult to scale, and attackers can find them statistically because they lack the frequent activity, users and updates that would make them convincing lures. However, honeypots do provide valuable research use cases and are also used in production environments, which has led to a variety of honeypot technologies, including: malware honeypots, email/spam honeypots, database honeypots for web services, canary traps with beacons, and multiple honeypots combined into honeynets.

How Honeypots Have Evolved into Deception Technology

The concept of deception technology is to provide an active defense through the use of decoys to lure, detect, and defend, without the issues of scalability, skilled and available resources, and containment versus detection that arise with honeypots. Automation is key to creating effective modern deception defenses, which should also accommodate the following features:

  • Automated discovery – continuously maps networks, assets, resources and services creating profiles to learn the ‘real’ environment.
  • Automated decoy creation – builds optimal decoys with interactive services and applications to engage attackers or malware with what they desire.
  • Automated deployment – positions a wide variety of decoys in optimal locations with a mixture of breadcrumbs on real assets as lures to make deception deterministic.
  • Active response – enables security teams to script and automate workflows for active response and investigation.
  • Automatically adapts – to changes in networks, assets, resources or services to update discovery profiles and enable the automation of new and updated decoys and breadcrumbs.

Why Evolving Honeypots to Automated Deception Is Important

The automation built into modern deception defenses removes manual maintenance issues, eliminates the need for special skills to create deception decoys and the know-how for where to deploy them, and adds the high value use of breadcrumbs as lures. Today, a tier-1 security analyst can configure, deploy and maintain multiple deception layers across an enterprise for on-premises and cloud environments.

Research honeypots still have their use cases, but they remain challenging to maintain, scale and secure from compromise. For most enterprises, however, modern deception defenses with the interactive services attackers desire provide improved scale and security through automation, all but removing maintenance. Variety in decoys and breadcrumbs is important, covering both structured and unstructured data use cases, to lure both human attackers and malware. Modern deception defenses also leverage Active Directory credentials and understand how to place access credentials as lures next to decoys with interactive services and applications.
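How credential breadcrumbs planted on real assets turn into deterministic alerts, shown as an added example that is not code from the original page or from any product it mentions. The account names, host names, log format and log lines are all constructed, and the registry mapping each decoy account to the asset it was planted on is a hypothetical design.

```python
import json

# Hypothetical breadcrumb registry: decoy account -> real asset where the lure was planted.
BREADCRUMBS = {"svc_backup_adm": "WKSTN-FIN-07", "sql_report_ro": "SRV-APP-02"}

# Constructed authentication events, one JSON object per line; one record is truncated.
SAMPLE_AUTH_LOG = r'''
{"ts": "2024-05-01T09:12:03Z", "user": "jsmith", "src": "10.0.4.21", "dst": "SRV-FILE-01", "result": "success"}
{"ts": "2024-05-01T09:14:40Z", "user": "CORP\\SVC_BACKUP_ADM", "src": "10.0.4.57", "dst": "DECOY-NAS-01", "result": "success"}
{"ts": "2024-05-01T09:15:02Z", "user": "sql_report_ro@corp.example", "src": "10.0.4.57", "dst": "SRV-DB-03", "result": "failure"}
{"ts": "2024-05-01T09:15:09Z", "user": "sql_report_ro
{"ts": "2024-05-01T09:20:11Z", "user": "svc_backup", "src": "10.0.4.30", "dst": "SRV-FILE-01", "result": "success"}
'''


def normalize_account(raw):
    """Reduce domain-prefixed and user@realm forms to a bare lowercase account name."""
    return str(raw).split("\\")[-1].split("@")[0].strip().lower()


def detect_breadcrumb_use(log_text, breadcrumbs=BREADCRUMBS):
    """Return one alert per auth event that uses a decoy account, success or failure."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            account = normalize_account(event["user"])
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # skip truncated or malformed records rather than abort the scan
        if account in breadcrumbs:  # exact match only; no real user holds these names
            alerts.append({
                "line": line_no,
                "account": account,
                "planted_on": breadcrumbs[account],  # asset the lure was likely read from
                "src": event.get("src"),
                "dst": event.get("dst"),
                "result": event.get("result"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_breadcrumb_use(SAMPLE_AUTH_LOG):
        print(json.dumps(alert))
```

Because no legitimate user or service is ever issued a decoy account, any match is actionable, and the `planted_on` field tells the analyst which real asset to examine first.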

Modern deception is based on honeypots, but automation and integration with network traffic analysis have changed the playing field to enable successful and easy-to-maintain deployments. This enables a defense with no risk to data or resources and no impact on users or operations, providing high-fidelity alerts with few false positives.

To learn more about deception technology, read this page on Fidelis Deception.

Doron Kolton

Doron has held executive and management roles in cyber security and software development for over 25 years. He now serves as the CTO for Deception at Fidelis Security. Doron founded TopSpin Security in 2013, building an enhanced architecture providing accurate detection with minimal overhead; he was the CEO of TopSpin Security until the company was acquired by Fidelis Security. Previously he served as Vice President of Products and Engineering at Breach Security (acquired by Trustwave), defining and developing an advanced Web Application Firewall. Before that he held several roles at Motorola Semiconductor Israel, including leading the software development for the company.
