Honeypots as deception solutions: What to look for and how to buy

Commercial and open source honeypot tools are now effective deception solutions. Here's what you need to know before implementing them.

Honeypots are once again in the news. If you stopped by the WatchGuard booth at last month’s RSA Conference in San Francisco, chances are good that you connected with one of its Wi-Fi hotspots. Those hotspots were there to log how many people would try to connect to an open network. WatchGuard found that the average length of time spent connected was more than enough to compromise the connection. Recently, researcher Doug Rickert has been experimenting with the open source Cowrie SSH honeypot, writing about it on Medium. He found an average of at least 200 daily attempts, a few of them from serious hackers who tried to penetrate his honeypot further.

The attention is well-deserved, as honeypots can be useful for a wide variety of purposes. They can help locate attackers quickly, provide a new way to automate more offensive cyber security measures, and can be useful even for smaller enterprises that don’t have their own security operations centers or a large IT staff. Now they have been rebranded as cyber deception solutions, sometimes referred to as honeynets.

Setting up a honeynet as a deception solution

Putting up a simple honeypot isn’t difficult, and you can find numerous open source products besides Cowrie, ranging from the original Honeyd to MongoDB and NoSQL honeypots to ones that emulate web servers. Some even appear to be SCADA or other more advanced applications.

The problem is in managing all these decoys. Most of these open source projects run only one or two protocols, so you will need your own honeypot army to cover the range of internet services that most modern enterprises use to deliver their applications. Also, each open source project has its own notification and monitoring scheme, which can be daunting to manage if you are running many different ones across your network.

Once you get serious about deception, you’ll need a solid layer of automation. Ideally, you would like a tool that could automatically discover your existing network resources, assemble a series of decoys that mimics what you have running, and then keep track of what happens to these decoys and report on who reaches out to touch them. What makes a honeypot so compelling is that no real user should ever be seen there: Anyone stopping by is someone who shouldn’t be on your network.

Deception network goals

The goal of these deception networks is threefold:

  1. Reduce the dwell time of any attacker or malware on your network. This allows you to detect and close any breach. The faster you are notified about an attacker roaming your routers, the better. As hackers are getting more adept at hiding in plain sight, using fileless malware and polymorphic techniques that don’t leave many fingerprints behind, you want more sophisticated methods to find them.

    The deception products all claim a very low false-positive rate, so when they alert you to something fishy, you will know it requires you to take appropriate action. This can be appealing for smaller IT shops that don’t want to build out a 24/7 security monitoring center of their own.

[Figure: Sample report showing alerts from the Illusive deception tool]

  2. Complement your network protection tools and find any gaps in them. Having a series of honeypots spread around your network helps find these wormholes so you can beef up your security accordingly and use their results for more defensive intelligence as well. Some enterprises use deception tools to help train their red teams’ searching abilities.
  3. Reduce the time to deploy your decoys and get things up and running. You don’t necessarily have the skills, time, or resources to do it yourself. Some tools have very realistic decoys and a wide range of decoy types, including ATM terminals and SCADA controllers, all to appear more like real running computers. For example, TrapX supports integration with a wide range of sandboxes, including Cisco AMP Threat Grid, McAfee ATD, Palo Alto Networks WildFire, ThreatTrack, and Cuckoo.

The more realism, the better at trapping and keeping a hacker engaged for a long time. Why is this important? Because then you can obtain more forensic data on who is penetrating your network and the methods that they use. This is why some tools come with their own forensics package or other analysis engines.

Honeypot types

Ideally, a deception network should include all four of the following honeypot types, what one vendor calls “deception in depth”:

  • Pure systems that are running the actual operating systems and have special taps to monitor interactions.
  • High-interaction honeypots that typically make use of virtual machines (VMs) or other emulations.
  • Low-interaction honeypots that use more bare-bones VMs and are designed to only simulate a particular aspect of a resource or server.
  • Breadcrumbs or lures, which are copies of files, credentials stored in particular memory locations, or registry keys that try to simulate what is normally found on a real user’s machine, often used as bait.
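As an added illustration of the low-interaction type above (example code, not from the article or from any vendor it names): a decoy that presents an SSH-style banner on a port no legitimate user has any reason to visit, and turns every connection into an alert record. The banner string, the event field names and the in-memory event list are assumptions made for this example; a real deployment would mirror the version banners actually present on the network and forward each event to the SOC tooling rather than keeping it in a list.

```python
"""Minimal low-interaction decoy: accept TCP connections, present a fake
SSH banner, and record every touch as an alert.

Added example; not code from the article or from any product it names.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Banner the decoy presents. Assumed value for illustration only; a real
# decoy would copy a banner that actually exists on the network so it blends in.
DECOY_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def touch_event(peer, first_bytes, service="ssh-decoy"):
    """Turn one connection into an alert record.

    A decoy has no legitimate users, so every touch is reportable; there is
    deliberately no 'benign' branch here. Field names are assumptions.
    """
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "client_hello": first_bytes.decode("ascii", errors="replace").strip(),
        "severity": "high",
        "reason": "connection to decoy service",
    }


class DecoyListener:
    """Bind a port, answer each connection with the banner, log the touch."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # actual port when port=0
        self.events = []            # in-memory alert log for the example
        self._lock = threading.Lock()

    def serve_once(self, timeout=5.0):
        """Accept one connection, send the banner, read what the client
        sends first (real SSH clients send their own banner), record it."""
        self.sock.settimeout(timeout)
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(DECOY_BANNER)
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""
        ev = touch_event(peer, data)
        with self._lock:
            self.events.append(ev)
        return ev

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    decoy = DecoyListener()
    print(f"decoy listening on 127.0.0.1:{decoy.port}; connect to trigger an alert")
    print(json.dumps(decoy.serve_once(timeout=60)))
    decoy.close()
```

The point of the design is in `touch_event`: there is no classification step, because the only way anything reaches the decoy is by probing a service that was never advertised, which is exactly the property the article attributes to honeypots.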

CSOonline tested four professional-grade deception services about a year ago: TrapX Security, Cymmetria, Illusive Networks, and TopSpin Security. Since then, TopSpin has been acquired by Fidelis and the product folded into its Deception line. See the table below for a breakdown of other deception products.

Tips for purchasing a honeynet product as a deception tool

  • Focus on price points first, to match your budget and your expectations. Some products charge per subnet or per endpoint, others have site licenses. Most have free trials after you register your interest. You’ll notice that the pricing column in the table is relatively sparse, and what pricing we could ferret out ranges all over the map. Some vendors declined to provide pricing information. 
  • Examine the level of automation offered in terms of deploying and reconfiguring the network of decoys and honeypots. When you change your actual network configuration, ideally your deception network should mimic these changes.
  • Understand what reports and alerts will come from these systems, and how you will integrate them into your existing network or security operations command centers, log analyzers, or other management tools. While these products have low false positive rates, you still want to know what to do when you get an alert.
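To make the last tip concrete, here is an added example (not the article's code and not from any vendor it names) that reads honeypot events written one JSON object per line, folds them into a single alert per source address, assigns a severity from how far the visitor got, and renders key=value lines that a log analyzer or SIEM can ingest. The sample lines are constructed for this example and modelled on the JSON event format of the open source Cowrie SSH honeypot mentioned at the top of the article; the field names and `eventid` values used are assumptions about that format, not something the article states.

```python
"""Triage honeypot events into SIEM-ready alerts.

Added example, not code from the article or from any vendor it names. The
input is modelled on the JSON lines the open source Cowrie SSH honeypot
writes; the field names used here (eventid, src_ip, session, username,
input, timestamp) are assumptions about that format for this example.
"""
import json
from collections import defaultdict

# Constructed sample log, one JSON event per line, using RFC 5737
# documentation addresses. The last line is deliberately malformed so the
# parser's error handling is exercised.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2018-05-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"root","password":"123456","timestamp":"2018-05-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"root","password":"admin","timestamp":"2018-05-01T10:00:02Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.5","session":"a1","timestamp":"2018-05-01T10:00:03Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","session":"b2","timestamp":"2018-05-01T11:00:00Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.9","session":"b2","username":"admin","password":"admin","timestamp":"2018-05-01T11:00:01Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","session":"b2","input":"uname -a","timestamp":"2018-05-01T11:00:02Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","session":"b2","input":"cat /proc/cpuinfo","timestamp":"2018-05-01T11:00:03Z"}
not json at all
"""


def parse_events(text):
    """Parse one JSON event per line; skip malformed lines instead of aborting,
    since a single bad line must not silence the whole sensor."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Fold events into one alert per source address.

    Severity reflects how far the visitor got: a successful login or any
    command typed is 'critical', repeated failed logins 'high', a bare
    connection 'medium'. Every source gets an alert, because a decoy has
    no legitimate users; the severity only orders the response.
    """
    by_src = defaultdict(lambda: {
        "sessions": set(), "failed_logins": 0, "successful_logins": 0,
        "commands": [], "first_seen": None, "last_seen": None,
    })
    for ev in events:
        src = ev.get("src_ip")
        if not src:
            continue
        rec = by_src[src]
        rec["sessions"].add(ev.get("session"))
        ts = ev.get("timestamp")
        if ts:   # ISO-8601 strings in one format compare correctly as text
            rec["first_seen"] = min(filter(None, [rec["first_seen"], ts]))
            rec["last_seen"] = max(filter(None, [rec["last_seen"], ts]))
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            rec["failed_logins"] += 1
        elif eid == "cowrie.login.success":
            rec["successful_logins"] += 1
        elif eid == "cowrie.command.input":
            rec["commands"].append(ev.get("input", ""))

    alerts = []
    for src, rec in sorted(by_src.items()):
        if rec["successful_logins"] or rec["commands"]:
            severity = "critical"
        elif rec["failed_logins"] >= 2:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "src_ip": src,
            "severity": severity,
            "sessions": len(rec["sessions"]),
            "failed_logins": rec["failed_logins"],
            "successful_logins": rec["successful_logins"],
            "commands": rec["commands"],
            "first_seen": rec["first_seen"],
            "last_seen": rec["last_seen"],
        })
    return alerts


def to_syslog_lines(alerts, sensor="honeypot-01"):
    """Render alerts as flat key=value lines, the shape most log analyzers
    ingest without a custom parser. The sensor name is a placeholder."""
    return [
        f"honeypot sensor={sensor} src={a['src_ip']} severity={a['severity']} "
        f"sessions={a['sessions']} failed={a['failed_logins']} "
        f"success={a['successful_logins']} commands={len(a['commands'])} "
        f"first={a['first_seen']} last={a['last_seen']}"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in to_syslog_lines(triage(parse_events(SAMPLE_LOG))):
        print(line)
```

Run on the constructed sample, the source that logged in and ran commands comes out as `critical` and the one that only tried two passwords as `high`; the severity ladder is where an organisation encodes its own answer to "what do we do when we get an alert".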
[Figure: Report dashboard from the Fidelis Cybersecurity Deception tool]

Copyright © 2018 IDG Communications, Inc.