Honeypots as deception solutions: What to look for and how to buy

Commercial and open source honeypot tools are now effective deception solutions. Here's what you need to know before implementing them.


Honeypots are once again in the news. If you stopped by the Watchguard booth at last month’s RSA Conference in San Francisco, chances are good that you connected with one of its Wi-Fi hotspots. Those hotspots were there to log how many people would try to connect to an open network. Watchguard found that the average length of time spent connected was more than enough to compromise the connection. Recently, researcher Doug Rickert has been experimenting with the open source Cowrie SSH honeypot, writing about it on Medium. He found an average of at least 200 daily attempts, a few of them from serious hackers who tried to penetrate his honeypot further.

The attention is well-deserved, as honeypots can be useful for a wide variety of purposes. They can help locate attackers quickly, provide a new way to automate more offensive cyber security measures, and can be useful even for smaller enterprises that don’t have their own security operations centers or a large IT staff. Now they have been rebranded as cyber deception solutions, sometimes referred to as honeynets.

Setting up a honeynet as a deception solution

Putting up a simple honeypot isn’t difficult, and you can find numerous open source products besides Cowrie, ranging from the original Honeyd to MongoDB and NoSQL honeypots to ones that emulate web servers. Some even appear to be SCADA or other more advanced applications.

The problem is in managing all these decoys. Most of these open-source projects are just running one or two protocols, so you will need your own honeypot army to cover the range of internet services that most modern enterprises use to deliver their applications. Also, each open-source project has its own notification and monitoring scheme, which can be daunting to manage if you are running many different ones across your network.

Once you get serious about deception, you’ll need a solid layer of automation. Ideally, you would like a tool that could automatically discover your existing network resources, assemble a series of decoys that mimic what you have running, and then keep track of what happens to these decoys and report on who reaches out to touch them. What makes a honeypot so compelling is that no real user should ever be seen there: Anyone stopping by is someone who shouldn’t be on your network.
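One way to put that principle into practice, as an added example that is not from the article or from the Cowrie project: a small Python aggregator that reads Cowrie-style JSON events (field names assumed from Cowrie's jsonlog output; the sample lines and addresses are constructed), groups them by source address, and grades each source by how far it got into the decoy, so every touch is reported in one format no matter which honeypot produced it.

```python
import json
from collections import defaultdict

# Constructed sample events in the JSON-lines shape Cowrie writes.
# Field names (eventid, src_ip, session, username, password, input) are
# assumed from Cowrie's jsonlog output; the values are made up.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "a1", "timestamp": "2019-04-01T02:10:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "a1", "username": "root", "password": "123456", "timestamp": "2019-04-01T02:10:02Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "a1", "username": "root", "password": "admin", "timestamp": "2019-04-01T02:10:04Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9", "session": "b2", "timestamp": "2019-04-01T03:00:00Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.9", "session": "b2", "username": "pi", "password": "raspberry", "timestamp": "2019-04-01T03:00:01Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.9", "session": "b2", "input": "uname -a", "timestamp": "2019-04-01T03:00:05Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.9", "session": "b2", "input": "cat /proc/cpuinfo", "timestamp": "2019-04-01T03:00:09Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.44", "session": "c3", "timestamp": "2019-04-01T04:20:00Z"}
"""

def summarize(log_text):
    """Group decoy events by source address and grade how far each one got.

    Because no legitimate user has any reason to reach the decoy, even a bare
    connection ("touched") is worth reporting; credential guessing and
    post-authentication commands are graded higher so they surface first.
    """
    stats = defaultdict(lambda: {"sessions": set(), "logins_failed": 0,
                                 "logins_ok": 0, "commands": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = stats[ev["src_ip"]]
        s["sessions"].add(ev["session"])
        eid = ev["eventid"]
        if eid == "cowrie.login.failed":
            s["logins_failed"] += 1
        elif eid == "cowrie.login.success":
            s["logins_ok"] += 1
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
    report = {}
    for ip, s in stats.items():
        if s["commands"]:
            severity = "post-auth activity"
        elif s["logins_failed"] or s["logins_ok"]:
            severity = "credential guessing"
        else:
            severity = "touched"
        report[ip] = {"sessions": len(s["sessions"]),
                      "logins_failed": s["logins_failed"],
                      "commands": len(s["commands"]),
                      "severity": severity}
    return report
```

Feeding the same function the normalized output of other decoys (a web-server or NoSQL honeypot) is the point of the exercise: one report of who touched what, instead of one notification scheme per tool.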
