Deploy one of these honeypots and you'll soon find out who's attacking you -- and devise a strong defense to fight back

I'm constantly amazed by how many companies don't bother running honeypots, despite evidence that they're incredibly high-value, low-noise defense assets.

A honeypot is a piece of software or a device that exists simply to be attacked. You can take any computer — typically one you're getting ready to decommission because it's old and underpowered — and use it as a honeypot. Because it's no longer a legitimate production asset, no person or service should be connecting to it. When something (such as a hacker or malware) does connect, the honeypot sends an alert that can trigger an immediate incident response.

Honeypots are excellent early-warning systems. After a little fine-tuning, they're incredibly low noise, producing few false positives — unlike firewalls or IDSes (intrusion detection systems). They can easily capture zero-day exploits, freshly minted malware, and roaming APT hackers. Honeypots are great at detecting malicious activity from both outsiders and insiders; they turn up rogue exploits the other tools miss. Best of all, they do it at very low cost with little ongoing maintenance.

Sticky business: Honeypots compared

In preparing for a recent customer engagement, I had the opportunity to check out the latest honeypot technology and see how the players were doing. Unfortunately, no one appears to be getting rich developing honeypot software. Of the 30 or so projects listed by the Honeynet Project, perhaps 90 percent are dead or headed in that direction. That's the bad news.

Glastopf is a low-interaction, open source honeypot that emulates a vulnerable Web server. Running on Python, PHP, and MySQL, Glastopf can emulate literally thousands of vulnerabilities and is intended to be Web crawled, a recognition that today's attackers frequently use search engines to find innocent websites to infect.
Glastopf has GUI management and reporting features, and it's actively maintained and updated.

Specter, a commercial honeypot, hasn't been updated significantly in years, but it's still actively sold and supported. It's GUI-based and has a few interesting features (it updates its own content, has "marker" files that can be used to trace hackers, and more) that make it a honeypot to check out.

I also like the free USB emulation honeypot known as Ghost USB. It mounts as a fake USB drive to enable easier capture and analysis of malware that uses USB drives to replicate. It could come in very handy during the next USB worm outbreak.

But my favorite commercial honeypot, KFSensor, still leads the way by a large margin. It's easily the most feature-rich and mature honeypot product out there. Its developer continues to add new features, and while this post isn't an official Test Center review, I can't find anything else that holds a candle to it. If you want a great commercial honeypot product with enterprise features, KFSensor is it.

Just deploy it

If you're not running a honeypot, now's the time. I can tell you from experience: They work. I've never installed a production honeypot that failed to catch some malicious behavior or software within a few days. If you're worried about zero days, APT hackers, or rogue insiders, you can't beat honeypots as a solid early-warning defense.

I don't care how well the malware is written or how good the hacker is — a malicious actor moving laterally in a network is going to have to at least touch boxes. With a few honeypots deployed in strategic places, it's a lot easier to ferret out the bad guys and their rogue software.

If you're not running one and you claim to care about security, what's your excuse?
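The alerting model the article describes (a box nothing legitimate should touch, so any connection is an alert, with a small allow-list as the "fine-tuning" that keeps it low-noise) as an added, minimal low-interaction TCP honeypot in Python. This is example code written for this page, not code from the article or from Glastopf, Specter, Ghost USB or KFSensor; the allow-listed scanner address is a constructed placeholder.

```python
import socket
import threading
from datetime import datetime, timezone

# Sources allowed to touch the decoy without alerting, e.g. the security team's own
# vulnerability scanner: the "fine-tuning" that keeps it low-noise. Address is constructed.
KNOWN_SCANNERS = {"10.0.0.5"}

def classify_connection(src_ip, dst_port, first_bytes, known_scanners=KNOWN_SCANNERS):
    """Nothing legitimate should ever connect, so every contact is an alert unless the
    source is allow-listed. Returns None, or an alert dict for incident response."""
    if src_ip in known_scanners:
        return None
    # Keep a printable preview of what the client sent: it is evidence, never executed.
    preview = first_bytes[:64].decode("ascii", errors="replace")
    preview = "".join(c if c.isprintable() else "." for c in preview)
    return {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": src_ip, "dst_port": dst_port, "preview": preview,
            "severity": "high" if first_bytes else "medium"}  # payload beats a bare probe

class Honeypot:
    """Binds decoy TCP ports, answers nothing, and reports every connection."""
    def __init__(self, ports, on_alert, bind_addr="0.0.0.0"):
        self.on_alert, self.stop, self.sockets = on_alert, threading.Event(), []
        for p in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_addr, p)); s.listen(5); s.settimeout(0.5)
            self.sockets.append(s)
        self.ports = [s.getsockname()[1] for s in self.sockets]  # port 0 -> OS-chosen
        self.threads = [threading.Thread(target=self._serve, args=(s,), daemon=True)
                        for s in self.sockets]
        for t in self.threads: t.start()

    def _serve(self, srv):
        while not self.stop.is_set():
            try:
                conn, (src_ip, _) = srv.accept()  # accept timeout lets us poll the stop flag
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try: data = conn.recv(512)  # whatever the client sends first, if anything
                except (socket.timeout, OSError): data = b""
            alert = classify_connection(src_ip, srv.getsockname()[1], data)
            if alert: self.on_alert(alert)  # hand to SIEM or paging; here just a callback
        srv.close()

    def close(self):
        self.stop.set()
        for t in self.threads: t.join()
```

Run it as `Honeypot([2222, 8080], print)` on a decommissioned box to get an alert line for every touch; a "high" alert carries the first bytes the client sent, which is usually enough to tell a port scan from an exploit attempt.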