Commercial and open source honeypot tools are now effective deception solutions. Here’s what you need to know before implementing them.

[Image credit: Marcobeltrametti (Own work)]

Honeypots are once again in the news. If you stopped by the WatchGuard booth at last month’s RSA Conference in San Francisco, chances are good that you connected with one of its Wi-Fi hotspots. Those hotspots were there to log how many people would try to connect to an open network. WatchGuard found that the average length of time spent connected was more than enough to compromise the connection. Recently, researcher Doug Rickert has been experimenting with the open source Cowrie SSH honeypot, writing about it on Medium. He found an average of at least 200 daily attempts, a few of them from serious hackers who tried to penetrate his honeypot further.

The attention is well-deserved, as honeypots can be useful for a wide variety of purposes. They can help locate attackers quickly, provide a new way to automate more offensive cyber security measures, and can be useful even for smaller enterprises that don’t have their own security operations centers or a large IT staff. Now they have been rebranded as cyber deception solutions, sometimes referred to as honeynets.

Setting up a honeynet as a deception solution

Putting up a simple honeypot isn’t difficult, and you can find numerous open source products besides Cowrie, from the original Honeyd to MongoDB and NoSQL honeypots to ones that emulate web servers. Some even appear to be SCADA or other more advanced applications.

The problem is in managing all these decoys. Most of these open-source projects run just one or two protocols, so you will need your own honeypot army to cover the range of internet services that most modern enterprises use to deliver their applications. Also, each open-source project has its own notification and monitoring scheme, which can be daunting to manage if you are running many different ones across your network.
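To illustrate the monitoring problem above, here is an added example (not code from the article or from the Cowrie project) that turns Cowrie's one-JSON-object-per-line log into one alert record per session, so many honeypots can feed a single queue. It assumes Cowrie's standard event names and fields; the log lines, IPs and session ids are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample in Cowrie's JSON log format; IPs, sessions and credentials are made up.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2023-11-28T09:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"123456","timestamp":"2023-11-28T09:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"admin","timestamp":"2023-11-28T09:00:03Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","session":"a1","timestamp":"2023-11-28T09:00:04Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"b2","timestamp":"2023-11-28T09:05:00Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","session":"b2","username":"admin","password":"admin","timestamp":"2023-11-28T09:05:01Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"b2","input":"uname -a","timestamp":"2023-11-28T09:05:02Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"b2","timestamp":"2023-11-28T09:05:20Z"}
not json at all
"""

def parse_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not stop alerting on the rest
    return events

def summarize_sessions(events):
    """One alert record per Cowrie session. Every session is worth an alert, since no
    legitimate user belongs on a decoy; sessions that got past authentication and ran
    commands are marked high so they can be triaged first."""
    sessions = defaultdict(lambda: {"src_ip": None, "login_attempts": 0, "logged_in": False,
                                    "commands": 0, "first_seen": None, "last_seen": None})
    for ev in events:
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        s["first_seen"] = s["first_seen"] or ev.get("timestamp")
        s["last_seen"] = ev.get("timestamp") or s["last_seen"]
        eid = ev.get("eventid", "")
        s["login_attempts"] += eid in ("cowrie.login.failed", "cowrie.login.success")
        s["logged_in"] |= eid == "cowrie.login.success"
        s["commands"] += eid == "cowrie.command.input"
    alerts = []
    for sid, s in sessions.items():
        sev = "high" if s["commands"] else "medium" if s["logged_in"] else "low"
        alerts.append({"session": sid, "severity": sev, **s})
    return alerts
```

The first_seen/last_seen pair gives the per-session dwell time the article wants to minimise, and the same record shape can be emitted from other honeypots' logs so one dashboard covers the whole decoy fleet.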
Once you get serious about deception, you’ll need a solid layer of automation. Ideally, you would like a tool that could automatically discover your existing network resources, assemble a series of decoys that mimics what you have running, and then keep track of what happens to these decoys and report on who reaches out to touch them. What makes a honeypot so compelling is that no real user should ever be seen there: anyone stopping by is someone who shouldn’t be on your network.

Deception network goals

The goal of these deception networks is threefold:

1. Reduce the dwell time of any attacker or malware on your network. This allows you to detect and close any breach. The faster you are notified about an attacker roaming your routers, the better. As hackers are getting more adept at hiding in plain sight, using fileless malware and polymorphic techniques that don’t leave many fingerprints behind, you want more sophisticated methods to find them. The deception products all claim a very low false-positive rate, so when they alert you to something fishy, you will know it requires you to take appropriate action. This can be appealing for smaller IT shops that don’t want to build out a 24/7 security monitoring center of their own.

[Image: Sample report showing alerts from the Illusive deception tool]

2. Complement your network protection tools and find any gaps in them. Having a series of honeypots spread around your network helps find these wormholes so you can beef up your security accordingly and so you can use their results for more defensive intelligence as well. Some enterprises use deception tools to help train their red teams’ searching abilities.

3. Reduce the time to deploy your decoys and get things up and running. You don’t necessarily have the skills, time, or resources to do it yourself. Some tools have very realistic decoys and a wide range of decoy types, including ATM terminals and SCADA controllers, all to appear more like real running computers. For example, TrapX has a wide range of sandbox integration support, including Cisco AMP Threat Grid, McAfee ATD, Palo Alto Networks WildFire, ThreatTrack, and Cuckoo.

The more realism, the better at trapping and keeping a hacker engaged for a long time. Why is this important? Because then you can obtain more forensic data on who is penetrating your network and the methods that they use. This is why some tools come with their own forensics package or other analysis engines.

Honeypot types

Ideally, a deception network should include all four of the following honeypot types, what one vendor calls “deception in depth”:

- Pure systems that are running the actual operating systems and have special taps to monitor interactions.
- High-interaction honeypots that typically make use of virtual machines (VMs) or other emulations.
- Low-interaction honeypots that use more bare-bones VMs and are designed to only simulate a particular aspect of a resource or server.
- Breadcrumbs or lures, which are copies of files, credentials stored in particular memory locations, or registry keys that try to simulate what is normally found on a real user’s machine, often used as bait.

CSOonline tested four professional-grade deception services about a year ago: TrapX Security, Cymmetria, Illusive Networks, and TopSpin Security. Since then, TopSpin has been acquired by Fidelis and the product folded into its Deception line. See the table below for a breakdown of other deception products.

[Table: Honeynet products and services]

Tips for purchasing a honeynet product as a deception tool

- Focus on price points first, to match your budget and your expectations. Some products charge per subnet or per endpoint, others have site licenses. Most have free trials after you register your interest. You’ll notice that the pricing column in the table is relatively sparse, and what pricing we could ferret out ranges all over the map. Some vendors declined to provide pricing information.
- Examine the level of automation offered in terms of deploying and reconfiguring the network of decoys and honeypots. When you change your actual network configuration, ideally your deception network should mimic these changes.
- Understand what reports and alerts will come from these systems, and how you will integrate them into your existing network or security operations command centers, log analyzers, or other management tools. While these products have low false positive rates, you still want to know what to do when you get an alert.

[Image: Report dashboard from the Fidelis Cybersecurity Deception tool]