Consider a situation where an attacker has gained access to your network. They punched through your firewall, circumvented your DMZ, evaded your SIEM (don't get us started on the fallacy of a SIEM), folded in with your overall behavioral norms, and is now slowly, patiently, and methodically cataloging your assets, determining patch levels, exploiting vulnerabilities. What tool in your arsenal would give you one last fighting chance before they elevate, exfiltrate, and hold your data for ransom?

Before we get to that answer, here is another interesting question you might want to ponder. What one tool, technology, or practice does a covert attacker fear most? In other words, is there something you can deploy that an attacker truly hopes you will not deploy? Interesting question, don't you think?

The answer to what scares an attacker and what tool would give you a last line of defense is the same—a Honeypot.

Honeypots.

There are undoubtedly many myths surrounding honeypots, and maybe that's why they are not as common as other cybersecurity solutions. Yet, these little gremlins are possibly one of the most effective tools you can embrace for your network security.

A well-designed honeypot will detect zero-day attacks, and they will alert regardless of the attacker's desire to be covert or the TTP that they employ. When we spoke to attackers, the number one answer to what they feared encountering on a network the most was a honeypot, especially a Level I honeypot.

A Level I honeypot is designed to alert upon interaction. This means that it is more like a mouse-trap than a stick-trap. The goal of a Level I honeypot is to raise an alert immediately. Unlike Level II and III honeypots, the Level I honeypot does not provide a platform for studying the attacker. The Level I honeypot wastes no time in evaluating the TTP; it simply reacts to any interaction. This immediate cause and effect are why honeypots are such a powerful tool in your arsenal and why attackers fear encountering them.

Think of a situation where an attack evaded every other defense. As we outlined earlier, the attacker is now moving through your network. How they are moving, what tools they are using, really doesn't matter. It doesn't even matter what they are targeting or what vulnerabilities they are trying to exploit. At the moment, I would venture to guess that what you care most about is knowing there is someone doing something that they should not be doing.

A Level I honeypot is designed to address that objective. It does not care about why, how, or what an attacker is doing. It simply cares that someone has interacted with it, and it raises an alert. Often that alert could be the sole voice on your network that gives you the insight you need to take action and fight back.

Honeypot Deployment and Cost

Two concerns about honeypots that are cited are deployment and cost. Regarding deployment, all-too-often people believe that a honeypot is only meant to be deployed to the open internet. If your goal is to perform research, then deploying honeypots on the open internet may make sense. For our purposes, to identify anomalous activity when all else fails, we recommend deploying honeypots on your internal network.

Regarding the cost of honeypots, your mileage may vary. We do not believe you should deploy honeypots to mimic assets on your network. If you deploy this in a real-world environment, even using an open-source solution, your management costs alone could skyrocket. Instead, we recommend deploying a "catch-all" Level I honeypot that is not meant to mimic a specific asset. This vastly increases your chances of identifying an attacker and becomes much easier to manage.

Because we believe that everyone should have access to deception technology, we are offering 50% off a package of honeypots. You’ll get Five Honeypots + training for $4,999 (typically $10,000). You can request a meeting here to discuss your honeypot needs, or reach out to us at info@sensato.co.