It’s strange. The concept of a “honeypot” is well known (an isolated, closely monitored server that looks like a high-value target, drawing attackers away from the real assets and revealing them the moment they touch it).
Yet, it’s not a word you see a lot when reviewing cybersecurity best practices.
Is it because of how characters like Elliot on “Mr. Robot” (the USA Network series) make it look like only a genius could program it? Or does it look like something only an organization with top-secret clearance would need?
Regardless of the “why?”, the fact remains that a honeypot should be one of any organization’s standard defenses, right alongside firewalls, anti-virus software, and all the other usual suspects.
“We asked attackers on both sides of the law what really scares them,” says Sensato CEO and cybersecurity expert John Gomez. “It wasn’t intrusion detection or firewalls, because they can get around those. One thing that does scare them is honeypots. They know they can be hard to spot and if they touch one, they’re caught.”
1. You can have the joy of turning the tables: The “fun” part of installing honeypots is that you get to flip the script on your attackers. While they are contained in an isolated honeypot, you can sit back and watch what they do. You can study their tactics and use that information to strengthen your defenses. Then you can counter: block the source, cut off the access it gained, and close the gaps it tried to exploit. Sweet!
2. You can spot a breach faster: Because a honeypot has no legitimate users, any connection to it is suspicious. Honeypots with built-in breach detection alarms (BDAs) can send out alerts the moment that happens, so your team can mobilize, analyze, and cut off any further access.
3. It doesn’t have to be DIY: You don’t have to be the expert in all things, and you certainly don’t have to write the code yourself (à la Elliot on “Mr. Robot”). A good cybersecurity partner can help you assess your assets, recommend placement of honeypots, handle the integration, and provide the monitoring.
“We already know from past experience that one of the first things cyber attackers will do is scan the network, cataloging everything on it so they know what to target and how,” says Gomez. “So, honeypots offer a critical line of protection as well as a source of incredibly powerful information.”
A prime example: a cybersecurity group recently set up a honeypot that looked like a major energy provider’s network. When it was breached, the attackers didn’t use malware; they used standard capabilities built into modern operating systems, so there was no malicious file for anti-virus to flag. Had the breached “network” not been a honeypot, the attackers could have stayed in the system undetected indefinitely.
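The two points above (a decoy has no legitimate users, so every touch is a true positive, and a scanner cataloging the network gives itself away by hitting several decoy ports in quick succession) can be demonstrated in a few dozen lines. The following is an added example written for this page, not Sensato’s product or any code the article describes. It assumes you choose which decoy ports to listen on, and that the `allow` list contains your own monitoring or vulnerability-scanning hosts so they do not trip the alarm; the IP addresses and banners in the test data are constructed.

```python
"""Minimal honeypot touch detector (example code added for this article).

A decoy port has no legitimate users, so every connection is a true positive
("touch").  A source that hits several decoy ports inside a short window is
additionally reported as a scanner, and the first bytes each connection sent
are kept as forensic evidence.
"""
import socket
import threading
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Touch:
    ts: float                 # epoch seconds
    src_ip: str
    dst_port: int
    first_bytes: bytes = b""  # what the attacker sent, kept for forensics


@dataclass(frozen=True)
class Alert:
    kind: str        # "touch" or "scan"
    src_ip: str
    ports: tuple     # decoy ports involved
    evidence: tuple  # raw first_bytes of each connection involved


class DecoyDetector:
    def __init__(self, scan_threshold=3, window=60.0, allow=()):
        self.scan_threshold = scan_threshold   # distinct decoy ports => "scan"
        self.window = window                   # seconds over which touches count
        self.allow = frozenset(allow)          # assumption: your own scanners/monitors
        self._by_src = defaultdict(list)
        self._scan_reported = set()

    def ingest(self, t: Touch):
        """Record one connection to a decoy; return the alerts it produces."""
        if t.src_ip in self.allow:
            return []
        hist = self._by_src[t.src_ip]
        hist.append(t)
        # Forget touches that fell out of the window.
        hist[:] = [h for h in hist if t.ts - h.ts <= self.window]
        # Any touch of a decoy is an alert in its own right.
        alerts = [Alert("touch", t.src_ip, (t.dst_port,), (t.first_bytes,))]
        ports = sorted({h.dst_port for h in hist})
        if len(ports) >= self.scan_threshold and t.src_ip not in self._scan_reported:
            self._scan_reported.add(t.src_ip)   # one scan alert per source
            alerts.append(Alert("scan", t.src_ip, tuple(ports),
                                tuple(h.first_bytes for h in hist)))
        return alerts


def containment_command(alert: Alert) -> str:
    """Automated countermeasure: a perimeter firewall rule dropping the source.
    Containment, not hacking back; feed this to the firewall you control."""
    return f"iptables -I INPUT -s {alert.src_ip} -j DROP"


def serve_decoy(port, detector, on_alert, bind="0.0.0.0", stop=None):
    """Listen on one decoy port, capture the first bytes of each connection,
    and hand every touch to the detector.  `stop` is an optional threading.Event."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    srv.settimeout(1.0)   # wake periodically so the stop flag is honoured
    while stop is None or not stop.is_set():
        try:
            conn, (src_ip, _) = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(2.0)
            try:
                data = conn.recv(256)
            except (socket.timeout, OSError):
                data = b""
        for alert in detector.ingest(Touch(time.time(), src_ip, port, data)):
            on_alert(alert)
    srv.close()


if __name__ == "__main__":
    # Decoy ports are an assumption; pick ones that look plausible on your network.
    det = DecoyDetector(scan_threshold=3, window=60.0, allow={"10.0.0.5"})
    stop = threading.Event()
    for p in (2222, 8080, 3389):
        threading.Thread(target=serve_decoy, args=(p, det, print),
                         kwargs={"stop": stop}, daemon=True).start()
    print("decoys listening; Ctrl-C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        stop.set()
```

Run it and `nc` one of the decoy ports from another host: the first connection yields a `touch` alert carrying whatever the client sent, and the third distinct port within a minute yields a `scan` alert listing all ports touched, which is exactly the network-cataloging behaviour Gomez describes. Tune `window` and `scan_threshold` to how fast a scanner would realistically sweep your segment.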
Early intrusion detection: The average attack takes 14 minutes. When your organization is under attack, every second counts. While you can buy breach detection alarms (BDAs) separately, having them integrated into your honeypots is critical; a honeypot solution that includes them is better still. Ask your cybersecurity partner whether your honeypots can be connected to their operations center for the best coverage and response.
Forensic collection: More than just alerting you to an intrusion, a honeypot lets you monitor and record the attackers’ activities. You want a honeypot that gives you full visibility into what they did, along with the ability to turn that forensic analysis into action.
Counter-attack: Using forensic analytics, a good honeypot should give you tools for responding to the attack. Because of the speed and ferocity of cyber attacks, your honeypot should provide automated countermeasures (for example, cutting off an attacker’s access as soon as a decoy is touched), as well as machine learning or AI capabilities.
Integration: You can’t expect all your people to work together if your tools don’t work together. Look for a solution that provides a single view of everything on your security system and allows you to manage your entire organizational readiness from one screen in real time.