September 17, 2018

Three Reasons Why Honeypots Should be on Your Cybersecurity Menu

Honeypots offer fast breach detection, forensics, and sweet, sweet counter measures. That’s why they’re the one thing cyber attackers fear and CISOs should be sure to include in the cybersecurity mix.

Takeaways:

  • You can catch cyber attackers, watch their activity, and use it against them
  • You can spot a breach faster
  • You don’t have to DIY to get an integrated, scalable solution

It’s strange. The concept of a “honeypot” is well known (an isolated and monitored server that appears to be a high value target, drawing attackers away from the real assets).
Yet, it’s not a word you see a lot when reviewing cybersecurity best practices.
Is it because of how characters like Elliot on “Mr. Robot” (the USA Network series) make it look like only a genius could program it? Or does it look like something only an organization with top-secret clearance would need?


Regardless of the “why?” the fact remains that a honeypot should be one of any organization’s top go-to’s for cybersecurity, along with firewalls, anti-virus programs, and all the other usual suspects.
“We asked attackers on both sides of the law what really scares them,” says Sensato CEO and cybersecurity expert John Gomez. “It wasn’t intrusion detection or firewalls, because they can get around those. One thing that does scare them is honeypots. They know they can be hard to spot and if they touch one, they’re caught.”

Three reasons why honeypots should be on your cybersecurity menu

1. You can have the joy of turning the tables: The “fun” part of installing honeypots is that you get to flip the script on your attackers. While they’re safely contained in a honeypot, you can sit back and watch their exploits. You can study their tactics, using that information to strengthen your defenses. Then, you can counter-attack. Sweet!

  • Tip for creating effective honeypots: Don’t cheap out! Attackers will smell a rat if they see a different type of server. Make sure each honeypot “looks” like the rest of your system.

2. You can spot a breach faster: Honeypots with built-in breach detection alarms can quickly send out alerts so your team can mobilize, analyze, and cut off any further access.

  • Tip for getting a good return on your honeypot investment: Decide in advance what type of data you want to capture and how you want to use it. This will help you and your cybersecurity partner target exact placement and types of honeypots.

3. It doesn’t have to be DIY: You don’t have to be the expert in all things, and you certainly don’t have to write the code yourself (a la Elliot/Mr. Robot). A good cybersecurity partner can help you assess your assets, recommend placement of honeypots, handle the integration, and provide the monitoring.

  • Tip for getting the most out of the data captured: Make sure all data captured by your honeypots is streamed to your existing IT security systems.

“We already know from past experience that one of the first things cyber attackers will do is scan the network, cataloging everything on it so they know what to target and how,” says Gomez. “So, honeypots offer a critical line of protection as well as a source of incredibly powerful information.”


A prime example: a cybersecurity group recently set a honeypot that looked like a major energy provider’s network. When it was breached, the attackers didn’t use malware; they used standard capabilities built into modern operating systems. So, if the breached “network” had not been a honeypot, the attackers could have stayed in the system without detection indefinitely.

What should you demand in a honeypot solution

Early intrusion detection: The average attack takes 14 minutes. When your organization is under attack, every second counts. While you can get a BDA solution separately, having it integrated into your honeypot/s is critical. A honeypot solution that includes BDAs is even better. Ask your cybersecurity partner if your honeypots can be connected to their ops center for best coverage and response.

Forensic collection: More than just alerting you to an intrusion, a honeypot allows you to monitor and track the attackers’ activities. You want a honeypot that gives you full transparency, along with the ability to turn your forensic analysis into action.

Counter-attack: Using forensic analytics, a good honeypot should give you tools for responding to the attack. Because of the speed and ferocity of cyberattacks, your honeypot should provide automated counter measures, as well as machine learning or even AI capabilities.

Integration: You can’t expect all your people to work together if your tools don’t work together. Look for a solution that provides a single view of everything on your security system and allows you to manage your entire organizational readiness from one screen in real time.
