While a lot of work, honey pots are one of the most effective ways of pre-empting serious security breaches.
Honey pots — lures full of tempting information designed to catch intruders — can give data center security professionals insight into what attackers are looking for and what tools and techniques they’re using.
Plus, a good honey pot has no false negatives. If it catches someone, you know they’re up to no good and your networks have been infiltrated.
“Some of the things that people do are very clever and crafty, and they can be great little infinite loops for attackers to fall into,” said Neil Weitzel, director of security research at Cygilant. “And others are just noisy solutions to make sure that people go there first.”
A honey pot can also serve as an early warning system for a data center, providing a heads-up about new attacks, he said.
For example, security teams can grab the IP addresses the attacks are coming from and block those addresses from the rest of the environment, said Stephen Coty, chief security evangelist at Alert Logic.
Similarly, if the attackers are using a new type of exploit or malware in the honey pot, a company can make sure that protections are in place.
“That’s good, useful information in helping to protect the rest of your environment,” he said.
Coty said that he’s often seen honey pots in large public data centers or service providers. But they’re less common in smaller and private data centers, he said.
Setting up honey pots can be very time consuming and expensive and take specialized skills.
“Sophisticated hackers will go for specific targets in the environment,” said Israel Barak, CISO at Cybereason. “There’s no rationale for just moving into things just because they seem vulnerable.”
That makes the job of building honey pots even harder.
“Honey pots need to be built in a matter that weaves them into the day-to-day operational fabric of the infrastructure, not something that sits to the side and pretends to be vulnerable,” he said.
Where honey pots do make sense is for security researchers who are constantly on the lookout for new attack vectors, malware, and evasion techniques.
Plus, companies usually have plenty of other, more basic security-related tasks to take care of first.
Instead of full-scale honey pots, Barak suggests using scaled-down lures.
One alternative is to use bait files, individual documents with tempting titles located in strategic places but invisible to normal users. If someone tries to open, encrypt, or exfiltrate them, that’s a sign that there’s an attack going on.
“That process needs to be terminated immediately, because there’s no legitimate use of these files,” he said.
“You’re basically creating a whole other environment that tries to look like your regular environment,” said Alton Kizziah, VP of global managed services at Kudelski Security. “It’s a lot of work, and you have to keep the systems updated to keep them looking like they’re real.”
A cheaper, more light-weight approach to accomplishing the same goals is deception technology, which is part of the actual technology environment. It doesn’t require the creation and management of separate fake networks, servers, and endpoints, so it’s easier to deploy and keep up to date, said Kizziah, whose company makes a deception product.
Not only is the false-positive rate extremely low, he said, but deception works even if the attacker suspects that they’re being played.
“It makes them start taking their time trying to figure out what’s real and not and causes them to slow down,” he said. “It’s a win, because you have more time to detect them.”
For companies that don’t have the bandwidth to set up even a scaled-back deception system, there are vendors that offer deception as a service.
EventTracker’s HoneyNet, for example, is designed for small and mid-market enterprises.
“Technology is only 15 percent of what you need,” said A.N. Ananth, CEO at EventTracker. The rest is people and time.
“Without services, most enterprises cannot get to the outcomes they want from a deception network,” he said.