- “Everything is honey
- I can’t get enough
- Of lots and lots of lots and pots
- Of sticky, licky, stuff”
-Winnie the Pooh (song lyric)
Winnie the Pooh is a seemingly naïve fictional teddy bear, but it becomes apparent that he is actually thoughtful, clever and creative. His simplicity is deceptive, and founded in common sense. So, while we tend to think of Winnie the Pooh with his hand in a jar of honey, it is really his character, not his actions, that help us understand the concept of honeypots in the information security landscape.
Honeypots are systems placed in corporate networks to appear legitimate and functional, but which are really designed to serve as an early-warning system for malicious intrusion, particularly malware and other automated modes of attack. The honeypot is like an old Western stage set, a system that looks authentic and is “furnished” with dummy data and services representative of the operational needs of a business. It is also a ghost town, hosting no actual users on a day-to-day basis. There is, however, a sheriff, in the form of firewall logs, system logs and packet sniffers, waiting to mobilize on the day the bad guys show up for a cyber showdown.
What does that mean in a technical sense? Imagine a virtual system set up inside your firewall that is configured to look like part of your real network, but has no active users. When an attack occurs, your regular business systems carry so much traffic that it is difficult to spot anomalies in the many gigabytes of log files produced by dozens or hundreds of people every day. But since a honeypot is never meant to be used for typical business transactions, every connection its logs register is an exception: at best a misconfigured client or an authorized vulnerability scanner, and otherwise reconnaissance or an attack in progress. The system serves as a warning system for hostile activity across your network and provides data that can be analyzed to help you identify and remediate a breach.
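The triage logic this paragraph describes, as an added example that is not code from the original article: firewall log lines are filtered down to the handful that touch a honeypot address, a known internal scanner is suppressed so it does not drown the signal, and internal sources are rated higher than external ones because a host inside the perimeter has no business talking to the decoy. The honeypot addresses, the allow-listed scanner, the netfilter-style log layout and the sample lines are all constructed for the demonstration.

```python
"""Triage honeypot contacts out of ordinary firewall logs.

Added example, not code from the original article. Addresses, the log
layout and the allow-list are assumptions made up for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: the decoy addresses and the one host (a vulnerability scanner)
# that is permitted to touch them.
HONEYPOT_ADDRS = {"10.20.30.40", "10.20.30.41"}
AUTHORIZED_SOURCES = {"10.0.0.5"}

# RFC 1918 ranges; a source in one of these is inside the perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in a netfilter-style layout; not real traffic.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw1 kernel: ACCEPT SRC=10.0.0.5 DST=10.20.30.40 PROTO=TCP SPT=51012 DPT=22
Jan 12 03:14:09 fw1 kernel: ACCEPT SRC=10.0.1.23 DST=10.20.30.40 PROTO=TCP SPT=40122 DPT=445
Jan 12 03:14:09 fw1 kernel: ACCEPT SRC=10.0.1.23 DST=10.20.30.40 PROTO=TCP SPT=40123 DPT=3389
Jan 12 03:14:10 fw1 kernel: ACCEPT SRC=10.0.1.23 DST=10.20.30.41 PROTO=TCP SPT=40124 DPT=445
Jan 12 03:14:11 fw1 kernel: ACCEPT SRC=10.0.2.77 DST=10.20.30.9 PROTO=TCP SPT=33000 DPT=443
Jan 12 03:14:12 fw1 kernel: DROP SRC=203.0.113.9 DST=10.20.30.41 PROTO=TCP SPT=6000 DPT=22
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields of one firewall line, or None if it is not a flow record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def honeypot_contacts(log_text, honeypots=HONEYPOT_ADDRS, authorized=AUTHORIZED_SOURCES):
    """Group every contact with a honeypot address by source host.

    Dropped packets count too: a SYN the firewall rejected is still a probe.
    An internal source is rated high, because nothing inside the perimeter
    has a reason to talk to the decoy; that pattern usually means a
    compromised host scanning for lateral movement.
    """
    by_src = defaultdict(lambda: {"hits": 0, "targets": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in honeypots:
            continue                      # ordinary business traffic, ignore
        if rec["src"] in authorized:
            continue                      # known scanner; keep the signal clean
        entry = by_src[rec["src"]]
        entry["hits"] += 1
        entry["targets"].add(rec["dst"])
        entry["ports"].add(rec["dpt"])
    for src, entry in by_src.items():
        entry["severity"] = "high" if is_internal(src) else "medium"
    return dict(by_src)


def triage_report(log_text):
    """One line per offending source, highest severity first."""
    contacts = honeypot_contacts(log_text)
    order = {"high": 0, "medium": 1}
    lines = []
    for src in sorted(contacts, key=lambda s: (order[contacts[s]["severity"]], s)):
        e = contacts[src]
        lines.append(
            f"{e['severity'].upper():6} {src:15} hits={e['hits']} "
            f"targets={sorted(e['targets'])} ports={sorted(e['ports'])}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LOG)))
```

Run as a script it prints two lines: the internal host 10.0.1.23, which swept SMB and RDP across both decoys, comes first as HIGH, and the external address that sent one rejected SYN to port 22 follows as MEDIUM. The scanner at 10.0.0.5 and the ordinary HTTPS session to a non-honeypot address produce nothing, which is the point: the honeypot's log is short enough to read in full.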
As a defense mechanism, honeypots can be invaluable, but like any other tool they need to be properly configured and maintained. There are several levels of complexity that can be applied to a honeypot system, ranging from a “low interaction” system, typically a virtual machine that emulates only a service banner or a login prompt, which is relatively easy to set up but provides limited information, to a complex “high interaction” system that runs real operating systems and services, requires more resources to design and maintain, but yields a wealth of data and is harder for hackers to fingerprint as a decoy. Both types are meant to deceive the attacker into thinking that the environment is real, to keep them there awhile as they continue to attempt to penetrate it and steal data, and, most importantly, to enable the network owner to monitor and track the hacker's malicious actions for further analysis. The trade-off cuts both ways: a high-interaction honeypot that really can be compromised must be isolated so that it cannot become the attacker's foothold into the rest of the network.
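A low-interaction honeypot of the kind just described, as an added example that is not code from the original article or from any named honeypot project: a listener that hands out an SSH banner, records the client's first bytes, and hangs up. Every connection becomes a log record, since there are no legitimate users; and because the decoy never proceeds to key exchange, the same example shows why a low-interaction system is easy to fingerprint. The banner string, port, record format and the loopback probe helper are assumptions made for the demonstration.

```python
"""A minimal low-interaction honeypot: an SSH banner with nothing behind it.

Added example, not code from the original article or from any named honeypot
project. The banner string, port and record format are assumptions.
"""
import socket
import threading
import time

# Assumed banner, chosen to look like a common server; a real deployment
# would copy the exact banner of the hosts it sits next to.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"


def make_record(peer, client_data):
    """Turn what a client sent into a log record. Pure function, easy to test."""
    text = client_data.decode("latin-1", "replace")
    first = text.splitlines()[0].strip() if text.strip() else ""
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0],
        "src_port": peer[1],
        "client_banner": first,
        "speaks_ssh": first.startswith("SSH-"),   # real client or SSH-aware scanner
        "bytes": len(client_data),
    }


class BannerHoneypot:
    """Listen, hand out a banner, record the client's first bytes, hang up.

    Every connection is logged: there are no legitimate users, so every
    record is an alert. Low interaction means the decoy never proceeds to
    key exchange, which is also how an attentive scanner can fingerprint it.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=SSH_BANNER):
        self.banner = banner
        self.records = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0: let the OS pick (handy for tests)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def serve_one(self, timeout=5.0):
        """Handle a single connection and return its record."""
        self.sock.settimeout(timeout)
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(timeout)
            conn.sendall(self.banner)       # the lure
            try:
                data = conn.recv(256)       # whatever the client says first
            except socket.timeout:
                data = b""
        rec = make_record(peer, data)
        self.records.append(rec)
        return rec

    def close(self):
        self.sock.close()


def simulate_probe(payload, timeout=5.0):
    """Run the decoy on loopback, connect to it as a scanner would, and
    return (banner the client saw, record the honeypot wrote)."""
    hp = BannerHoneypot()
    t = threading.Thread(target=hp.serve_one, kwargs={"timeout": timeout})
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", hp.port), timeout=timeout) as c:
            seen = c.recv(256)
            c.sendall(payload)
        t.join(timeout)
    finally:
        hp.close()
    return seen, hp.records[0]


if __name__ == "__main__":
    banner, rec = simulate_probe(b"SSH-2.0-masscan\r\n")
    print(banner.decode().strip(), rec)
```

In production the listener would loop on serve_one, bind to port 22 on the decoy address, and ship each record to the same log pipeline as the firewall events; the record's speaks_ssh flag separates genuine SSH tooling from a scanner that blindly threw an HTTP request at the port.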
“Whether creating a network ‘lure’ to identify hackers probing your corporate space or establishing an early warning and detection system to serve as the canary of your security framework, honeypots can be very valuable,” says Matt Rosentrater, Master Cybersecurity Consultant at Tekkis. “By providing information about an attack, they not only have a direct benefit of informing you of an attack, but also enable clear insight on building a stronger defensive position across your ‘real’ network assets.”
As Winnie the Pooh discovered, it is difficult not to follow the call of the honeypot when the craving for a snack is strong. Honeypots can be used as an important line of defense and detection in on-premises network and cloud environments alike. It is a relatively simple concept that yields sweet rewards in terms of easy access to, and interpretation of, data when a breach is identified. While it does not stand alone as a single security silver bullet, it is part of a comprehensive toolkit for managers to employ in their cybersecurity battle. And at Tekkis, we’re always prepared to guide and support strategic and tactical initiatives across your enterprise security infrastructure, from prevention through breach detection and recovery.