- Honeypot network security plays an interesting role in the modern enterprise.
- There are many different products available within this space.
- Follow our tips to learn how to choose the right kind of deception product for your business.
The original idea behind honeypot security was to place a server on some random Internet link and sit back and wait until some hacker happened by. The server’s sole purpose would be to record the break-in attempt — it would not be part of a normal applications infrastructure. Then a researcher would observe what happened to the server and what exploit was being used. “A honeypot is essentially bait (passwords, vulnerabilities, fake sensitive data) that’s intentionally made very tempting and accessible. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to your network,” says this post on Varonis’ blog.
The practice is more than two decades old and over that time period, a number of vendors have gotten into this corner of the market. These vendors provide specialized deception services and extend the honeypot concept beyond passive listening to more active security measures. Let’s look at this evolution and show you how you can use deception to improve your own enterprise security.
Honeypots thrive because hackers probe networks from the Internet so constantly. A few years ago, the researcher Doug Rickert began experimenting with the open-source Cowrie SSH honeypot. He documented an average of at least 200 daily hacking attempts, a few of which were more serious attempts to enter his network. And recently, researchers set up a honeypot network and it got filled with ransomware and other malware within days. What was interesting about this latter honeypot was that it mimicked an electrical company with operations in North America and Europe to make it more enticing for hackers. It worked.
Honeypots Typically Have Two Goals
- Reduce the dwell time of any attacker or malware on your network. This allows you to detect and close any breach as quickly as possible. The faster you are notified about an attacker roaming your routers, the better.
- Complement your network protection tools and find any gaps in them that hackers can exploit. The key word in this sentence is “complement.” Honeypots shouldn’t be your only security solution, and they should work with your existing gear to find these gaps.
Think of it this way: if firewalls are the door locks to prevent access, honeypots are the motion sensors that are inside your home to detect intruders who have managed to pick your locks or find an open window.
In the past several years, the concept of honeypots has been extended to what the vendors now call “deception solutions.” Rather than running a simple automated utility on a single PC instance, these tools deploy large numbers of them and configure the honeypots to match precise specifications and mimic particular specialized applications. The more complex products also do other jobs to make their operations appear as realistic as possible to lure potential hackers and simulate a complete business network running multiple applications, such as customer billing systems and employee databases.
Different Types of Honeypots
Over the years there have been specialized types of honeypots, including:
- Honeynets, which are entire networks composed of honeypot servers.
- Email traps, which contain fake email addresses that are only used to snare hackers. This is probably one of the earliest known uses of honeypots, as documented by Cliff Stoll in his book The Cuckoo’s Egg.
- Malware honeypots that initially don’t contain any malware but are configured to be attractive for hackers to deposit malware on them, such as the fake electric utility example cited earlier. These could also be called high-interaction honeypots that are designed to keep hackers busy exploring the honeypot and extract more intelligence about their intentions and identity.
- Honeyclients, which are unpatched web browsers typically running ancient versions that are hunters rather than lures — these tools actively seek out dangerous sites and locate browser-based attacks. These older browser versions are examples of vulnerabilities that you should stamp out by requiring your end-users to keep their browsers up to date.
The best honeypots will be very realistic copies of real systems, with the same warning messages, the same data fields and the same look and feel of your actual production applications. The only difference is that they use fake data.
How to Buy a Honeypot Solution
We have put together a table of the leading commercial honeypot/deception vendors below. Here are a few other suggestions on how to find the right product that meets your needs.
- Focus on price points first, to match your budget and your expectations. Some products charge per subnet or per endpoint, others have site licenses. Most have free trials after you register your interest. If the price points on the commercial tools are daunting — or if you don’t want to reveal your interest to a vendor’s sales team — you can find numerous open-source projects besides Cowrie, including the original Honeyd and honeypots that emulate MongoDB and other NoSQL databases.
- Examine the level of automation offered in terms of deploying and reconfiguring the network of decoys and honeypots. When you change your actual network configuration, your deception network should ideally mimic these changes. This automation should reduce the time to deploy your decoys and get things up and running, and also make your decoys more realistic so they’re more useful.
- Understand that every product will create false positives. Ideally, you want this number to be as low as possible, so you aren’t chasing down phantom breaches. Still, most honeypots have lower false-positive rates than the typical intrusion detection system.
- Know what reports and alerts will come from these systems, and how you will integrate them into your existing network or security operations command centers, log analyzers or other management tools.
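As an added example (not from the article or from any vendor or project named in it), here is what the last two points look like in practice for the Cowrie SSH honeypot mentioned earlier: parse Cowrie's JSON event log, count login attempts per day as in the Rickert experiment, and turn decoy interactions into alerts a security operations center can consume. Field names follow Cowrie's JSON output; the log lines and addresses are constructed for this example, and the severity rules are an assumption of the example, not a Cowrie feature.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample in the style of Cowrie's JSON log (field names follow
# Cowrie's cowrie.json output; addresses, sessions and times are made up).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","timestamp":"2021-03-01T02:14:07Z","src_ip":"198.51.100.23","session":"a1"}
{"eventid":"cowrie.login.failed","timestamp":"2021-03-01T02:14:09Z","src_ip":"198.51.100.23","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.session.connect","timestamp":"2021-03-01T11:40:00Z","src_ip":"203.0.113.5","session":"b2"}
{"eventid":"cowrie.login.success","timestamp":"2021-03-01T11:40:02Z","src_ip":"203.0.113.5","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-01T11:40:05Z","src_ip":"203.0.113.5","session":"b2","input":"uname -a"}
{"eventid":"cowrie.session.connect","timestamp":"2021-03-02T09:01:00Z","src_ip":"10.0.4.17","session":"c3"}
{"eventid":"cowrie.login.failed","timestamp":"2021-03-02T09:01:01Z","src_ip":"10.0.4.17","session":"c3","username":"backup","password":"backup"}
"""
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
# Assumed internal address space; adjust to your own RFC 1918 allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse JSON-lines output; a torn line from log rotation is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if line.strip():
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                continue
    return events


def daily_login_attempts(events):
    """Login attempts per UTC day: the 'attempts per day' figure from the text."""
    return Counter(e["timestamp"][:10] for e in events if e["eventid"] in LOGIN_EVENTS)


def build_alerts(events):
    """Return (severity, src_ip, session, commands) tuples for a SOC queue.
    critical: any session from an internal address (nothing legitimate touches a
              decoy, so the source is probably an already-compromised host).
    high: any successful login, with whatever was typed in that session.
    Failed logins from the Internet are background noise and only counted above."""
    typed = defaultdict(list)  # session id -> commands entered
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            typed[e["session"]].append(e["input"])
    alerts = []
    for e in events:
        ip, sess = ipaddress.ip_address(e["src_ip"]), e["session"]
        if e["eventid"] == "cowrie.session.connect" and any(ip in n for n in INTERNAL_NETS):
            alerts.append(("critical", e["src_ip"], sess, typed[sess]))
        elif e["eventid"] == "cowrie.login.success":
            alerts.append(("high", e["src_ip"], sess, typed[sess]))
    return alerts
```

Feeding the alert tuples to your SIEM or ticketing system is the integration step the article asks you to plan for; the per-day counter gives the baseline noise figure against which you can judge a vendor's false-positive claims.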
Honeypot Network Security Products and Services
| Product/URL | Main Features | Pricing (Where Disclosed) |
| --- | --- | --- |
| Acalvio ShadowPlex | Cloud-based decoy delivery of a variety of different types. | Not disclosed. |
| Attivo | A variety of tools including decoy botnets, cloud-based network and endpoint protection and playbook management. | Per endpoint. |
| Bad Packets | A global network to detect botnets and malware, including Mirai. | $50-$500/month. |
| Countercraft | Automated distributed decoys. | Not disclosed. |
| Cymmetria MazeRunner | Very specific honeypots, deployed as VMs, that emulate Cisco ASA and Oracle CVEs. | Not disclosed. |
| Fidelis/TopSpin Deception | Connects to a SPAN port to automatically profile a network; places breadcrumbs on real assets as lures. | Starts at $35,000 for 32 VLANs; runs on-premises, in the cloud or via an MSP. |
| Illusive Networks | Wide variety of decoys, including network, systems, apps and data. | $60/user/year, but varies depending on number of endpoints. |
| SafeBreach | Orchestrates typical attack patterns. | Not disclosed. |
| Smokescreen Illusion Black | Hundreds of decoys centrally managed across various types: servers, endpoints and networks. | Starts at $200,000. |
| Thinkst Canary | Different profiles to mimic real servers, centrally managed. | $7,500/year for five licenses. |