The original idea behind honeypot security was to place a server on some random Internet link and sit back and wait until some hacker happened by. The server’s sole purpose would be to record the break-in attempt — it would not be part of a normal applications infrastructure. Then a researcher would observe what happened to the server and what exploit was being used. “A honeypot is essentially bait (passwords, vulnerabilities, fake sensitive data) that’s intentionally made very tempting and accessible. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to your network,” says this post on Varonis’ blog.
The practice is more than two decades old and over that time period, a number of vendors have gotten into this corner of the market. These vendors provide specialized deception services and extend the honeypot concept beyond passive listening to more active security measures. Let’s look at this evolution and show you how you can use deception to improve your own enterprise security.
Honeypots thrive because the Internet is being used so frequently by hackers to try to penetrate your network. A few years ago, the researcher Doug Rickert began experimenting with the open-source Cowrie SSH honeypot. He documented an average of at least 200 daily hacking attempts, a few of which were more serious attempts to enter his network. And recently, researchers set up a honeypot network and it got filled with ransomware and other malware within days. What was interesting about this latter honeypot was that it mimicked an electrical company with operations in North America and Europe to make it more enticing for hackers. It worked.
Think of it this way: if firewalls are the door locks to prevent access, honeypots are the motion sensors that are inside your home to detect intruders who have managed to pick your locks or find an open window.
In the past several years, the concept of honeypots has been extended to what the vendors now call “deception solutions.” Rather than running a simple automated utility on a single PC instance, these tools deploy large numbers of them and configure the honeypots to match precise specifications and mimic particular specialized applications. The more complex products also do other jobs to make their operations appear as realistic as possible to lure potential hackers and simulate a complete business network running multiple applications, such as customer billing systems and employee databases.
Over the years there have been specialized types of honeypots, including:
The best honeypots will be very realistic copies of real systems, with the same warning messages, the same data fields and the same look and feel of your actual production applications. The only difference is that they use fake data.
We have put together a table of the leading commercial honeypot/deception vendors below. Here are a few other suggestions on how to find the right product that meets your needs.
Honeypot Network Security Products and Services
|Product/URL||Main Features||Pricing (Where Disclosed)|
|Acalvio ShadowPlex||Cloud-based decoy delivery of a variety of different types.||Not disclosed.|
|Attivo||A variety of tools including decoy botnets, cloud-based network and endpoint protection and playbook management.||Per endpoint.|
|Bad Packets||A global network to detect botnets and malware, including Mirai.||$50-$500/month.|
|Countercraft||Automated distributed decoys.||Not disclosed.|
|Cymmetria MazeRunner||Very specific honeypots to emulate Cisco ASA, Oracle CVEs which are deployed as VMs.||Not disclosed.|
|Fidelis/TopSpin Deception||Connects to span port to automatically profile a network, places breadcrumbs on real assets as lures.||Starts at $35,000 for 32 vLANs, runs on-prem, in the cloud or MSP.
|Illusive Networks||Wide variety of decoys, including network, systems, apps and data.||$60/user/year but varies depending on number of endpoints.|
|SafeBreach||Orchestrate typical attack patterns.||Not disclosed.|
|Smokescreen Illusion Black||Hundreds of decoys centrally managed across various types: servers, endpoints and networks.||Starts at $200,000.|
|Thinkst Canary||Different profiles to mimic real servers, centrally managed.||$7,500/year for five licenses.|