Placing an extra, minimally configured VM on each hypervisor, provisioned for the absolute minimum of resources, configured to do nothing but log remotely, and accepting connections only from other machines on the same hypervisor, provides a simple way of gaining visibility into events that never leave the server.
With many security controls still needing to be deployed in-line on physical networks, activity inside the hypervisor that never leaves the virtual switch can go unnoticed for some time. A honeypot system that merely reports what happens to it, and is rolled back to a default state every hour or so, provides easy early warning of attempts by intruders to migrate from system to system within the same hypervisor.
4. The imaginary administrator - Spearphishing requires information about whom to target for maximum effect in malware delivery. For a spearphisher, obtaining the contact details of someone with elevated network access (and additional information with which to social-engineer them into clicking links) is the prime goal of any campaign.
Creating a non-existent person on the internet is easy these days. In the recesses of your public website you might mention a fictional administrator of your two-factor authentication system, provide contact details for them and set up an email inbox, then look closely at everything arriving in that account and cross-reference it with who else in the organization receives email with the same content, originating host, and so on.
Doing this effectively is an art in itself, but many organizations that are high-profile targets for spear phishing use methods such as this to rapidly identify when and where their employees are being targeted.
5. The ghost page - A honeypot does not have to be an entire system; sometimes content itself can do the job, especially content that a normal user would never discover. Most web vulnerability scanning tools request a list of common locations for forms in known-vulnerable web applications.
While common intrusion detection systems will detect these requests (and a good SIEM correlation ruleset can look for these URIs in the logs of the webservers themselves), there is a missing piece of the puzzle: the webserver reports '404 Not Found' for these pages and the scanner moves on to the next system. But what if the webserver responded with a 500 error, indicating that the page is present but a server-side error has occurred? The attacker may stay focused on this one system, wasting their time and effort and providing us with much more information (a technique often referred to in other contexts as 'tarpitting').
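The ghost page idea as an added example (not code from the original article): a small WSGI application that serves real content normally, answers a constructed list of decoy URIs with a deliberate 500 and an alert record, and a correlation helper that flags clients hitting several decoys. The decoy paths, client addresses and threshold are assumptions for the example.

```python
import json
import logging
from wsgiref.simple_server import make_server

# Constructed decoy URIs (assumption): paths no real page of the site uses, so
# only a scanner walking a wordlist will ever request them.
GHOST_PAGES = frozenset({
    "/phpmyadmin/index.php",
    "/admin/login.php",
    "/wp-login.php",
    "/cgi-bin/test.cgi",
})

alerts = []  # in-memory alert store; a real deployment ships these to the SIEM


def ghost_page_app(environ, start_response):
    """WSGI app: real content is served normally; decoy URIs answer 500 and alert."""
    path = environ.get("PATH_INFO", "/")
    client = environ.get("REMOTE_ADDR", "?")
    if path in GHOST_PAGES:
        alert = {"client": client, "path": path,
                 "ua": environ.get("HTTP_USER_AGENT", "")}
        alerts.append(alert)
        logging.warning("ghost-page hit %s", json.dumps(alert))
        # Deliberate 500: tells the scanner "page exists, server broke", so it lingers.
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b"Internal Server Error"]
    if path == "/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"welcome"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not Found"]


def request(path, client, ua="scanner/1.0"):
    """Drive the app in-process (no network); returns (numeric status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])
    environ = {"PATH_INFO": path, "REMOTE_ADDR": client, "HTTP_USER_AGENT": ua}
    body = b"".join(ghost_page_app(environ, start_response))
    return captured["status"], body


def ghost_hits_by_client(alert_records, threshold=2):
    """SIEM-style correlation: clients hitting >= threshold distinct decoys are scanners."""
    seen = {}
    for a in alert_records:
        seen.setdefault(a["client"], set()).add(a["path"])
    return {c: len(p) for c, p in seen.items() if len(p) >= threshold}


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, ghost_page_app).serve_forever()
```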
These honeypot methods, while all cheap to build and deploy, and requiring little additional analysis to make the intelligence they generate useful, are merely the tip of the iceberg of the art and science of building effective honeypot systems. There are few organizations making extensive use of honeypot deployments and those that do are mature enough that they tend toward the more complex installations.
The intimidation factor this creates has led many organizations to forgo honeypots as a security monitoring control. However, there are many levels of sophistication in this technique, and a company does not have to implement something massively complex to obtain valuable information.
The use of honeypots, like everything in information security, is always evolving and the technique has a lot of potential to disrupt attackers by wasting their time and resources, directing them away from their true targets and forcing them to reveal themselves.