Why every security-conscious organization needs a honeypot
by Corey Nachreiner - WatchGuard's Director of Security Strategy and Research - Wednesday, 27 August 2014.
You've probably heard the phrase about "canaries in a coal mine." In the mid 1900s, a guy named John Haldane figured out that birds die pretty quickly when poisoned by carbon monoxide, after which coal miners started using them as early warning systems for toxic gas. We need the same for computer security. No defense is infallible, so organizations need digital canaries to warn us about poisoned networks.

When you think about the layers of security your business needs, you probably think about firewalls, authentication systems, intrusion prevention, antivirus, and other common security controls. However, I suspect few think about honeypots. That's a shame, as honeypots make perfect network security canaries, and can improve any organization's defense.

As an infosec professional, you've probably heard of a honeypot: a digital trap set to catch computer attacks in action. In essence, honeypots are systems that mimic resources that might entice an attacker, while in reality they're fake systems designed to contain and monitor attacks. In the same vein, a honeynet is just a collection of different honeypots.

There are many different varieties of honeypots, each designed to recognize and observe diverse types of attacks. Some catch network attacks (Honeyd), others catch web application attacks (Glastopf), and some are designed to collect and observe malware (Dionaea). You can check out The Honeynet Project for a fairly complete list of different kinds of honeypots.

These different honeypots also have varying levels of depth. For instance, a low-interaction honeypot might just emulate basic network services, perhaps only presenting a service banner and command prompt, but not offering much interaction to potential attackers (which makes them easier for attackers to detect). High-interaction honeypots, by contrast, can imitate full server systems, tricking hackers into carrying their attacks further and allowing you to analyze them in depth.

With all the different varieties to choose from, each with varying levels of capability, honeypots might sound a little overcomplicated and perhaps too cumbersome for a small organization. In fact, some of the research-focused ones are certainly overkill for anyone but security academics. However, you don't need the most complex, feature-packed honeypot for our simple purpose.

A production honeypot is a relatively low maintenance system, primarily used to detect attacks (rather than fully emulate and analyze them). Production honeypots make great network canaries. Over the years, production honeypots have evolved and become much easier for the average Joe to deploy. While most honeypots began as command line Linux packages, requiring manual installation and configuration, new solutions have surfaced making these packages more user-friendly, even for Linux newbies.
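To make the "network canary" idea concrete, here is an added example of the smallest useful production honeypot: a low-interaction listener that presents a service banner on a port nothing legitimate should ever touch, records who connected and what they sent, and emits a structured alert. This is illustration code written for this article, not code from the author, WatchGuard, or any of the honeypot projects named above. The SSH-style banner text, the default port 2222, and the JSON-to-stdout alert sink are assumptions chosen for the example; in practice you would point the sink at your SIEM or syslog.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Assumed settings for the canary. The banner only needs to look like a real
# service; since no legitimate client ever uses this port, ANY connection is a signal.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
DEFAULT_PORT = 2222        # assumption: unused on the host running the canary
MAX_CAPTURE = 256          # keep only the first bytes an intruder sends


def build_alert(src_ip, src_port, payload, dst_port, when=None):
    """Turn one connection into an alert record suitable for a SIEM or syslog."""
    when = when or datetime.now(timezone.utc)
    text = payload[:MAX_CAPTURE].decode("ascii", errors="replace").strip()
    return {
        "ts": when.isoformat(),
        "event": "honeypot_touch",      # one event type: contact with the canary
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "bytes": len(payload),
        "first_line": text.splitlines()[0] if text else "",
    }


class CanaryListener:
    """Low-interaction TCP honeypot: send a banner, capture the first bytes, alert."""

    def __init__(self, host="127.0.0.1", port=DEFAULT_PORT, sink=None):
        self.alerts = []                                     # in-memory copy of every alert
        self.sink = sink or (lambda a: print(json.dumps(a)))  # default: JSON line on stdout
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.host, self.port = self._sock.getsockname()      # port 0 resolves to a free one

    def handle_one(self):
        """Accept a single connection, capture what it sends, and raise an alert."""
        conn, (ip, sport) = self._sock.accept()
        with conn:
            conn.settimeout(2.0)          # never let a slow client tie up the canary
            conn.sendall(BANNER)
            try:
                data = conn.recv(MAX_CAPTURE)
            except socket.timeout:
                data = b""                # connect-and-hang scans are still worth alerting on
        alert = build_alert(ip, sport, data, self.port)
        self.alerts.append(alert)
        self.sink(alert)
        return alert

    def handle_one_in_background(self):
        """Run handle_one on a thread; the caller joins it when done (used by tests)."""
        t = threading.Thread(target=self.handle_one, daemon=True)
        t.start()
        return t

    def serve_forever(self):
        while True:
            self.handle_one()

    def close(self):
        self._sock.close()


def probe(host, port, line):
    """Constructed client standing in for a scanner: read the banner, send one line."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(line)
    return banner


if __name__ == "__main__":
    # Stand-alone use: listen on the assumed port and print one JSON alert per contact.
    CanaryListener().serve_forever()
```

The value of this design is in what it refuses to do: it offers no real shell, parses nothing, and closes every connection after a few hundred bytes, so there is little for an attacker to exploit and nothing for you to maintain. Detection rests entirely on the rule that the port has no legitimate users, so one alert is one incident to triage.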

For instance, lately a number of Live CD distributions have come out specifically made for honeypots and honeynets. Rather than having to install a Linux distribution (distro) from scratch, and configuring everything yourself, these live honeypot distros have everything set up and ready to go. All you have to do is boot from a USB key or spin-up a virtual machine. Best of all, these honeypot distros are free. Three great examples include: HoneyDrive, Active Defense Harbinger Distribution (ADHD) and Stratagem.
