The Joys of Honeypotting


Time to talk about one of my favourite concepts in cyber security: honeypots. I don’t know why, but the idea of honeypotting an attacker has always held a special place in my mind, as a way to attack the attacker.

But first, some term clarifications.

Honeypot: a decoy system intentionally designed to look like a legitimate target within the organisation’s network. Think server workloads and applications.

Honeynet: a network of connected honeypots that mimics how a real network segment, or a cluster of applications or workloads, would look to an attacker.

That’s the basics. Next you need to consider what the aim of the honeypot is, which broadly falls into two categories:

Corporate Honeypot: set up to mimic your corporate environment, with the aim of studying attacks and being alerted when one happens.

Research Honeypot: used by researchers to study attack methods and create defences based on what they learn.

At their core, all honeypots use the same technique: they lure attackers to them like a moth to a flame. This lets the defenders see the attackers and learn their techniques. But perhaps the most important part of any honeypot is that once an attacker engages it, the defenders are alerted to their presence. In cyber security this single piece of information alone can have a massive impact, because it helps alleviate alert fatigue. A confirmed attacker, regardless of technique, is the first piece of information you need when defending.
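The alerting principle above, as an added example that is not part of the original post and not Innoculator’s code: a decoy service has no legitimate users, so any connection to it is treated as a confirmed attacker, and every other connection from that source is then tagged rather than lost in the noise. The decoy addresses, the allowlist for the organisation’s own vulnerability scanner (which will legitimately touch decoys), and the flow-log lines are all constructed for the illustration.

```python
"""Minimal honeypot alerting logic (added illustration, not the post's or
Innoculator's code).  Decoys receive no legitimate traffic, so a single
touch is a high-fidelity alert; the source is then marked as a confirmed
attacker and its other activity is surfaced for investigation."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


class HoneypotSensor:
    def __init__(self, decoys, allowlist=()):
        # decoys: {(dst_ip, port)} of services that exist only to be hit.
        self.decoys = set(decoys)
        # allowlist: CIDRs of scanners/monitoring that may touch decoys
        # without being attackers (otherwise every scan is a false alert).
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.confirmed = set()   # source IPs that have touched a decoy
        self.alerts = []

    def _allowed(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allow)

    def observe(self, ts, src, dst, port):
        """Return an Alert for this flow, or None if it is unremarkable."""
        if (dst, port) in self.decoys:
            if self._allowed(src):
                return None
            self.confirmed.add(src)
            alert = Alert(ts, src, dst, port, "decoy-touch")
        elif src in self.confirmed:
            # Not a decoy, but the source is already a known attacker:
            # this is the lateral movement the honeypot just exposed.
            alert = Alert(ts, src, dst, port, "confirmed-attacker-activity")
        else:
            return None
        self.alerts.append(alert)
        return alert


def parse_flow(line):
    # Constructed flow-log format: "<ts> <src> -> <dst>:<port>"
    ts, src, _, rest = line.split()
    dst, port = rest.rsplit(":", 1)
    return ts, src, dst, int(port)


# Constructed sample: 10.0.1.250:445 is a decoy SMB host, 10.0.0.0/28 is
# the (hypothetical) internal scanner range, 10.0.9.99 is an intruder.
SAMPLE_FLOWS = [
    "12:00:01 10.0.5.20 -> 10.0.1.10:443",
    "12:00:02 10.0.9.99 -> 10.0.1.10:443",
    "12:00:05 10.0.9.99 -> 10.0.1.250:445",
    "12:00:06 10.0.9.99 -> 10.0.1.11:3389",
    "12:00:07 10.0.0.5 -> 10.0.1.250:445",
    "12:00:08 10.0.5.20 -> 10.0.1.11:3389",
]


def run_sample():
    """Feed the constructed flows through the sensor; return (reason, src, dst, port)."""
    sensor = HoneypotSensor(decoys={("10.0.1.250", 445)},
                            allowlist=["10.0.0.0/28"])
    out = []
    for line in SAMPLE_FLOWS:
        alert = sensor.observe(*parse_flow(line))
        if alert:
            out.append((alert.reason, alert.src, alert.dst, alert.port))
    return out


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

Note that the second flow from 10.0.9.99 (to the real web server on 443) produced nothing on its own; only after the decoy touch did the RDP connection from the same host become an alert. That is the "one confirmed attacker" signal doing the work the post describes.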

With this in mind, honeypots are an ideal method for detection (if done right). They are typically simplified, tightly controlled environments, so abnormalities are easy to monitor for and spot. So why aren’t they used more often? There are a few reasons:

  • They are difficult to set up and can be costly to maintain
  • They potentially create additional attack surface to be exploited
  • They may raise some legal or ethical concerns

These are all valid reasons why organisations do not employ them as much as they perhaps should. Ultimately the idea typically gets put in the “nice to have, but too hard” basket.

However, one of the advantages the Innoculator approach of virtual patching brings is that you gain some of the benefits of a honeypot while also improving your security posture for unpatched software. Why? When an attacker is looking over your infrastructure and planning their next step (lateral movement), part of their process is identifying unpatched servers, workloads or software that they can easily exploit. When they do this they will still see those unpatched vulnerabilities, which will be an enticing prospect for them. But when they try to exploit one, Innoculator not only blocks and alerts you to the attack; you now also know there is an attacker inside your network.

So by using Innoculator to virtually patch your unpatched systems (and legacy applications), you are effectively turning them into a corporate honeynet.
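The virtual-patch-as-honeynet idea in the last two paragraphs, as an added example that is not part of the original post and not Innoculator’s code: a hypothetical legacy application keeps answering exactly as the unpatched software it is (a scanner still sees the old banner), but a filter in front of it blocks requests that would reach the vulnerable code path and records the source as an internal attacker. The two rules, the `LegacyApp/1.2` banner and the sample requests are constructed stand-ins for a vendor’s real signatures.

```python
"""Virtual patching that doubles as a honeynet (added illustration; not the
post's or Innoculator's code, and the rules below are constructed).  The
legacy service is left looking unpatched, so it still attracts interest,
while the filter blocks the exploitation attempt and names the source."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str
    method: str
    path: str
    headers: dict


@dataclass
class Alert:
    src: str
    rule: str
    path: str


# Constructed rules standing in for a vendor virtual patch.  Each returns a
# rule name when the request would reach the unpatched code path.
def rule_traversal(req: Request) -> Optional[str]:
    return "path-traversal" if ".." in req.path else None


def rule_oversized_header(req: Request) -> Optional[str]:
    # Stand-in for "input larger than the buffer the old code assumes".
    too_big = any(len(v) > 256 for v in req.headers.values())
    return "oversized-header" if too_big else None


RULES = (rule_traversal, rule_oversized_header)


def legacy_handler(req: Request):
    # Hypothetical unpatched app.  Its banner is unchanged on purpose: a
    # scan still reports an old, tempting version.
    if req.path in ("/", "/index.html"):
        return (200, "Server: LegacyApp/1.2")
    return (404, "Server: LegacyApp/1.2")


def virtual_patch(req: Request):
    """Return ((status, body), Alert-or-None) for one request."""
    for rule in RULES:
        name = rule(req)
        if name:
            # Block before the legacy code sees it, and report the source.
            return (403, "blocked"), Alert(req.src, name, req.path)
    return legacy_handler(req), None


# Constructed traffic: a normal user, then an intruder who first probes the
# version and then tries to exploit what the banner advertised.
SAMPLE_REQUESTS = [
    Request("10.0.5.20", "GET", "/index.html", {}),
    Request("10.0.9.99", "GET", "/", {}),
    Request("10.0.9.99", "GET", "/../../etc/passwd", {}),
    Request("10.0.9.99", "GET", "/index.html", {"X-Forwarded-For": "A" * 300}),
]


def run_sample():
    """Return (list of status codes, list of Alerts) for SAMPLE_REQUESTS."""
    statuses, alerts = [], []
    for req in SAMPLE_REQUESTS:
        resp, alert = virtual_patch(req)
        statuses.append(resp[0])
        if alert:
            alerts.append(alert)
    return statuses, alerts


def internal_attackers(alerts):
    """Distinct sources that tripped a virtual patch: your confirmed intruders."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    statuses, alerts = run_sample()
    print(statuses)
    for a in alerts:
        print(f"{a.src} tripped {a.rule} on {a.path}")
    print("internal attackers:", internal_attackers(alerts))
```

The version probe from 10.0.9.99 is served normally and still shows the old banner, which is the lure; the two exploitation attempts are rejected, and `internal_attackers` gives the single fact the post says matters most: which host inside the network is attacking.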