Honeypots can divert malicious traffic from critical systems, detect attacks before they reach those systems, and collect attack intelligence without exposing actual data. They can be used to identify attacker tactics, techniques, and procedures (TTPs) and to gather forensic and legal evidence. However, not all honeypots are created equal. Choosing the right honeypot solution for your organization depends on several factors.
Depending on the attack patterns IT teams want to observe, many types of honeypots exist. A low-interaction honeypot mimics an actual computer system and lures cybercriminals into attacking it. It does this by deploying applications and data that emulate services attackers frequently target. A low-interaction honeypot can emulate anything from a web server to an SQL server, or it can be more complex and simulate an entire operating system, as Honeyd does. Low-interaction honeypots do not replace prevention techniques, but they offer valuable intelligence. They can reveal adversaries’ tactics and help organizations adapt existing security protocols. They can also reveal the presence of malware that prevention systems often miss. By identifying malicious activity early, companies can react quickly to stop breaches in progress. Another benefit of low-interaction honeypots is that they are less likely to be spoofed by sophisticated attacks, because they are not as distinguishable from a production system, which makes them less attractive to advanced adversaries.
To ensure a positive ROI on the time and resources needed for a honeypot solution, the solution must capture enough quality incidents to make it worthwhile. Ideally, we want to see an incident rate of 1 or higher, meaning that for every hour you invest in the system, you will likely uncover at least one quality incident. To achieve this, many organizations deploy medium-interaction honeypots, known as “simulators” or “strategy honeypots.” These solutions offer the attacker more interaction than a low-interaction honeypot but still less than a high-interaction honeypot. Medium-interaction honeypots typically simulate a limited number of network services and implement enough of the relevant Internet protocols to let the attacker interact with them. As a result, they are more likely to capture the kind of advanced activity typically seen only on real production systems, from new rootkits to international IRC sessions. However, they are generally more challenging to set up and operate than low-interaction honeypots. Deploying a blend of low- and medium-interaction honeypots is recommended: the low-interaction honeypots collect basic information on threat types, while the medium-interaction honeypots gather more in-depth intelligence on the nature of sophisticated threats, their communication, and their intentions. This approach is beneficial for detecting mass network scanning, identifying compromised internal hosts, and tracking malware propagation.
High-interaction honeypots lure attackers deeper and capture intelligence on sophisticated attack techniques. They use real operating systems and applications, not simulated ones. Large enterprises and cybersecurity research teams use these honeypots to learn how attackers operate. These systems are often configured to look like various databases and enterprise information services and may also contain data that appears to be confidential. This allows security researchers to observe attackers as they interact with the system and can lead to the identification of vulnerabilities that could otherwise be exploited. This type of honeypot can be a very effective solution for detecting malicious activity, diverting it away from critical systems, or simply collecting forensic and legal evidence without risking the integrity of an organization’s production environment. They are also relatively inexpensive to deploy compared to other solutions, since they can run on minimal hardware or even on old computers repurposed for the purpose. However, before you choose this type of solution, it’s essential to consider your ROI. Consider how many quality incidents your solution uncovers each month and how much time you invest in its management. If it takes too long to find a single incident, the solution is probably not worth the investment.
Low-interaction honeypots mimic vulnerable services and enticing attack scenarios without exposing a real operating system to an attacker. As such, they are designed to lure attackers and malware into a simulated environment that cannot be fully exploited, thus protecting real systems on the network. These emulators offer limited access to an attacker but can capture attacks and the resulting information with minimal deployment effort, cost, risk, and management complexity. A good low-interaction honeypot can look so authentic to an attacker that they will be tempted to attack it. Once they do, the decoy can gather helpful intelligence about the attacker, including their tools, tactics, and techniques. Honeypots can also be deployed to detect malware propagation and provide alerts about known threats. However, if a honeypot is targeted with a fingerprinting attack, an attacker may be able to identify that it is not real, which may cause them to move on to attacking other production systems. It is, therefore, essential to deploy a honeypot solution that looks as realistic as possible and to ensure the honeypots are configured to respond only to specific attack patterns. This reduces the risk of a false alarm while increasing the chances of capturing unknown vulnerabilities, allowing security teams to identify new tools and tactics that they have not seen before.
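To make the low-interaction model concrete, here is an added illustration (not code from the original article or from any honeypot product) of the core of a low-interaction decoy: an emulated login shell that accepts any credentials, replies only with canned strings, never executes input, and turns each session into a structured event that records the credentials tried, the commands issued, and which attack stage the session reached. The hostname, canned output, and sample session are all constructed, and the addresses are from documentation ranges.

```python
import json
from datetime import datetime, timezone

# Canned output only: the decoy never executes input, it replays fixed strings,
# which is what keeps a low-interaction honeypot unexploitable. Values are constructed.
CANNED = {
    "uname -a": "Linux fileserver01 4.15.0-142-generic #146-Ubuntu x86_64 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "ls": "backup.tar.gz  customers.db  notes.txt",
}
BANNER = "fileserver01 login: "
PROMPT = "root@fileserver01:~# "


def run_session(src_ip, lines, now=None):
    """Replay one session's input lines through the emulator.

    Returns (responses, event): what the decoy sends back, and a structured
    record (credentials tried, commands issued, attack stage) for the SIEM.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    responses, creds, commands = [BANNER], [], []
    state, pending_user = "login", None      # login -> password -> shell
    for raw in lines:
        line = raw.strip()
        if state == "login":
            pending_user, state = line, "password"
            responses.append("Password: ")
        elif state == "password":
            creds.append((pending_user, line))   # accept anything: we want what follows
            state = "shell"
            responses.append(PROMPT)
        elif line:
            commands.append(line)
            fallback = f"bash: {line.split()[0]}: command not found"
            responses.append(CANNED.get(line, fallback) + "\n" + PROMPT)
    if commands:
        stage = "post-login activity"
    elif creds or pending_user is not None:
        stage = "credential guessing"
    else:
        stage = "scan/probe"          # connect and leave: typical of mass scanning
    event = {"ts": ts, "src_ip": src_ip, "stage": stage,
             "credentials": creds, "commands": commands}
    return responses, event


if __name__ == "__main__":
    # Constructed sample session from a documentation-range address.
    _, ev = run_session("203.0.113.5", ["admin", "admin123", "uname -a", "ls", "cat notes.txt"])
    print(json.dumps(ev))
```

Wiring `run_session` to a listening socket is the only piece left out; the point is that every response is fixed and every input is recorded, so the decoy yields TTP intelligence without ever giving the attacker anything real to exploit.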