Honeypots are another tool in the toolbox for proactive cybersecurity leaders looking to get insight into what the bad guys are doing and help mitigate organizational risks.
In cybersecurity, we spend a lot of time focusing on preventative controls — patching vulnerabilities, implementing secure configurations, and performing other “best practices” to mitigate risk to our organizations. These are great and necessary, but something must be said about getting an up close and personal look at real-world malicious activities and adversarial behavior.
One of the best ways to do this is to use honeypots. The National Institute of Standards and Technology (NIST) defines honeypots as: “A system or system resource that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears.” It’s an amusing — and appropriate — coincidence that many advanced persistent threat groups have the word “bear” in their names.
Honeypots generally refer to entire systems or environments. Honeytokens, on the other hand, are often specific files, data, and other objects that are used similarly, serving as decoys to entice malicious actors and gain valuable information about them. That said, for this article, and to avoid granular differences, we will broadly use the term honeypots.
Why use a honeypot?
Preventative controls are critical, aligning with industry trends and broader intelligence from groups such as Information Sharing and Analysis Centers (ISAC), but there are a number of valuable reasons to also use honeypots (and the associated honeytokens), not the least of which is that very little can compare to direct threat intelligence drawn from your own organization, operational environment, and systems.
Cybersecurity defenders can use honeypots and their variants to get direct insight into the tools, techniques, and procedures (TTP) of the malicious actors actually targeting their organization.
Honeypots are often deployed in a constrained and controlled environment within a broader organizational architecture. This lets defenders capture specific forensic evidence for analysis and further research and provide crucial early risk indicators. These may be attempts to probe networked resources, access sensitive data, or exploit vulnerable systems.
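To make the "early risk indicator" idea concrete, here is an added example (not from the article): a planted decoy credential, or honeytoken, that no legitimate service uses, together with a scan of access logs that turns any use of it into a forensic record of who presented it, when, and against which resources. The token value, the log line format and the sample log lines are all constructed for illustration.

```python
"""Honeytoken detector: flag any use of a planted decoy credential in access logs."""
import re
from dataclasses import dataclass

# Constructed decoy credential. It is planted (config file, wiki page, env var)
# but never wired into a real service, so any appearance in logs is unauthorized.
HONEYTOKEN = "AKIA-HONEY-0000DECOY"

# Constructed sample log lines: source, timestamp, request, status, auth value.
SAMPLE_LOG = """\
203.0.113.7 - [10/Mar/2024:08:15:02 +0000] "GET /api/health HTTP/1.1" 200 auth=-
198.51.100.23 - [10/Mar/2024:08:16:41 +0000] "GET /api/customers HTTP/1.1" 401 auth=AKIA-HONEY-0000DECOY
203.0.113.7 - [10/Mar/2024:08:17:10 +0000] "POST /api/login HTTP/1.1" 200 auth=-
198.51.100.23 - [10/Mar/2024:08:17:55 +0000] "GET /api/export HTTP/1.1" 403 auth=AKIA-HONEY-0000DECOY
"""

# Assumed log layout; adjust the pattern to the real log source.
LINE_RE = re.compile(
    r'^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)

@dataclass(frozen=True)
class HoneytokenHit:
    src: str
    ts: str
    method: str
    path: str
    status: int

def scan_for_honeytoken(log_text, token=HONEYTOKEN):
    """Return one HoneytokenHit per log line in which the decoy was presented."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["auth"] != token:
            continue
        hits.append(HoneytokenHit(m["src"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits

def summarize(hits):
    """Group hits by source address: one indicator per actor, listing the paths probed."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, []).append(h.path)
    return by_src

if __name__ == "__main__":
    for src, paths in summarize(scan_for_honeytoken(SAMPLE_LOG)).items():
        print(f"ALERT honeytoken presented from {src}: {paths}")
```

Because the decoy is never legitimately used, the detection has essentially no benign baseline, which is what makes a single hit a high-confidence early indicator rather than one more alert to triage.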
This is especially useful given that CISA’s recent report found the most commonly exploited vulnerabilities are increasingly zero-days, meaning they were not publicly known at the time of exploitation. Organizations therefore need indicators and insight beyond known vulnerabilities and previously observed exploitation activity.
The insights gained through honeypots can be used by defenders to adopt additional security measures or modify existing security controls and tooling to account for the malicious activities they actually observe.