Hunting hackers with honeypots

What would it take to gain an upper hand in our efforts to thwart attackers and limit the damage they can cause?

While preventive techniques are necessary, they are not sufficient. Additionally, with cyber attacks, time is of the essence.

In this post, I discuss a strategy that uses “honeypots” - which are designed to purposely engage and deceive hackers while identifying malicious activities - to combine effective deterrence, timely detection, and dynamic deflection to help mitigate and analyse today’s advanced threats.

Effective deterrence

Cyber criminals look for the easiest available path when determining where their exploits will succeed. This means organisations that limit their exposure to exploitable vulnerabilities are less likely to qualify as targets for these attackers.

The Target data breach from 2013 is a prime example of this behaviour. The hackers found a very simple way in, by stealing the credentials of air-conditioning and refrigeration contractors at several of Target’s stores. From there the hackers tunnelled across into Target and gained access to the POS terminals. The lack of effective policy governing the attack surface meant they could lie undetected as they stole millions of people’s credit card data. There are clear ways to stop people employing this tactic.

Reducing the attack surface begins with an adaptive security model where granular policies tied to individual workloads ensure that those workloads are only allowed to access resources necessary for the application’s legitimate purpose. The underlying principle here is to move from a blacklist model of “blocking the bad and implicitly allowing everything else” to a whitelist model that “explicitly permits the good and denies everything else.”

This containment approach applied at a fine-grained level effectively reduces the attack surface from the entire network behind the perimeter down to a specific workload.

If we take the OPM breach as an example, inquiries have revealed that the malicious actors had lain within the network for between 4 and 6 months and were only discovered after an upgrade of security detection and monitoring tools. Over these longer periods of time, it would have been possible to spot the activity earlier and direct it to a honeypot. Had the specialists employed adaptive security that redirects traffic to honeypots, they could have had a closer look, to understand whether the activity was legitimate or if it was something to be concerned about.

As leaked data continued to be uncovered months after the first announcements, the OPM staff missed a trick by not gathering the right intelligence when the first breach came about.

Timely detection and dynamic deflection

It takes organisations far too long to detect cyber attacks. In fact, most companies take more than six months to detect a data breach. A granular, whitelist approach to enforcing policies on individual workloads means potential attacks are immediately detected since there is a precise sense of what a valid transaction is.

Any deviations from prescribed behaviour can immediately trigger a series of mitigating actions, including dynamically rerouting the connections to strategically placed honeypots. This can buy an organisation the time it needs to analyse attacks within a closely monitored environment.

Honeypots can be used to trap hackers and gather intelligence on their methods. By letting a hacker inside a controlled environment – a small part of the network that can be compromised, where no useful or valuable data is stored – an organisation is able to study and analyse the methods they used to poke around, giving them a head start on what the attackers will try next time. The honeypot has become a ‘honeytrap’, coaxing hackers into deploying their sophisticated tools for security teams to document and dissect. A great source of knowledge – so long as the hacker is unaware they’re being watched.

Making honeypots more effective with adaptive security

One reason why honeypots aren’t deployed more extensively is that there is no opportunity for analysis if they are not in the path of an attack. At the same time, placing them in the open can generate excessive “noise” from hackers probing anything with connectivity. Rather than passively waiting for the honeypots to be attacked, an adaptive security strategy can redirect attacks to the honeypots.

Another major concern for honeypot designers is that once a honeypot is compromised, it can be used as a platform to attack and infiltrate other systems or organisations. Adaptive security, which takes security down to an individual workload level, can isolate and safeguard these honeypots.
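The per-workload allow-list, deviation detection and deflection described under “Timely detection and dynamic deflection”, together with the honeypot isolation point just above, as one added illustration (constructed here, not Illumio’s product code; the workload names, the `honeypot-pos-01` decoy and the `Flow`/`AdaptivePolicy` types are assumptions for the example):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed illustration, not Illumio's product code. Each workload carries
# its own allow-list of inbound (peer, port, protocol) tuples; anything not
# explicitly listed is a deviation that is deflected to a decoy workload.

HONEYPOT = "honeypot-pos-01"  # hypothetical decoy workload name

@dataclass
class Workload:
    name: str
    allowed: Set[Tuple[str, int, str]] = field(default_factory=set)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str

class AdaptivePolicy:
    def __init__(self, workloads: Dict[str, Workload], honeypot: str):
        self.workloads = workloads
        self.honeypot = honeypot
        self.alerts: List[str] = []  # what a SOC would see per deviation

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Return (action, destination) for one connection attempt."""
        # Isolation: the decoy may receive deflected traffic but must never
        # reach a real workload, so it can't become a pivot if compromised.
        if flow.src == self.honeypot:
            self._alert(flow, "honeypot egress blocked")
            return ("drop", flow.src)
        target = self.workloads.get(flow.dst)
        if target and (flow.src, flow.port, flow.proto) in target.allowed:
            return ("allow", flow.dst)  # the only path that is permitted
        # Default deny, but instead of a silent drop we deflect for analysis.
        self._alert(flow, "outside allow-list, deflected")
        return ("redirect", self.honeypot)

    def _alert(self, flow: Flow, reason: str) -> None:
        self.alerts.append(f"{flow.src}->{flow.dst}:{flow.port}/{flow.proto} {reason}")

def build_demo_policy() -> AdaptivePolicy:
    """Constructed sample: a POS workload that only talks to its gateway."""
    pos = Workload("pos-terminal", {("payment-gateway", 443, "tcp")})
    gw = Workload("payment-gateway", {("pos-terminal", 443, "tcp")})
    return AdaptivePolicy({w.name: w for w in (pos, gw)}, HONEYPOT)
```

A connection from an unexpected peer to the POS workload is redirected to the decoy and logged, while any flow leaving the decoy is dropped so the honeypot cannot be turned against the rest of the network.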

Now What?

Risk can never be 100 percent removed. While prevention is ideal, timely detection and mitigation are an absolute must.

Developing effective mitigation controls to minimise the impact while gaining deep insight is an important step we should consider as an industry to better prepare us for the sophistication of future attacks.

Anoop Kartha, Sr. Technical Marketing Engineer, Illumio