Trapping attackers in order to capture their exploitation techniques is possible, and even highly recommended for building a useful threat map. The toolkits and methodologies used by cybercriminal groups are a heritage that is often jealously kept secret to preserve their effectiveness. Honeypots are the means of retrieving this information and lifting the secrecy surrounding it, among other equally interesting things.
Honeypot: Definition
The term honeypot is associated with virtual machines installed on an organization’s computers and designed to simulate the operation of legitimate machines. They are usually set up with the same set of services and applications as the latter. Their purpose is to make cyber attackers believe that the simulated computer system is worthy of attention. Thus, when attempting to take over these devices, criminals are actually attacking decoys monitored by cyber security specialists.
Honeypots, perfect for luring attackers and recording suspicious activity.
Honeypots have been around for decades and are now recognized as an effective way to catch cyber criminals right in the middle of their act.
We can define honeypots as virtual machines that are set up on an organization's computers and made to simulate any other legitimate machine. They are generally installed with the same set of services and applications as the legitimate ones. The objective is to use honeypots as bait, luring attackers into thinking the simulated computer system is worthy of their time. Thus, when cybercriminals attempt to take possession of these devices, they are actually attacking devices that are under the surveillance of cybersecurity specialists.
They are either entirely cut off from all organizational infrastructure or connected only to a sacrificial structure: a clean, classical computer system with the appropriate operating system and required services. Therefore, no genuine requests are ever made to this system. Any request or interaction with a honeypot is most definitely an attacker trying to infiltrate a network.
In addition to the many well-known cybersecurity measures (such as strengthening network security and safeguarding all applications and data), honeypots are able to attract attackers and record their methods for research and intelligence. Research honeypots can also serve forensic purposes, neatly gathering data about the attackers who steal information from them.
Honeypots are therefore used for the following primary purposes:
- To deflect attackers from legitimate systems
- To capture information about how cybercriminals operate
- To create a new defensive posture with specific technical opportunities
At TEHTRIS, we are developing innovative solutions on how best to use honeypots to derail cybercriminals while simultaneously examining their processes and outlining their methods.
"When they attempt to take over these devices, criminals are actually attacking decoys monitored by cybersecurity specialists."
Why use honeypots and why are they so attractive to attackers?
Honeypots are designed to be the ideal target for cybercriminals. Malicious actors always look for the low-hanging fruit, and honeypots are open, vulnerable devices configured to lure a cybercriminal into attacking them.
Attackers seem to think there is value in tackling a honeypot, because the system simulates a genuine machine within an organization's premises, but with weak security safeguards. Therefore, cybercriminals spend, or rather waste, their time trying to enter a honeypot and compromise it.
Every minute cyber attackers waste on this bait, we benefit twice: first by gaining information about their intentions and identity, and second by steering them towards make-believe systems.
Deploying honeypots worldwide and combining records in a cybersecurity data lake
Honeypots give us access to data about how cyberattackers navigate networks and servers, and about who they are. In this way, they make it possible to improve security and hinder those with ulterior cyber motives.
Needless to say, honeypot activity generates tremendous amounts of data. We can feed this data into a Big Data system such as a data lake for further analysis and research. Data science tools come in handy for an in-depth analysis of all the gathered information and for reporting it through visualization.
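The two points above, that a honeypot receives no legitimate requests (so every record it produces is hostile by construction) and that its output is aggregated into a data lake for analysis and visualization, can be shown with a small ingest script. This is an added illustration, not TEHTRIS code or the format of any particular honeypot: it assumes a honeypot that writes one JSON object per line with the fields ts, src_ip, dst_port, proto, event and an optional detail, and the sample records (using RFC 5737 documentation addresses) are constructed for the example. Because no baseline traffic exists, the script never has to decide whether a record is an attack; it only parses, tolerates malformed lines, and builds the per-source and per-port aggregates a threat map would display.

```python
"""Summarise honeypot interaction records for a threat-intel feed.

Added illustration (not TEHTRIS code). Assumed record format: one JSON object
per line with ts, src_ip, dst_port, proto, event and an optional detail dict.
A honeypot receives no legitimate traffic, so no baseline is needed: every
record is treated as hostile and the job is to aggregate, not to classify.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (RFC 5737 documentation ranges), including one
# deliberately malformed line to show that a corrupt record does not stop ingest.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:01Z", "src_ip": "203.0.113.7", "dst_port": 22, "proto": "tcp", "event": "login_attempt", "detail": {"user": "root"}}
{"ts": "2024-03-01T10:00:02Z", "src_ip": "203.0.113.7", "dst_port": 22, "proto": "tcp", "event": "login_attempt", "detail": {"user": "admin"}}
{"ts": "2024-03-01T10:00:09Z", "src_ip": "203.0.113.7", "dst_port": 23, "proto": "tcp", "event": "connection"}
{"ts": "2024-03-01T10:05:30Z", "src_ip": "198.51.100.42", "dst_port": 445, "proto": "tcp", "event": "connection"}
{"ts": "2024-03-01T10:05:31Z", "src_ip": "198.51.100.42", "dst_port": 445, "proto": "tcp", "event": "smb_probe", "detail": {"share": "IPC$"}}
not valid json
{"ts": "2024-03-01T10:07:00Z", "src_ip": "198.51.100.42", "dst_port": 3389, "proto": "tcp", "event": "connection"}
"""

REQUIRED = ("ts", "src_ip", "dst_port", "proto", "event")


def parse_events(text):
    """Parse JSON-lines honeypot output; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict) or not all(k in rec for k in REQUIRED):
                raise ValueError("missing field")
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(rec)
        except (ValueError, TypeError):
            bad += 1
    return events, bad


def summarize_by_source(events):
    """Per-source intel: event count, targeted ports, event types, usernames tried, time window."""
    per_src = defaultdict(lambda: {"events": 0, "ports": set(), "event_types": set(),
                                   "usernames": set(), "first_seen": None, "last_seen": None})
    for e in events:
        s = per_src[e["src_ip"]]
        s["events"] += 1
        s["ports"].add(e["dst_port"])
        s["event_types"].add(e["event"])
        user = (e.get("detail") or {}).get("user")
        if user:
            s["usernames"].add(user)
        ts = e["ts"]
        if s["first_seen"] is None or ts < s["first_seen"]:
            s["first_seen"] = ts
        if s["last_seen"] is None or ts > s["last_seen"]:
            s["last_seen"] = ts
    # Freeze sets into sorted lists so the result serialises cleanly into a data lake.
    out = {}
    for ip, s in per_src.items():
        out[ip] = {
            "events": s["events"],
            "ports": sorted(s["ports"]),
            "event_types": sorted(s["event_types"]),
            "usernames": sorted(s["usernames"]),
            "first_seen": s["first_seen"].isoformat(),
            "last_seen": s["last_seen"].isoformat(),
            "dwell_seconds": int((s["last_seen"] - s["first_seen"]).total_seconds()),
        }
    return out


def top_ports(events):
    """Events per destination port across all sources, the aggregate a threat map plots."""
    counts = defaultdict(int)
    for e in events:
        counts[e["dst_port"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    summary = summarize_by_source(evs)
    print(json.dumps(summary, indent=2))
    print("malformed lines:", bad, "| events per port:", top_ports(evs))
```

Every source in the summary is a confirmed contact with the decoy, so the output can go straight into a data lake or a map without a false-positive filter; the per-source dwell time and the list of usernames tried are the kind of fields that reveal an attacker's tooling and intent over many records.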
When scaled over a global area, such an arrangement can function to strengthen worldwide networks and ensure that organizations that are spread over multiple locations can stay cyber secure.
TEHTRIS plans to take this another step up.
We have installed honeypots in many countries. They allow us to collect and store all related incoming data in a cybersecurity data lake, which we then make available to the public at large through our Cyber Threat Map. This tool is shared openly as a live instance of data-driven cybersecurity.
The aim is to offer cyber specialists across the world, at no cost, data and information (such as the various attackers in action and the attacks they are using to slow down and infiltrate systems), along with the possibility of exploring that data through multiple filters.
In the long term, this would create global coherence in the knowledge of threats and in strategic cyber defense. It would help uncover the current and upcoming trends in criminal activity in order to inform and prepare people around the world.
Honeypots might not be the first solution to think about when it comes to robust cybersecurity, but they can definitely be a critical add-on for any organization.
The only organization that doesn't need one is the one whose cybersecurity arrangement is so consistently strong that it can defend against the majority of attacks. That's another way of saying that all companies need to leverage honeypots.
Global Monitoring of Cyber Attacks over the Internet
A global network of honeypots and a central repository in the form of a data lake to contain all relevant research and forensics information can be one of the most proactive ways to handle and improve cybersecurity around the world.
Contrary to popular belief, every device is worth hacking in today’s day and age of automation. It doesn’t matter whether a company is big or small, or even if the device in question is at home. Cybercriminals plan on monetizing every attack.
Therefore, a global system of honeypots and associated information can be a goldmine of data for cyber specialists who are trying to safeguard their companies, homes, organizations, or countries from malicious attackers.
Through a global monitoring system, specialists can lean into data-driven cybersecurity, leaving less room for manual error and erroneous decision-making. Data can prove to be the new oil for cybersecurity professionals, helping them learn more about their opponents and how they operate so they can devise effective strategies to counter their attempts.
Honeypots aren’t new. Neither is data capture with globally deployed honeypots. But the way TEHTRIS operates is globally unique, since we are the only vendor in the world with an XDR Platform, combining these kinds of honeypots inside the eXtended Detection and Response solution.
Indeed, TEHTRIS' co-founder was one of the pioneers of modern honeypots in the late 90s and an elected member of the Steering Committee of the Honeynet Project. He published various articles, including ones on counterattacking with honeypots, such as fighting against MSBlast.
We at TEHTRIS have been deploying honeypots for our customers, including Fortune 500 companies, since 2013. Learn more about our honeypot cybersecurity philosophy here.