There are many types of defensive tactics in the cybersecurity world that help protect against attacks. For example, defense can be passive, when you only try to detect and mitigate malicious behavior, or active, when you are able to take actions in response to halt the adversaries' operation. Some defensive activities also involve reconnaissance and analysis, when security specialists observe the behavior of malware in a safe, controlled environment to study important details and protect legitimate networks from intrusion. A significant part of the latter approach is handled by honeypots.
Security analysts set up a whole structure of decoy devices, applications, and even networks that resemble the real ones. Their goal is to lure attackers into this honeypot or honeynet and gain as much information about them as possible. What tools and techniques do they use? What is the attack vector? What goals do they have, and how do they achieve them? Many experts feel skeptical about honeypots because they can sometimes do a disservice, acting as an unnecessary backdoor into the system.
Let's look at the pros and cons of using honeypots and try to understand whether or not they can provide better security.
Advantages of Honeypots
Honeypots have been actively used in academic circles as well as in a number of industries to give security analysts better visibility into current cyber threats. However, this knowledge comes at the expense of their own resources and carries the risk of a breach if the attackers recognize the decoy environment and try to move laterally. Isn't it better to use a threat intel feed provided by somebody else and not risk your own network? The latest detection content in the form of Sigma rules can be obtained in places like SOC Prime's Detection as Code platform, where thousands of companies benefit from more than 13,000 timely detections, refreshed every day.
Queries and API requests can be translated into vendor-specific formats with Uncoder.IO, a free online translation engine. Isn't that enough for a good security posture? When it comes to cybersecurity, things are not so easy.
Large companies are especially concerned with providing the utmost security for their networks because they know they are a sweet spot for adversaries. Big APT groups with a widely developed network of bad guys and plenty of resources can potentially be interested in attacking them. As a result, these groups won't hesitate to develop custom malware, run numerous C2 servers, and spend large sums for a chance of breaching the systems of big industry players like Tesla, Apple, and General Electric, among others.
That's why such companies try to find ways to learn more about potential custom attacks targeted specifically at them. Honeypots, if configured right, are one such way to gain unique, insightful information that can be meaningful for particular use cases.
Even though honeypots can be so sophisticated that they fully mimic the structure, components, and content of real digital assets, the traffic that goes through them is completely different.
Obviously, no one risks their own legitimate traffic in honeypots, so in essence they process far less data. The upside is that it's easier to spot malicious behavior and signatures, since you don't have to dig through piles of real events. Such honeypots also don't require a lot of human or financial resources, and it's easy to get them up and running in a short timeframe.
Honeypots are also known for generating fewer false positives than production networks. You can correlate honeypot data with another system, for example firewall logs, to produce more relevant alerts, thus increasing overall SecOps effectiveness.
Ironically, most advantages can also mean higher risks, so they can quickly turn into disadvantages.
Disadvantages of Honeypots
The absence of real traffic or human behavior inside the honeypot can be recognized by some sophisticated malware. If the malicious scanner finds out that it resides in a decoy environment, it can refrain from executing its functions or try to escalate privileges and get into the main network.
It's also important to know that if no malicious behavior is present in a honeypot, it doesn't mean there is no ongoing attack in the system at the moment. Honeypots also don't protect the system; they are just fake systems inside the organization's digital infrastructure. So, if they don't have proper protection (possibly even stronger than anything else in the environment), attackers can easily use these traps as entry points, making their intrusion into the legitimate systems much easier.
Attackers can also stage fake adversary behavior to distract attention from the main vector or feed the honeypot with wrong information, while actually operating quietly elsewhere.
Honeypots can mimic anything, from a USB device to a billing system. It's quite a neat solution for capturing the newest threats and analyzing them in a safe environment. However, if configured incorrectly or made too obvious, they can indeed become dangerous to the company's digital infrastructure and sometimes even help attackers achieve their malicious goals.
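The two points above, correlating honeypot activity with firewall logs to raise higher-fidelity alerts, and watching for a honeypot being turned into an entry point, can be demonstrated with a small correlation script. The following is an added example, not code from the original article or from any honeypot product; the log format, the honeypot address 10.0.9.5, the production range 10.0.1.0/24 and the sample log lines are all constructed for illustration. It assumes the firewall records the flow initiator as `src`, so any flow with a honeypot as `src` means the decoy itself is reaching out, which a decoy has no legitimate reason to do.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for this example).
HONEYPOT_HOSTS = {"10.0.9.5"}
PRODUCTION_NETS = [ip_network("10.0.1.0/24")]

# Constructed honeypot log: every line is an interaction with the decoy.
HONEYPOT_LOG = """
2024-05-02T10:15:01Z src=203.0.113.7 dst=10.0.9.5 dport=22 event=login_attempt user=root
2024-05-02T10:15:09Z src=203.0.113.7 dst=10.0.9.5 dport=22 event=login_attempt user=admin
"""

# Constructed firewall log for the same window.
FIREWALL_LOG = """
2024-05-02T10:16:30Z action=allow src=203.0.113.7 dst=10.0.1.20 dport=443
2024-05-02T10:20:00Z action=allow src=10.0.9.5 dst=10.0.1.30 dport=445
2024-05-02T10:21:00Z action=allow src=198.51.100.4 dst=10.0.1.20 dport=443
2024-05-02T10:22:00Z action=deny src=203.0.113.7 dst=10.0.1.21 dport=22
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> key=value ...' into a dict; timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def in_production(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRODUCTION_NETS)


@dataclass
class Alert:
    severity: str
    rule: str
    src: str
    dst: str
    ts: str


def correlate(honeypot_events, firewall_events):
    """Raise alerts from firewall flows that involve honeypot-touched sources or the decoy itself."""
    # Every source that interacted with a decoy is, by definition, not legitimate traffic.
    touched = {e["src"] for e in honeypot_events if e.get("dst") in HONEYPOT_HOSTS}
    alerts = []
    for fw in firewall_events:
        src, dst = fw.get("src"), fw.get("dst")
        if not src or not dst:
            continue
        if src in HONEYPOT_HOSTS:
            # The decoy initiated a connection: treat it as a possible pivot out of the trap.
            alerts.append(Alert("critical", "honeypot_egress", src, dst, fw["ts"]))
        elif src in touched and in_production(dst):
            # A known honeypot visitor is now reaching production, allowed or denied.
            alerts.append(Alert("high", "honeypot_source_hit_production", src, dst, fw["ts"]))
    return alerts


def run_sample():
    return correlate(parse_log(HONEYPOT_LOG), parse_log(FIREWALL_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.rule}: {a.src} -> {a.dst} at {a.ts}")
```

On the constructed input this yields three alerts: two for the scanner 203.0.113.7 reaching production hosts after probing the decoy (one allowed, one denied), and one critical alert for the honeypot itself opening a connection to 10.0.1.30, the signal that the trap may have become an entry point. The unrelated source 198.51.100.4 produces nothing, which is the point of the correlation: honeypot contact is the qualifier that lifts an ordinary firewall event into an alert worth a human's time.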