Honeypots and Deception Technology: How They Can Help You Detect and Respond to Threats

Deception technology can trick malicious actors into interacting with false networks. It then logs their activities for security teams to analyze.

Honeypots can also help security analysts track cybercriminals’ movements. This threat intelligence can inform preventative defenses, patching priority, and future investments. For example, research honeypots study attack trends and malware strains in the wild to better protect against them.

Deployment

It’s essential to understand the definition of a honeypot and its uses. Honeypots are dummy servers or systems that are placed alongside the production systems used by your organization. Honeypots are designed to resemble appealing targets and are set to allow IT professionals to observe the system’s security responses and steer the attacker away from their original target. A honeypot imitates a natural production system’s data, methods, and processes. To be effective, it must look and feel authentic to attackers. To do so, it must be deployed in a demilitarized zone (DMZ) and connected to the Internet, separate from your existing network. This enables you to examine threats that have successfully breached your firewall but do not enter your production environment.

However, this setup is complex to deploy and requires a dedicated cybersecurity team to manage it. Additionally, it only allows you to track attacks that target the honeypot. Accomplished malicious actors can quickly determine that a honeypot is inaccurate and use the same techniques to infiltrate your existing system.

Deception technology eliminates these limitations and shifts a cyberattack’s cognitive, economic, and time costs back to the attacker. With modern solutions, you can deploy deception virtual machines and decoys across your entire data center, campus, or cloud that appear to be a mix of existing IT assets and IoT/SCADA/ICS devices. This provides more detection opportunities and fills common gaps around network scans and lateral movement. It also includes digital breadcrumbs that you can place on your existing IT assets and Active Directory to lure attackers into the deception environment. These digital breadcrumbs can identify attack patterns and link attackers across your network.

Monitoring

Traditionally, honeypots have focused on diverting attackers away from production systems. However, more experienced malicious actors quickly realize that the decoys they attack aren’t lifelike. Next-generation deception technologies aim to do more than that—to make the attack experience more difficult for bad actors.

Unlike point solutions focusing only on detecting malware, deception covers the kill chain: pre-attack reconnaissance, exploitation, privilege escalation, and lateral movement. This provides more contextual information about what an adversary is trying to accomplish, allowing the organization to deploy preventative defenses or patch vulnerabilities to stop attacks in its tracks.

High-interaction honeypots imitate systems that contain data a malicious actor would be interested in to attract attackers and observe their behavior. These systems run (or appear to run) all the services a full-scale production system should and often include seemingly important dummy files. These systems are resource-intensive and require significant maintenance, but they provide valuable insight into an attacker’s approach to compromising an internal system.

Software-based industrial control systems deception tools such as XPOT, which emulates Siemens PLC protocols and allows the attacker to compile, interpret, and load programs, are also gaining popularity. They can also be used with a simulated industrial process to make the decoy experience comprehensive. Other IoT deception solutions include Dionaea, which emulates various operational technology protocol stacks, including TR-069 WAN management and BACNET, and the RomPager IoT decoy with vulnerable telnet / FTP servers.

Alerts

While many security teams spend time defending the perimeter to prevent outsiders from accessing sensitive information, they often ignore threats that have already breached the firewall. Using deception technology to lure an attacker into a trap can help you gain insights about these insider threats and the vulnerabilities they exploit to attack your systems.

For example, a malware honeypot can mimic software applications and APIs to draw out attacks in a non-threatening environment. The resulting data can reveal injection techniques, credential hijacking, and privilege abuse that you can use to build more effective system defenses.

A good deception solution should be scalable, authentic, manageable, and quiet — known as the SMAQs of an effective tool. It should also create very few false alerts. It should be able to provide context for attacker behavior and enable you to identify and block their movements before they damage your production environments.

While honeypots focus on diverting attackers from the existing production system, next-generation deception methods should target the product environment. This is crucial for ensuring that your response can be focused on the real threat and prevents data loss. For example, if an attacker logs in to a fake SWIFT banking server, their real account would be blocked in the production environment. This is a far more effective response than simply flagging anomalous activity for investigation, which can generate a high volume of false positives.

Response

Honeypots and deception technology can lure attack traffic away from natural systems, divert attacks before they hit critical infrastructure, gather forensic and legal evidence, and gain insight into attacker tools, tactics, and procedures (TTPs) without putting the rest of the network at risk. IT teams can set up a fake database or server to mimic the most attractive information to attackers, such as intellectual property or trade secrets, or monitor for software vulnerabilities like SQL injection or services exploitation.

The type of honeypot deployed depends on the organization’s needs. Low-interaction honeypots are less resource-intensive and provide rudimentary information about an attacker. In contrast, high-interaction honeypots are more complex setups that behave much like your production infrastructure to attract the attention of advanced threat actors. These include imitating the kinds of servers and services that your organization uses. For example, a power company might set up a Microsoft SQL server to appear as a database containing information about all the hydroelectric, nuclear, solar, and coal plants it operates.

Security teams can also deploy research honeypots to collect data about current attacker trends and malware strains in the wild. This helps inform preventative defenses and patch prioritization strategies. Deception technologies are also evolving to help organizations move beyond relying solely on perimeter defenses by placing decoy assets at the network edge, on endpoints, and in often neglected environments like ICS/SCADA and IoT.