April 19, 2016

Bait and Switch: Are Advanced Honeypots the Future of Security?

Honeypots are not new in the security realm. But new techniques and capabilities, says Gartner in a recent report on deception technologies, promise a “game-changing impact on how threats are faced.”

What is a honeypot? It’s a defensive measure that leverages deception to lure hackers into fake environments consisting of network components, servers, and databases. These environments are laced with cyber-bait or fake resources that seem like they will lead the hackers to valuable enterprise data. The beauty of honeypot deception strategies is that legitimate users know the environment is fake. The only users rummaging around and accessing its resources are hackers.

The idea is not only to generate early warnings of a breach; it’s also to scrutinize hacker behavior and learn their tools and tactics. This resulting forensic data can be shared with other organizations, alerting them to attacks that might be coming their way. It can also be fed into analytics engines and machine learning systems to refine detection and defensive strategies.

Going on the Attack

Psych ops and other deceptive strategies are a long-standing component of warfare. American and British forces often deployed phantom armies during World War II to deceive the German High Command and force it into misdirecting and wasting resources. New techniques in cyber-deception include sophisticated applications that insert fake code and files throughout the deception environment. These elements lure hackers down dead ends, detect their moves earlier and with greater accuracy, and ultimately shut them down.

Gartner divides the environment into four layers it calls the deception stack: network, endpoint, application, and data. Fake resources (credentials, bogus accounts) and decoys (systems, data sets) are embedded in each layer. Some honeypot environments might include decoy documents with beacons that track when and where they are opened.

Other systems cast a virtual deception layer over the entire network that engages hackers at every point along the attack path. The idea is to harvest intelligence and generate visibility into unseen attack vectors to continuously adapt security measures in near real time.
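A minimal detector for the planted credentials and decoy hosts described above, written as an added example (not code from the article or from the Gartner report): it scans constructed log lines and raises an alert whenever a planted token is touched, since legitimate users have no reason to use one, and then groups hits by source host to show how far along the deception stack a single host has wandered. The decoy names, the log format and the sample lines are all constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical decoy inventory: each planted token maps to the deception-stack
# layer it belongs to (network, endpoint, application, data). Names are constructed.
DECOYS = {
    "10.0.99.7": "network",               # honeypot host no real service points at
    "WKS-CEO-OLD": "endpoint",            # decoy workstation name seeded in DNS
    "finance-archive-db": "application",  # decoy database host left in a config file
    "svc_backup_ro": "data",              # bogus account stored in a planted password file
}

# Constructed log format: "<ts> <src> <action> user=<user> dst=<dst>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<action>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    layer: str
    token: str

def scan(lines):
    """Return one Alert per log line that touches a decoy; legitimate users never should."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; not a decoy hit
        # Either the account used or the destination may be a planted token.
        for field in ("user", "dst"):
            token = m.group(field)
            if token in DECOYS:
                alerts.append(Alert(m.group("ts"), m.group("src"), DECOYS[token], token))
                break  # one alert per line is enough for triage
    return alerts

def layers_by_source(alerts):
    """Map each source host to the set of deception layers it has touched."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.src, set()).add(a.layer)
    return seen

# Constructed sample log: one legitimate login, then hosts probing planted decoys.
SAMPLE_LOG = """
2016-04-19T10:01:02Z 10.0.5.21 login user=alice dst=10.0.5.30
2016-04-19T10:01:15Z 10.0.5.44 login user=svc_backup_ro dst=10.0.5.30
2016-04-19T10:02:00Z 10.0.5.44 connect user=bob dst=10.0.99.7
garbage line that does not parse
2016-04-19T10:03:11Z 10.0.5.21 query user=alice dst=finance-archive-db
""".strip().splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} touched {a.layer}-layer decoy {a.token}")
```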

The Security Juggle

Yet honeypots and dummy systems are only as good as the perceived authenticity they convey. Attackers have demonstrated they are more than capable of spotting and avoiding phony system components. For example, a hacker could check system traffic levels. If they perceive a mismatch between what they expect to see for a core data component and what they actually see, they may abort the attack. That's why every detail in the deceptive environment must appear to be authentic, both in form and function.

Deception strategies require resources and focus. Yet enterprise security teams are often consumed with tasks such as installing patches and rehabilitating infected system components. There may not be enough bandwidth to engage attackers with sophisticated deception strategies. Still, deception can be an attractive capability for enterprises that feel compelled to advance their security systems to the next level. As hackers and attackers keep upping their game, the security strategy must also evolve.
