The European Network and Information Security Agency (ENISA), Europe’s cyber security agency, has released a new report focused on honeypots, and how these digital traps can most effectively be used by CERTs (Computer Emergency Response Teams) to detect cyber-attacks and sniff out malicious activity.
The lengthy 183-page honeypot report aims to provide an understanding of honeypot concepts, strategies for deploying honeypots, and recommendations on which honeypots may be useful in different scenarios.
This latest report, “The Proactive Detection of Security Incidents: Honeypots”, follows a 2011 report that showed how many CERTs were not fully utilizing all the possible external sources of information available to them. The discoveries learned during the previous study led to decision to investigate the issue further, resulting in this report focused on how CERTs can utilize honeypot technology to proactively detect security incidents.
Knowledge is power, and the ability for network defenders to detect threats before they enter their area of operations is becoming increasingly important in today’s complex threat landscape.
Honeypots can be a powerful source of threat intelligence and are excellent solutions that can be used as a basis for creating larger systems based on networks of sensors or act as feeds for already deployed SIEM tools. They can also be used to help identify insider threats, ENISA reminded in the report.
As an added bonus, much of the technology need to achieve all this is already available for free as open source software.
As part of the study, the ENISA actually tested and evaluated 30 different standalone honeypots, ranging from low-interaction server honeypots (general purpose, web, SSH, SCADA, VoIP, USB, sinkholes), to high-interaction server honeypots, and low and high-interaction client-side honeypots.
The report explores strategies for deploying honeypots, ranging from setting up a single honeypot to creating a network of honeypots known as a “honeynet”. Additionally, the report dives into various hybrid honeypot solutions, early warning systems based on honeypots, and sandboxes and their possible usage by CERTs.
While the report was compiled with managers and technical staff of government CERTs in mind, it can also be valuable to any other CERT or enterprise security team.
“New CERTs can use the report to quickly learn which honeypot and sandbox technologies to focus on when deploying such solutions, while existing CERTs can identify technologies they may be missing,” ENISA explained. “They can also use the suggestions and findings in the report to engage in possible collaborative development efforts with researchers and other CERTs in order to aid their detection and incident handling process.”
While honeypots can be used as a sensor to detect unwanted or otherwise malicious activity, honeypots can also be used to study what happens after a network is compromised by an attacker, the report explained.
For example, according to Jan Goebel, a security expert from Siemens, turning a previously compromised system into a honeypot can be useful to closely monitor an attacker and find out what other systems in a network could potentially be compromised.
While honeypots clearly have many benefits, it’s important that organizations understand some of the risks associated with deploying honeypots, especially when they are connected to organizational networks.
Honeypots are designed to interact with an attacker, and typically result in them gaining some level of control over a system—something that could be used to launch attacks and conduct other illegal activities. Such activities could be anything from hacking other systems, sending spam or spreading malware.
The report also warns that when compromised, the value of a honeypot is dramatically reduced, something that could provoke an attacker to avoid or bypass the honeypot network or even introduce misleading data into a honeypot, which can significantly hinder data analysis.
In order reduce the risks associated with honeypots, ENISA mentioned the importance of tightly controlling the network where the honeypots are deployed, including monitoring and controlling both incoming and outgoing traffic.
Additionally, the report cautioned to ensure that legitimate traffic does not end up on the honeypot, as that may trigger false positives.
Honeypots – Part of Every CERTs Toolkit
Overall, ENISA strongly suggests that honeypots should be an essential part of any CERT’s toolkit.
“Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT’s constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behavior, as well as give an opportunity to learn about attacker tactics,” said Professor Udo Helmbrecht, Executive Director of ENISA in a statement.
As part of its continued research and analysis on honeypots, the ENISA is asking CERTs to actively take part in the communities identified in the study, and provide feedback to its researchers involved in development of honeypots and related technologies.
“It has to be stressed that CERTs can also have great influence on how these technologies evolve and how they can be customized to simplify their usage, thus allowing them to be adopted on a greater scale," the report concluded.
A final note of importance that the ENISA mentioned, are the legal and ethical issues that could potentially exist with a honeypot deployment. "A study of these issues is outside the scope of this study. Nevertheless, we encourage CERTs to consult on the potential legal implications of usage of honeypots in their country/constituency with a legal counsel.”
The full 183-page report is a worthy read and can be downloaded here in PDF format.