by Lane Thames, senior security researcher with Tripwire’s Vulnerability and Exposure Research Team
The concept of honeypots and deception has been leveraged by cyber-defenders for many years. Today, though, the emergence of maturing technologies allows us to add a new twist on the classic honeypot approach.
Honeypots were ahead of their time. In the past, honeypots were useful but scale was a limiting factor for the amount of benefit and return on investment achieved from their use. However, with modern technologies like virtualization, cloud computing, containers and DevOps tool chains, we can now scale honeypots to make them statistically relevant in modern large-scale enterprise networks.
Furthermore, we can utilize existing programming frameworks to develop interesting types of honeypot technologies. The purpose of this article is to illustrate some new twists on classical honeypot technologies.
Honeypots are classified as deception technology in cyber security. Deception has both good and evil aspects. Malicious actors implement several successful deception techniques, such as spam email and phishing attacks. Honeypots, which have existed since the early days of computer security, are used by the good guys. Honeypots have traditionally been used to deceive attackers, and they are composed of systems that provide what appears to be legitimate network services.
However, honeypots are actually “decoys” used to attract cyber attackers. Any access to a honeypot system is very indicative of malicious behaviour. As such, any access to a honeypot springs a “trap”, which then issues an alert to system and network administrators indicating that suspect activity is in progress. Administrators can then investigate this activity and implement real time controls such as adding firewall rules to block incoming traffic from the address of the device(s) that sprung the trap.
Honeypots are very successful at indicating potentially malicious activity. However, in the past, they were not statistically relevant. As such, they have never really been a truly successful cyber-defense technology. The reason for this is due to scale. In the early days of honeypots, physical machines had to be purchased to host a single honeypot. Because of high server costs, organizations would only deploy small numbers (i.e., 5-20) of honeypots. However, an organization that deployed, say, 20 honeypots would potentially have 100’s or even 1000’s of endpoints in their networks. As such, the honeypot deployment was not really statistically significant, especially in terms of creating confusion.
There is another aspect of deception and honeypots, which is confusion. Although springing honeypot traps is very beneficial in terms of detecting malicious activity, in large networks with very few honeypots, it could be very late in the attack cycle before a trap is sprung. However, if we can deploy very large numbers of honeypots, we can significantly shift the odds in our favour. This is scale, and it is one new twist on honeypot technology that we have available to us today. Why? Because with new technologies such as virtualization, containerization, and cloud computing, organizations can easily deploy larger numbers of honeypots using DevOps tool chains. Increasing the number of honeypots relative to the total number of endpoints in a network increases the chance that we can detect a malicious actor early in the attack cycle.
Scale is not the only aspect of new honeypot capabilities. Another aspect that I have personally been researching is dynamic deception. Dynamic deception can raise the bar on the confusion aspect of honeypots and deception. Increasing the amount of confusion induced in a cyber attacker can increase the amount of time required for their attack cycles. In particular, we can increase the amount of time required for an attacker to implement network reconnaissance.
Honeypot-based dynamic deception is based on moving network applications across TCP ports (port-based dynamics) and IP addresses (IP-based dynamics). I have developed techniques to implement port-based dynamics using the Twisted networking framework. Moving network applications across ports and IP addresses causes significant confusion to cyber attackers. These dynamics provide two mechanisms: honeypot traps and time delays.
Accessing a honeypot resource, as usual, springs the honeypot trap. However, the dynamic aspect causes time delays for the attacker because the dynamic honeypot resources are moving. Attackers map resources that will not be available at the mapped IP address and port during the next phase of the attack cycle. This causes the attacker to re-map the network and the cycle just keeps going until the attacker gives up (at least gives up trying to attack the dynamic endpoints/honeypots). The time delay induced on the attacker gives system administrators more time to react to detected cyber-attacks.
Time is always against cyber-defenders. Technologies such as dynamic deception can potentially shift the odds in terms of defenders racing against the clock during cyber-attacks.
Also of interest: Biometrics through security