Honeypots: Free psy-ops weapons that can protect your network before defences fail

You catch more crooks with honey than vinegar

Double-edged sword

Sydney-based hacker Pedram Hayati has studied deception from the offender's perspective, examining how it can be used to confound security defenders. The Elttam Labs penetration tester studied it in part during his PhD, which centred on spam and anti-filtering technology, and in hacker conference presentations [PDF].

"Attackers need a very good understanding of how the security practitioner is doing their job, their objectives, what they are looking for, the technologies on the network and so on," Hayati says. "Say if an attacker knows the intrusion detection system used, they can make it generate a lot of false alarm alerts to force a human to sift through it, and the real attack can go on in the background."

Anti-forensics is another field in which deception is valuable. Skilled malware writers code capabilities into their work that not only keep the malicious processes from activating when known honeypots, sandboxes, and reverse-engineering tools are detected, but also fire benign payloads so the sample appears to be legitimate software.

Pedram says hackers can go further: "Forensics do timeline analysis, and what attackers will do is modify file timelines to spread red herrings," he says. "If they are doing their job really well, they will do things like making it look like stolen data was exfiltrated to USB when in reality that was not the case."

Back in 2005, a group of hackers under the Anti-Honeynet Alliance published, in the hacker zine Phrack, ways to detect known honeypots, in what became a cat-and-mouse game of detection and deception.

A bit sticky

"If your honeypot is very convincing, the adversary will do more, perhaps download additional tools and so on, so the better your honeypot the more information you will gain," Rist says. However, shadow honeynets that sit alongside the corporate network are extremely difficult to build and run. The Project pair's advice is for corporate security staff to start small and slow, learn, and build up.

"A full blown honeynet is pretty complex because it is a full deception operation, and to run a successful deception you also have to have technological and human networks," Vestergaard says. "It becomes very complex to run a shadow network along your own network."

He says most organisations should aim to run honeypots, rather than complex honeynets, within their production network. "It took a year to set up HoneyTrain and that wasn't even so complex," Rist says.

Even a basic honeypot is useful. Any attacker who touches the honeypot server should be considered malicious purely on the basis that there is no reason for any legitimate user to connect with it. The Honeynet Project pair describe it as a detection canary. "Honeypots do not usually need to be that advanced - it all depends on your goal of course - because just seeing traffic on the honeypot on your internal network should set off alarms. In most cases you don't care if your honeypot is detected because at that point the mouse is in the trap."

These simple honeypots can be built up into systems like hacker Dave Kennedy's Artillery honeypot, which combines honeypot services with monitoring, fires off warning emails to security staff and generates firewall rules when intruders are detected. Those alerts can be plugged into security information and event management systems and similar tools.
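The detection-canary idea from the two paragraphs above, as an added example that is not code from the article, the Honeynet Project or Artillery: a loopback-only Python listener that treats every connection as an incident, emits one JSON alert per source per time window (so a flood of probes of the kind Hayati describes cannot drown out the other alerts), and attaches a suggested host-firewall block rule for a responder to review. The port, the suppression window and the iptables syntax are assumptions; nothing is applied automatically.

```python
import json
import socket
import time

SUPPRESS_SECONDS = 60  # assumed tuning value: at most one alert per source per minute

def block_rule(src_ip):
    """Host-firewall rule for a responder to review; iptables syntax, generated here, never applied."""
    return f"iptables -I INPUT -s {src_ip} -j DROP"

class CanaryHoneypot:
    def __init__(self, port, suppress=SUPPRESS_SECONDS):
        self.port = port
        self.suppress = suppress
        self.last_alert = {}  # src_ip -> time of the last alert emitted for that source
        self.alerts = []      # stands in for the SIEM feed or the warning e-mail queue

    def record_hit(self, src_ip, src_port, first_bytes, now):
        """Return a SIEM-ready alert, or None if this source already alerted within the window."""
        last = self.last_alert.get(src_ip)
        if last is not None and now - last < self.suppress:
            return None
        self.last_alert[src_ip] = now
        alert = {
            "ts": round(now, 3),
            "event": "honeypot_connection",  # no legitimate user has any reason to be here
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": self.port,
            "first_bytes": first_bytes[:64].hex(),  # banner or probe the client sent, if any
            "suggested_rule": block_rule(src_ip),
        }
        self.alerts.append(alert)
        print(json.dumps(alert))  # one JSON line per alert, easy for a SIEM to ingest
        return alert

    def serve(self, max_conns):
        """Accept connections on loopback (constructed setting) and never answer the client."""
        with socket.socket() as srv:
            srv.bind(("127.0.0.1", self.port))
            srv.listen()
            for _ in range(max_conns):
                conn, (ip, port) = srv.accept()
                with conn:
                    conn.settimeout(0.5)  # scanners may connect and send nothing
                    try:
                        data = conn.recv(64)
                    except socket.timeout:
                        data = b""
                    self.record_hit(ip, port, data, time.time())
```

Running `CanaryHoneypot(port=2222).serve(max_conns=3)` and connecting with `nc 127.0.0.1 2222` from another shell prints one alert line per new source.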

There are risks, of course. Honeypots are deliberately exposed systems, and attackers drawn to them could turn their attention to the legitimate corporate network. They also increase the corporate attack surface in the same way that any additional device or service does, including traditional security solutions.

The technology is also demanding of skills, and needs research and careful deployment to be effective.
