As cyber adversaries increase the sophistication and persistence of their attacks, older methods that treat every threat the same become increasingly inadequate. One way to gain better context around these threats is the use of “honeypots.”
A honeypot is a security resource deliberately designed to be probed, attacked and compromised, for the purpose of gathering intelligence about an attacker. Because a honeypot serves no production purpose, any interaction with it is suspect by definition. By tricking adversaries into believing that they have gained access to our systems, we can watch their activities: where they connect from, which credentials they try, what malware they upload and other crucial details.
Furthermore, when honeypots are integrated with other threat intelligence and automation tools, this data can be used not only to provide context around the threat but also to initiate an immediate response that blocks the attacker, and to share the indicators across our organization or with others.
In this webcast, security engineer Ioannis Koniaris, developer of Honeydrive, a popular Linux distribution that comes with several honeypot applications pre-installed, discusses with us how various open source honeypot tools work and how they can be used to gather threat intelligence data. Tripwire security researcher Ken Westin presents how to make use of the collected honeypot data to provide richer analytics and enhance your defenses.
Hello, welcome to our podcast. Before Ioannis goes into detailed descriptions of honeypot tools and methods, I thought I would provide a high-level overview of where honeypot tools fit into an overall enterprise defense strategy.
In thinking about where honeypots fit in our defense strategy, I kept coming back to this quote by Sun Tzu from The Art of War, about knowing our enemies and knowing ourselves, which I find correlates to our ongoing game of vulnerabilities and threats.
On the vulnerability-centric side of defense we have a strong focus on prevention, identifying vulnerabilities and patching them before our adversaries can exploit them, with heavy reliance on signature-based detection. We also hopefully know a great deal about the IT assets and data we are entrusted to protect.
However, although we know a lot about what we are protecting, we don’t know a lot about the threats targeting us. The vulnerability-centric model focuses on all threats equally, without context, and raises challenges when new or previously unknown threats are in play.
When we combine the vulnerability-centric approach with a threat-centric approach, we add another perspective to the mix, one that understands that eventually prevention will fail; that is simply the nature of the world we now live in. With honeypots in particular we are also able to bring in data collection and observation to make our defenses stronger. We gain better insight into our adversaries’ tools, tactics and procedures, and we are able to bring in data from a wide range of sources, allowing us to broaden our detection capabilities beyond signatures alone.
Different threat actors have different goals and objectives in mind, as well as different levels of resources and patience. Knowing who is targeting us and the tools they are using provides us with rich insight that bolsters our defenses.
So, another quick quote from another great historical strategic thinker. In addition to gathering intelligence about our attackers, honeypots and threat intelligence provide us with an important benefit: we are able to slow the attacker down and, more importantly, waste their time.
The overall message of the 2014 Verizon DBIR, which provides key annual metrics around data breaches, can be summed up in this graphic, which maps the time it has taken an attacker to compromise an asset versus the time it takes a defender to discover the breach over the past 10 years. The gap is widening. By slowing attackers down and gathering data about their activities we can minimize this gap, decreasing the time it takes us to respond and increasing the time it takes them.
With that, I would like to hand the presentation over to Ioannis, who will be providing a more in-depth look at honeypot tools and how you can leverage them in your environment.