In January 1991, a group of Dutch hackers attempted to break into a system at Bell Labs, only to be directed into a digital sandbox administered by one of the research groups at AT&T. In an account of the five-month incident involving one of the first computer honeypots, Bill Cheswick echoed a complaint of the systems frequently made since the incident: "How much effort was this jerk worth? It was fun to lead him on, but what's the point?"
Yet, increasingly, companies are seeing a point. Businesses are deploying honeypots focused specifically on alerting defenders to an attacker's presence. Such systems tend to have a low false positive rate, can detect both insiders and external hackers and, best of all, should require little maintenance after setting up.
"If we look at the next generation of attacks, attackers are using less and less malware, they just find valid credentials online," says John Strand, a pentester with consultancy Black Hills Information Security and an author of the book, Offensive Countermeasures: The Art of Active Defense. "They simply just log in and they can walk in the front door as a legitimate user."
To detect such breaches, companies can use sophisticated anomaly detection or simply stand up some simple servers that should never be accessed. Those honeypots can alert the security team when someone is poking around where they should not, he says.
While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.
1. Low false positives, high success
Every attacker worth their salt first tests their malware against the popular known security measures out there. Just by checking whether their program dodges detection by Symantec's and McAfee's anti-malware scanners, attackers have fooled systems that more than 80 percent of companies rely on, says Black Hill's Strand.
"A lot of traditional defensive technologies don't have a lot of value against advanced attackers, because the bad guys have the means and the resources to ensure that their attack is going to work," he says.
Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.
2. Able to confuse attackers
Honeypots can also be used to slow down the attackers who successfully get into a company's network. Using a virtual system, a company can create a variety of decoys that can distract the attackers and cause them to take more time to find the valuable data.
"Decoys are all about moving the threat from the real assets to the fake one, at the same time alerting you to the threats," says Michael Davis, chief technology officer for CounterTack, a security firm that recommends more active defenses.
Another approach is to use honey tokens, fake data seeded within database records that should not otherwise be accessed, he says. By placing rules in the firewalls to alert on the unique data, a company can detect whenever a user or hacker downloads the information.
3. Only a time sink, if you allow it
Companies can deploy one of two types of honeypots. The first is a research honeypot--an instrumented virtual system that hosts a vulnerable operating system and is put on a network accessible to the Internet. The problem with research honeypots is that they require a lot of time to set up, watch for threats and then analyze the resulting compromise. While companies can learn a lot about attackers from such systems, they typically require too much time to be of use in an enterprise whose business is anything other than security.
"Research honeypots tend to be the tool of choice for university students to observe attacker behavior," Strand says. "That's neat but for the rest of us, we have real compromises to take care of."
Production honeypots, on the other hand, are systems that emulate something of business value to the company. They can be a Web server, workstation, database or just a document. They are low-interaction systems, which mean that the security team just sets them up and then can worry about other things until a user interacting with the honeypot sets off an alert.
4. Help train your security team
With technical security professionals still in short supply, honeypots can also be used a essential training tools, says CounterTack's Davis. By using honeypots to watch the attackers actions, the defenders can learn about the latest techniques.
"A lot of security teams, when they start deploying honeypots, they really start understanding how these attackers work," he says. "They see the steps the attackers takes, but also figure out how to stop the intermediary steps in their own network."
5. Many free options
Finally, there are a lot of free option for companies to get started with honeypots. At the Black Hat Security Briefings in Las Vegas, Strand and three colleagues released a collection of active defense tools, wrapped in a single Linux ISO distribution dubbed the Active Defense Harbinger Distribution (ADHD).
For those who prefer Windows, KFSensor is a popular honeypot systems based on that operating system.