Automated at-scale attack campaigns now represent the vast majority of online threats, and are starting to blend together with targeted attacks. As the number of these attacks increases, so does the cyber risk for organizations.
Unfortunately, the most common approaches to defense (vulnerability management, phishing awareness, signature-based network and endpoint detection) are neither effective nor efficient against these attacks, in part because traditional third-party threat intelligence offers little visibility into activity aimed at one specific organization.
In the second quarter of 2023, GreyNoise researchers observed a substantial change in the behavior of some regular internet scanning idioms. Inventory scans, in which both benign and malicious actors periodically check the internet for a given technology or a specific vulnerability, dropped significantly in frequency and scale, and the vast majority of those that remain now come from benign sources. Taken together with how quickly organizations are compromised after a new vulnerability is announced, this strongly suggests that more capable attacker groups maintain their own form of “attack surface monitoring”: rather than scanning for targets after a disclosure and tripping existing defenses, they already know where the vulnerable systems are.
These targeted attacks threaten to circumvent existing defense capabilities and expose organizations to a new wave of disruptive breaches. In order to adequately protect their networks, defenders must evolve in response.
Honeypots are back in vogue
Although there are countless sources of third-party intelligence about attacker behavior, many of them are the secondary outputs of some other security program. Managed service providers, hosting providers, and endpoint and network security vendors use what they learn from the networks they protect to defend the broader universe of organizations. Because that data is collected from whichever organizations happened to be targeted, the defender consuming it has no control over what is observed or how. The intelligence is a byproduct of another business, with another business model. What’s more, such providers cannot collect information about a potential attacker until it has actually attacked a protected network, which biases the data toward widespread attacks and away from narrowly targeted ones.
Another approach to threat intelligence relies on first-party (i.e. “primary source”) data, derived from sensors that observe attacker behavior directly. When these sensors are designed to mimic vulnerable systems with the intent of attracting attackers, they are referred to as honeypots. A single sensor sees only the traffic that happens to reach it, but when honeypots are deployed at scale it becomes possible to detect both internet-wide and targeted attacks.
Honeypots offer some key advantages to defenders when used to complement traditional third-party threat intelligence, especially when addressing the threat of targeted attacks:
- Velocity. Honeypots avoid the operational lag of traditional threat intel because observations can be automatically tagged and distributed at machine speed.
- Proactivity. Rather than waiting until a production system has been attacked to collect data, honeypots observe and record a potential attacker’s behavior against a decoy before any real system is compromised.
- Relevance. Instead of relying on data collected from verticals, systems and geographies that may or may not pertain to a specific defender, honeypots collect data from sensors configured to resemble the defender’s own key assets.
- Comprehension. Because the defender controls the sensor’s configuration, every observation can be interpreted in full context (what the honeypot presented, and what the attacker did with it), rather than inferred from third-party data of unknown provenance.
In the past, honeypot programs have struggled with two kinds of problems: operational security (a decoy that runs real, vulnerable software is itself an asset that can be compromised and abused) and detection, both keeping the sensor from being fingerprinted as a decoy and reliably distinguishing attacks in the traffic it collects. Because of this, few organizations currently have mature, effective honeypot programs. However, new advances in infrastructure automation, network traffic shaping, cloud computing and artificial intelligence can resolve these issues and make it possible to consistently identify novel attacks and reveal attacker infrastructure.
Defenders should define their honeypot strategy by identifying attack risks and intelligence gaps, assessing honeypot maturity and evaluating security partnerships for comprehensive visibility.
6 criteria for a successful honeypot defense strategy
While honeypots are not a silver bullet, a mature honeypot program can fill the gaps in current intelligence approaches and effectively manage business risks. One of the key advantages is that they offer a unique opportunity to see what potential attackers are doing in real-time before a full-on incident takes place.
Here are six criteria for a successful and effective honeypot defense strategy:
- Ease of deployment. Advances in cloud technology and infrastructure orchestration have made it possible for network architecture to support streamlined operations. A new honeypot can be little more than a network redirect (for example, a forwarded address or port) pointing at sensor infrastructure already running in the cloud, which permits resource-constrained teams to deploy and manage many honeypots covering the systems and protocols they wish to defend.
- Flexible persona. In order to be effective, the apparent identity that a honeypot presents to scanners and attackers needs to be updated frequently in response to changing threats. Fortunately, the same cloud architectures that support easy deployments can also deliver dynamic personas. As attackers shift the systems they target in response to new vulnerabilities, new attack campaigns and new priorities, defenders need to be able to shift their honeypot personas to match.
- Credibility. Depending on what behavior defenders wish to observe, different levels of honeypot interaction are required (e.g. a clone of a login page, an exposed vulnerability, or deeper still). In many cases it isn’t enough to imitate: the honeypot must actually run the real software that lures attackers, because shallow emulation is quickly fingerprinted and abandoned. The trade-off is operational: a sensor running genuinely vulnerable software needs isolation and strict egress control so that a successful compromise cannot be turned against the defender.
- Completeness of data. A successful honeypot program will collect all of the data that analysts, detection engineers and others require to block automated attacks and identify targeted ones. New honeypots collect more comprehensive data from packet capture and in-persona process, file and network actions, providing analysts with the data they need to observe, identify and understand novel activities and attacks.
- Automatic analysis. While an initial, unadvertised perimeter sensor will only see a trickle of background noise, once the honeypot presents a popular technology persona and has been indexed by internet-wide scanners, it will see a high volume of scan and attack traffic. This data can overwhelm defenders, undermining the honeypot’s value. Manual analysis is possible at low volume, but mature programs must increasingly leverage AI to assist in data labeling.
- Global visibility. The true value of honeypots is realized when the data can be aggregated and compared with global threat data. An attack seen by one organization’s honeypots but by no one else’s is a strong indicator of targeted activity; one seen everywhere is part of a mass campaign and can be handled by automation. A honeypot program that empowers defenders to immediately and systematically contrast what they’re seeing with what’s happening worldwide represents a new source of truth on both mass attack campaigns and targeted activity, allowing defenders to understand, prioritize and respond to the threats they are actually facing.
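The tagging and local-versus-global contrast described in the last two criteria, as an added example that is not the article's or GreyNoise's code. The event format, the rule names, the GLOBAL_BASELINE dictionary standing in for a worldwide dataset, and the sample events are all constructed for illustration; a real program would read sensor logs and query a global service in their place. Note the caveat it encodes: a single, untagged hit that nobody else has seen is treated as noise, not as a targeted attack.

```python
"""Contrast local honeypot sightings with a global baseline.

Added example for this article; not GreyNoise code. Events and the
"global" baseline are constructed inline so the script runs offline.
"""
import json
from dataclasses import dataclass, field

# Constructed honeypot events, one JSON object per line. "persona" is the
# technology the sensor was presenting when the source hit it.
RAW_EVENTS = """\
{"ts": "2023-06-01T10:00:01Z", "src": "203.0.113.10", "persona": "ssh", "detail": "login root/admin"}
{"ts": "2023-06-01T10:00:02Z", "src": "203.0.113.10", "persona": "ssh", "detail": "login root/123456"}
{"ts": "2023-06-01T10:00:04Z", "src": "198.51.100.7", "persona": "http", "detail": "GET /.env"}
{"ts": "2023-06-01T10:00:05Z", "src": "198.51.100.7", "persona": "http", "detail": "GET /wp-login.php"}
{"ts": "2023-06-01T10:01:00Z", "src": "192.0.2.44", "persona": "http", "detail": "GET /"}
{"ts": "2023-06-01T10:01:30Z", "src": "192.0.2.99", "persona": "http", "detail": "POST /api/v1/login"}
{"ts": "2023-06-01T10:01:31Z", "src": "192.0.2.99", "persona": "http", "detail": "GET /api/v1/users"}
{"ts": "2023-06-01T10:01:32Z", "src": "192.0.2.99", "persona": "http", "detail": "GET /api/v1/users?id=1' OR '1'='1"}
{"ts": "2023-06-01T10:02:00Z", "src": "192.0.2.200", "persona": "http", "detail": "GET /robots.txt"}
"""

# Constructed stand-in for a global dataset: what sensors worldwide
# concluded about a source. A source absent here has only been seen by us.
GLOBAL_BASELINE = {
    "203.0.113.10": "malicious",  # mass SSH brute-forcer
    "198.51.100.7": "malicious",  # mass web-application scanner
    "192.0.2.44": "benign",       # known research scanner
}

# Simple rule-based tags of the kind a detection engineer ships first; an
# ML labeler would extend this list rather than replace the structure.
TAG_RULES = [
    ("ssh-bruteforce", lambda e: e["persona"] == "ssh" and e["detail"].startswith("login ")),
    ("dotenv-probe", lambda e: e["persona"] == "http" and "/.env" in e["detail"]),
    ("wordpress-probe", lambda e: e["persona"] == "http" and "wp-login" in e["detail"]),
    ("sqli-attempt", lambda e: e["persona"] == "http" and "' OR '" in e["detail"].upper()),
]


def parse_events(raw: str) -> list[dict]:
    """Parse JSON-lines sensor output, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def tag_event(event: dict) -> set[str]:
    """Return the name of every rule whose predicate matches the event."""
    return {name for name, pred in TAG_RULES if pred(event)}


@dataclass
class SourceSummary:
    src: str
    hits: int = 0
    personas: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    verdict: str = "unclassified"


def classify(summary: SourceSummary, baseline: dict) -> str:
    """The global view explains mass and benign traffic; what is left over,
    seen only by our sensors, is where targeted activity hides."""
    global_view = baseline.get(summary.src)
    if global_view == "benign":
        return "benign-scanner"
    if global_view == "malicious":
        return "mass-campaign"
    # Nobody else sees this source. One untagged hit is still just noise;
    # repeated or attack-like behaviour makes it a targeted-attack candidate.
    if summary.tags or summary.hits > 1:
        return "targeted-candidate"
    return "local-noise"


def summarise(events: list[dict], baseline: dict) -> dict[str, SourceSummary]:
    """Aggregate events per source address, tag them, then classify."""
    per_src: dict[str, SourceSummary] = {}
    for event in events:
        s = per_src.setdefault(event["src"], SourceSummary(event["src"]))
        s.hits += 1
        s.personas.add(event["persona"])
        s.tags |= tag_event(event)
    for s in per_src.values():
        s.verdict = classify(s, baseline)
    return per_src


def targeted_sources(per_src: dict[str, SourceSummary]) -> list[str]:
    """Sources an analyst should look at first."""
    return sorted(s.src for s in per_src.values() if s.verdict == "targeted-candidate")


if __name__ == "__main__":
    summary = summarise(parse_events(RAW_EVENTS), GLOBAL_BASELINE)
    for s in sorted(summary.values(), key=lambda x: x.src):
        print(f"{s.src:14} hits={s.hits} tags={sorted(s.tags)} -> {s.verdict}")
    print("escalate:", targeted_sources(summary))
```

Run as a script, the two mass scanners and the benign researcher are explained away by the baseline, 192.0.2.200's single probe is left as local noise, and only 192.0.2.99 (seen nowhere else, and attempting injection) is escalated. The same structure scales by swapping GLOBAL_BASELINE for a live query and TAG_RULES for a trained labeler.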
There will always be a need for the unique threat intelligence insights that only large, advanced honeypot networks can safely provide. Organizations that accurately scope their risk profile and honeypot maturity will be best positioned to make effective investments, equipping their defenders with the intelligence they need to deal with the evolving landscape of automated and targeted attacks.