Edited 11/30 10:37pm - It was pointed out to me that the ENISA document is aimed more at CERT organizations than the common enterprise, a fact I didn't catch in my first pass at it, so I updated my post to reflect this, thanks Brian Honan.
There is an interesting article over at H-Online titled "ENISA promotes digital hacker traps" which made me think a bit. The European Network and Information Security Agency is actually endorsing the use of honeypots to detect hacking in and around the perimeter. This sounds interesting, especially since I have a honeypot set up at my home office that I sometimes bait out to the Internet, but what is the applicability to the enterprise?
Let's take a look at this rationally. First, the document is a comprehensive 183 pages long, which makes it difficult to get through in one sitting ... or at all, for that matter, for slow readers like myself. A few people pointed out to me that this paper is geared primarily towards CERT-type organizations, which I missed in my first reading, but my concern for the enterprise use-case persists. What disturbs me after starting to read this document is that it seems to advocate a universal use of honeypots, which I think is dangerous for a number of reasons, including the obvious legal complications of inviting an attacker in and entrapping them. I can already see some company that can't figure out how to defend itself with the few Information Security resources it has saying "here's an idea to find and stop hackers, let's stand up a honeypot!" without really understanding what this means and the complexities and dangers of doing so. I think honeypots should be left to organizations who already understand information security posture and defense well, and who have the resources to maintain honeypots ... more on the maintenance point in a bit.
There are obviously benefits of having a honeypot in place, including the fact that attackers will likely trip over it first, either by accident or because you want them to, and spend some time cracking the honeypot and essentially wasting time. While you want the attacker to go after a non-critical system that you've set out there as bait, let's keep in mind that a good attacker may be sitting silently in that system, and now you've given them yet another way into your network. The hope of 'catching an attacker' in the honeypot is best left to the experts, and I unfortunately do not believe, from experience, that there are enough experts out there in the average enterprise to make a honeypot a good idea. I suggest organizations first focus on understanding their threat landscape and defending themselves, and then, as an advanced measure of defense, set up a honeypot or a series of them for environmental and situational awareness.
But what if your organization just drops a honeypot in place to 'catch an attacker'? How will you know whether someone has started attacking or is stuck in the trap? Do you have enough resources not only to understand the attacks that could take place, but also to know what to do with the attacker to 'stop' them from digging into the rest of your organization? You can't just segment off a honeypot, because then it doesn't blend in and loses much of its value, but if a database honeypot is breached and triggers alarms amidst the database cluster - what do you do? These are the dangers of giving attackers an easy target somewhere in your organization. This isn't as simple as just dropping in a honeypot; I hope that's clear.
If you're going to put in a honeypot, there are a few things you must make sure you're doing, or at least have in place already ... here are some simple suggestions:
- Ensure you've got automated monitoring hyper-tuned on the honeypot through a central intelligence platform such as a SIEM, or something more advanced such as a comprehensive operational analytics platform
- Ensure you've got the right tools in place to give you more than just alerts, but actionable intelligence from the honeypot
- Ensure you have the resources to investigate Honeypot activity 24x7x365
- Ensure you're not giving an attacker an easy way into your network or system by putting a honeypot in a strategically poor position (for example, bridging secure/insecure network space)
- Make sure you tune your honeypot to simulate an actual system in your environment, so it doesn't stick out as an obvious trap
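The monitoring and "actionable intelligence" points above are easier to see in code than in prose, so here is an added example; it is not from the post or from the ENISA report. It assumes a honeypot at the constructed address 10.20.5.50 inside an assumed internal range 10.0.0.0/8, and a simple constructed connection-log format of "timestamp src dst dport action". The rules encode the post's reasoning: any inbound touch of a honeypot is an alert because no legitimate traffic should reach it, an internal source touching it is worse, an outbound connection from the honeypot is the pivot the post warns about, and a source that touches the bait and then moves on to a real host is the one you need to act on.

```python
"""Honeypot alerting rules over a constructed connection log (added example)."""
import ipaddress
from dataclasses import dataclass

HONEYPOT = ipaddress.ip_address("10.20.5.50")   # assumed honeypot address
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed sample log: "timestamp src dst dport action" (not real traffic).
SAMPLE_LOG = """\
2012-11-30T22:01:05 203.0.113.7 10.20.5.50 22 connect
2012-11-30T22:01:09 203.0.113.7 10.20.5.50 22 login_success
2012-11-30T22:02:11 10.20.5.50 10.20.5.51 3306 connect
2012-11-30T22:03:40 10.20.9.14 10.20.5.50 3306 connect
2012-11-30T22:04:00 10.20.9.14 10.20.5.51 3306 connect
"""


@dataclass
class Alert:
    severity: str   # medium / high / critical
    rule: str       # which rule fired
    line: str       # the raw log line, for the analyst


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def evaluate(log_text):
    """Return one Alert per log line that involves the honeypot."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = parse_line(line)
        if dst == HONEYPOT:
            # Nothing legitimate talks to a honeypot, so every inbound hit is an alert.
            if src in INTERNAL:
                # An internal host probing the bait means something is already inside.
                alerts.append(Alert("critical", "internal_host_touched_honeypot", line))
            elif action == "login_success":
                alerts.append(Alert("high", "honeypot_login", line))
            else:
                alerts.append(Alert("medium", "honeypot_inbound", line))
        elif src == HONEYPOT:
            # The honeypot should never initiate connections; this is the
            # "another way into your network" case from the post.
            alerts.append(Alert("critical", "honeypot_outbound_pivot", line))
    return alerts


def sources_that_moved_on(log_text):
    """Sources that touched the honeypot and later connected to a non-honeypot host.

    These are the sources to contain first: they did not stay stuck in the trap.
    """
    touched = set()
    moved_on = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, _, _ = parse_line(line)
        if dst == HONEYPOT:
            touched.add(src)
        elif src != HONEYPOT and src in touched:
            moved_on.add(str(src))
    return moved_on


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule}: {a.line}")
    print("sources that moved past the honeypot:", sources_that_moved_on(SAMPLE_LOG))
```

In a real deployment these rules would live in the SIEM or analytics platform rather than a script, and the severity tiers would feed the 24x7 investigation process the list above calls for; the point of the example is that the rules are simple precisely because any contact with a honeypot is, by construction, suspicious.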
While honeypots may sound like a great way of finding attackers, they often turn into IT Security's new shiny toy that quickly falls by the wayside and creates additional risk to the enterprise. There is no reason that a honeypot has to be present on your network, but if you've got the right resources in place to monitor, maintain and act on the intelligence gathered from the honeypot - it could be a very valuable asset.
Check out the full ENISA report titled "Proactive detection of security incidents II - honeypots" for the full release direct from ENISA.