There is a definite cool factor concerning the use of honeypots to hunt down an elusive hacker. Deploying a honeypot or two across your network is like creating a spy network within your organization that works undercover to help take down the bad guys.
But while a honeypot does have a place within an effective defense in depth cybersecurity strategy, it’s far from a magic bullet. In fact, their capabilities are quite limited, and it’s important to understand what those limitations are.
The primary weakness of a honeypot is that it’s oblivious to suspicious behavior that it’s not directly involved in. This fact narrows their field of visibility. A ransomware strain may be encrypting two of the hosts in a virtual server farm, but unless the honeypot is part of the direct attack, it will never give the cybersecurity team the heads up it needs.
While a next generation firewall appliance, web filter or endpoint security solution can terminate multiple threat types upon detection, a honeypot can only issue alerts. A honeypot is like a military spy that learns of an impending attack, but can’t do anything to stop it.
Designing a honeypot to snare a thief is a balancing act. Make the honeypot too noticeable or enticing, and an experienced hacker will turn suspicious and stay away. Make it too unassuming or overly secure and it may be ignored. Creating an effective honeypot is a bit of an art form, and it takes experience and training. And as with cybersecurity more generally, the people that have this expertise are in short supply.
A honeypot is a decoy—a fake—and every replica can be distinguished from the real thing in some small way. While the everyday person may not be able to differentiate genuine art from a forgery or a real diamond from a fake, there is always some expert out there that can.
Commercialized honeypots have distinguishing qualities that subtly differentiate them from actual production systems. For instance, an experienced hacker expects a Linux web server to react to a designated packet delivery in a prescribed way.
A honeypot that presents itself as a directory service server should have the substantive user accounts found in a production environment. While commercially generated honeypot solutions may fool amateurs, they probably aren’t going to deceive a top Russian ransomware gang. Hackers are aware of the growing number of honeypot solutions out there, and are learning how to identify and avoid them.
A police unit can’t lay a million dollars in the middle of the street and begin arresting people who stoop to pick up the money and run. That’s entrapment. The purpose of deploying one or more honeypots across your IT estate isn’t to arrest someone—it’s to collect information about a possible attack to learn how to effectively stop it.
What if a student within a school system launched an attack that only involved a honeypot decoy? Has the student committed a crime? What if your deployed honeypots attracted the attention of external attackers that normally would have bypassed your network entirely? In this way, honeypots can invite trouble to your network.
In the end, a honeypot is an instrument that helps complete a comprehensive toolset. It’s not the right tool for everyone, but for some networks that have the necessity for it and the skillset to support it, it can serve a useful and defined purpose.