Honeypots have been used for many years as decoys to attract attackers in order to learn who they are, what methods they use and how to respond, without endangering actual assets. By representing itself as a server or other high-value, network-attached asset, the honeypot lures attackers. In reality, the honeypot holds fictitious data, is isolated from the production network and is closely monitored for information-gathering purposes.
Honeypots are the mirror image of conventional security tools, which actively scan real network assets and collect enormous volumes of data on real activity. Honeypots, in contrast, are passive: they don't collect data on every network asset. Instead, they draw attackers in and deceive them into revealing information that can be used against them.
The honeypot concept dates back to one of the first documented computer intrusions, detailed in The Cuckoo's Egg, a book by Clifford Stoll. It tells the story of Stoll's 1980s-era hunt for a hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL). With the help of Tymnet and various government agencies, Stoll found the intrusion was coming from Germany over Tymnet and the German Datex-P network, and was apparently targeting military sites to learn about the Strategic Defense Initiative (SDI), or "Star Wars" project. To persuade the hacker to reveal himself, Stoll created a primitive honeypot: a fictitious department at LBNL with a fake "SDInet" account loaded with realistic, tempting files. The bait kept the hacker connected to this system long enough to trace him. The attack was traced to Markus Hess, who was selling stolen information to the Soviet Union's intelligence agency, the KGB.
Modern honeypots take advantage of virtualization and AI to simplify deployment. We refer to them as “high interaction honeypots” in this blog. Though more modern than the originals, in the end they are conceptually the same – complete and vulnerable assets built to be exploited for the purpose of learning.
The need for deception
Whether it’s sports, gaming or warfare, deception is critical to any successful strategy. Clearly, cyberattackers would be lost without it. If that’s the case, then why isn’t deception a mainstay in every security operations center (SOC)?
Maybe we can blame the early success and reputation of legacy honeypots.
The honeypot concept has an image problem among security professionals, many of whom hold an outdated idea of its purpose. First, honeypots are widely considered appropriate only for cyber-intelligence research, and thus are viewed as sophisticated "extras." Second, effective use of traditional honeypots involves cost and complexity, which limit an organization's ability to deploy them broadly across the network. Because the "numbers game" is not an option, defenders can't hide their assets in a crowd. As a result, honeypots are relegated to intelligence gathering rather than risk reduction and defense. And a CISO's first priority is to catch the bad guys, not learn from them.
This is a real problem in view of today's vastly expanded attack surface, which encompasses virtualization, cloud, connected IoT devices, shadow IT, remote working and IT/OT convergence. Even though virtual honeypots are simpler to deploy than physical ones, they still require isolation, licenses for the decoy assets, risk management and monitoring.
In general, honeypots have been overtaken by automated deception technology.
Among the minutiae of honeypot history is a hidden gem: the emulated honeypot. Unlike a legacy honeypot, an emulated honeypot does not expose a real, vulnerable asset to attract attackers. Instead, a single host answers for many unused addresses on the network, projecting a "hologram" of servers and devices and speaking their native protocols to attackers or malware. Since the "asset" is a hologram and not real, it is fast and easy to deploy. Suddenly the numbers game becomes an option. And the objective of this game is to catch attackers, not study them.
Unfortunately, the vendor community blurs the lines between legacy honeypots, emulated honeypots, and lures (fake files, data etc.), leading organizations to think they must choose one over the other. In reality, they are all valuable given the right use case.
Be that as it may, “honeypots” carry a brand identity that dates back to their invention. This perception has obscured the unique value of emulation.
This blog describes the history of emulated honeypots and explains how emulated devices of all kinds can serve as “traps” that go far beyond information gathering to help cybersecurity teams detect and stop an attack. Traps, which are a modern version of emulated honeypots, offer low cost, light weight and automated monitoring capability that make them highly practical for rapid, widespread deployment.
A brief history of emulated honeypots
The best-known emulated honeypot technology is Honeyd, open source software for UNIX/Linux developed by Niels Provos. It emulates the TCP/IP stacks of various operating systems (so that fingerprinting tools such as Nmap report the chosen "personality") and attaches scripted services to ports. The primary purpose of Honeyd is intrusion detection: it claims all the unused IP addresses in a network at once (typically by answering ARP requests for them) and monitors them simultaneously. Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity. In practice the only legitimate sources that should ever touch those addresses are your own vulnerability scanners and inventory tools, so those need to be excluded from alerting.
The first major release was in 2003. To put this in context, when Honeyd launched, the term "advanced persistent threat" (APT) had not yet been coined. Nor had Facebook, Gmail, the iPhone or the cloud arrived. The Internet and telecommunications had not yet converged.
Today’s IT environment is very different, and it calls for a different type of emulated honeypot.
Commercial emulated honeypots
TrapX commercialized emulated honeypots (also called medium-interaction honeypots or traps) in our DeceptionGrid™ solution. These honeypots have their own IP addresses and look like real assets to network scanning and to the first stages of an attacker's interaction, but they are not fully built-out systems that require licenses, compute and storage resources. Unlike pure or traditional honeypots, which are built for learning, emulated honeypots are built for catching attackers, which requires only enough interaction to identify the attacker and document the technique in use. The trade-off is depth: an attacker who interacts long enough may notice the emulation, which is why a trap's job is to fire early rather than to hold the attacker's attention. This lightweight and low-touch approach offers unique advantages over high-interaction honeypots:
- Broad scalability
- Rapid deployment
- Low risk because it is not a real, vulnerable asset
- Support for operational technology (OT) and Internet of Things (IoT)
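To make the Honeyd idea and the medium-interaction trap described above concrete, here is an added example that is not Honeyd's code and not TrapX's DeceptionGrid: a small asyncio decoy that binds emulated services to an address no real host uses, sends a plausible banner, captures the first bytes the client sends, and turns every contact into an alert. The service names, banners, the `DecoyServer` class and the `run_demo` helper are all hypothetical; the demo uses ephemeral ports on loopback so it runs unprivileged, whereas a real deployment would bind the real service ports on unused addresses.

```python
"""Minimal emulated (medium-interaction) honeypot in the spirit of honeyd.
Hypothetical example, not honeyd or DeceptionGrid code. Decoy services are
bound to an address no real host uses, answer with plausible banners and turn
every contact into an alert: an unused address has no legitimate clients, so
any connection is suspect by construction, and the first bytes received show
what the probe was after.
"""
from __future__ import annotations

import asyncio
from dataclasses import dataclass
from datetime import datetime, timezone

# Banner each emulated service sends on connect (constructed examples).
# An empty banner means the real protocol expects the client to speak first.
BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "http": b"",
}
READ_LIMIT = 256    # keep only the first bytes: enough to classify the probe
READ_TIMEOUT = 2.0  # seconds to wait for the client's first message


@dataclass(frozen=True)
class Alert:
    time: str
    src_ip: str
    src_port: int
    dst_port: int
    service: str
    first_bytes: bytes


class DecoyServer:
    """Listens on decoy (bind_ip, port) pairs and records every contact."""

    def __init__(self, bind_ip: str) -> None:
        self.bind_ip = bind_ip
        self.alerts: list[Alert] = []
        self.bound: dict[str, int] = {}  # service name -> port actually bound
        self._servers: list[asyncio.AbstractServer] = []

    async def start(self, services: dict[str, int]) -> None:
        for name, port in services.items():
            srv = await asyncio.start_server(
                lambda r, w, name=name: self._handle(name, r, w),
                self.bind_ip, port)
            self.bound[name] = srv.sockets[0].getsockname()[1]
            self._servers.append(srv)

    async def stop(self) -> None:
        for srv in self._servers:
            srv.close()
            await srv.wait_closed()

    async def _handle(self, service: str, reader: asyncio.StreamReader,
                      writer: asyncio.StreamWriter) -> None:
        peer = writer.get_extra_info("peername")
        local = writer.get_extra_info("sockname")
        try:
            if BANNERS[service]:
                writer.write(BANNERS[service])
                await writer.drain()
            try:
                data = await asyncio.wait_for(reader.read(READ_LIMIT), READ_TIMEOUT)
            except asyncio.TimeoutError:
                data = b""  # bare connect (port scan): still worth an alert
            self.alerts.append(Alert(
                time=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                src_ip=peer[0], src_port=peer[1], dst_port=local[1],
                service=service, first_bytes=data))
        finally:
            writer.close()


async def _probe(ip: str, port: int, payload: bytes) -> bytes:
    """Play the attacker: connect, grab any banner, send a first message."""
    reader, writer = await asyncio.open_connection(ip, port)
    try:
        try:
            banner = await asyncio.wait_for(reader.read(READ_LIMIT), 0.5)
        except asyncio.TimeoutError:
            banner = b""
        writer.write(payload)
        await writer.drain()
    finally:
        writer.close()
        await writer.wait_closed()
    return banner


async def _demo(bind_ip: str) -> tuple[dict[str, bytes], list[Alert]]:
    decoy = DecoyServer(bind_ip)
    # Port 0 = ephemeral so the demo runs unprivileged; production would bind
    # the real service ports (22, 80, 502, ...) on unused addresses.
    await decoy.start({"ssh": 0, "http": 0})
    seen = {
        "ssh": await _probe(bind_ip, decoy.bound["ssh"], b"SSH-2.0-libssh_0.9.3\r\n"),
        "http": await _probe(bind_ip, decoy.bound["http"], b"GET /admin HTTP/1.0\r\n\r\n"),
    }
    for _ in range(50):  # give the handlers up to ~1 s to record both contacts
        if len(decoy.alerts) >= 2:
            break
        await asyncio.sleep(0.02)
    await decoy.stop()
    return seen, decoy.alerts


def run_demo(bind_ip: str = "127.0.0.1") -> tuple[dict[str, bytes], list[Alert]]:
    return asyncio.run(_demo(bind_ip))


if __name__ == "__main__":
    for a in run_demo()[1]:
        print(f"{a.time} ALERT {a.src_ip}:{a.src_port} -> {a.service}/{a.dst_port} "
              f"first_bytes={a.first_bytes!r}")
```

Two design points carry over to real traps: the decoy never executes anything the attacker sends (it only records the first bytes, so there is no real vulnerable asset behind the banner), and the alert is raised on contact rather than after analysis, which is what buys the SOC lead time.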
Emulated honeypots open new opportunities for deception. Although it may seem counterintuitive, they allow you to reduce risk by expanding your attack surface with fakes. Expanding the attack surface flies in the face of conventional cybersecurity wisdom, but the strategy is very effective.
With emulation you can now play the numbers game and hide real assets in a crowd. Leading practitioners cover more than 30% of their IP portfolio with emulated honeypots. They reduce risk by making it more likely that an attacker's next probe or lateral move hits a trap, which raises an alert, than a real asset.
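As an added illustration of the numbers game (not from the original post), the functions below put numbers on it. The model is an assumption: an attacker who has not yet fingerprinted anything touches hosts in an order that is random with respect to which ones are decoys, and every touch of a decoy raises an alert. The chance of detection within k touches is then a hypergeometric tail, and the expected number of real hosts touched before the first decoy contact is n_real / (n_decoy + 1). The function names and the 70 real / 30 decoy figures are chosen for the example.

```python
"""Why decoy coverage turns scanning into a losing game for the attacker.
Added example with an assumed model: the attacker touches k distinct hosts of
a network holding n_real live hosts and n_decoy emulated honeypots, in an
order uniformly random with respect to which hosts are decoys, and every
decoy contact raises an alert.
"""
from fractions import Fraction
from math import comb


def p_detect(n_real: int, n_decoy: int, k: int) -> Fraction:
    """P(at least one of k touches lands on a decoy) = 1 - C(n_real,k)/C(total,k)."""
    if k > n_real:  # more touches than real hosts: a decoy contact is unavoidable
        return Fraction(1)
    return 1 - Fraction(comb(n_real, k), comb(n_real + n_decoy, k))


def decoys_needed(n_real: int, k: int, target: float) -> int:
    """Smallest decoy count giving P(detect within k touches) >= target."""
    if not 0 <= target < 1:
        raise ValueError("target must be in [0, 1)")
    n = 0
    while p_detect(n_real, n, k) < target:
        n += 1
    return n


def expected_real_hosts_touched(n_real: int, n_decoy: int) -> Fraction:
    """Expected real hosts touched before the first decoy contact.
    Each real host is equally likely to fall into any of the n_decoy + 1 gaps
    around the decoys, so the expectation is n_real / (n_decoy + 1)."""
    return Fraction(n_real, n_decoy + 1)


if __name__ == "__main__":
    real, decoys = 70, 30  # 30% of the address portfolio is decoys
    for k in (1, 3, 5, 10):
        print(f"{k:2d} touches: P(detect) = {float(p_detect(real, decoys, k)):.3f}")
    print("expected real hosts touched before the first alert:",
          float(expected_real_hosts_touched(real, decoys)))
    print("decoys needed for 90% detection within 10 touches:",
          decoys_needed(real, 10, 0.9))
```

With 30% coverage the first touch is a decoy with probability 0.3, but ten touches trip a trap with probability above 0.97; that is the sense in which adding fake attack surface reduces risk. The model breaks down once the attacker can tell decoys apart (by banner quirks, missing traffic, or stale data), which is why emulations must be kept current and plausible.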
Emulated honeypots are ideally suited for protecting OT and IoT. Since emulated honeypots are agentless and do not touch actual controllers and devices, and collect no sensitive information, they can sit seamlessly within a manufacturing, energy, or healthcare environment without disrupting operations.
Complementary deception tools
Emulated honeypots meet most requirements for deception, but not all. High-interaction honeypots and deceptive artifacts such as credentials, links, and files fill unique needs and complement emulated honeypots.
Rise of deception technology
Millions of connected devices (medical wearables, sensors, controllers, smart printers, cameras, coffeemakers, thermostats, toys, ATMs, etc.) have created a “wild west” of attack vectors for bad actors to exploit. There is no shortage of examples.
- The SolarWinds attack, featuring a very low malware footprint that went unnoticed for months, once again proves that attackers are likely already in your network and they know how to avoid detection.
- Recent ransomware attacks such as those on JBS Foods and Colonial Pipeline make it clear that operators of OT networks are lucrative targets: in both cases the intrusion hit IT systems, and production stopped anyway (Colonial shut its pipeline down as a precaution) because operations depend on them.
Today’s attackers exploit hard-to-defend surfaces where conventional security doesn’t work. Many attacks are proving invisible to traditional security tools, leaving systems and devices exposed.
Modern deception technology using emulated traps can help combat this new threat scenario. In fact, MITRE has introduced Shield (since succeeded by MITRE Engage), an active defense framework that features deception as a key component of a more modern cybersecurity strategy.
Deception technology gives cybercriminals a false sense of security by making them believe they have gained a foothold in the network. This trick provides lead time for organizations to take action against the attackers, while protecting real assets.
Deception technology benefits include:
- Early post-breach detection
- Easy scalability (low cost and complexity)
- Low risk to actual assets
- Compatibility with any IP addressable device
What’s old is new again
It’s time to pull emulated honeypots out of the limited context of the early 2000s and reapply them in today’s vastly different security landscape, where they belong. The perimeter is gone. IT/OT convergence, cloud, and WFH are the new normal. Attack surface coverage with broadly deployed and adaptable deception is just what the doctor ordered.