Posts

What’s the Difference Between a High Interaction Honeypot and a Low Interaction Honeypot?

A honeypot is a decoy system that is intentionally insecure, used to detect and alert on an attacker’s malicious activity. A smart honeypot solution can divert hackers from your real data center, and also allow you to learn about their behavior in greater detail, without any disruption to your data center or cloud performance.

Honeypots differ in the way that they’re deployed and the sophistication of the decoy. One way to classify the different kinds of honeypots is by their level of involvement, or interaction. Businesses can choose from a low interaction honeypot, a medium interaction honeypot or a high interaction honeypot. Let’s look at the key differences, as well as the pros and cons of each.

Choosing a Low Interaction Honeypot

A low interaction honeypot will only give an attacker very limited access to the operating system. ‘Low interaction’ means exactly that, the adversary will not be able to interact with your decoy system in any depth, as it is a much more static environment. A low interaction honeypot will usually emulate a small amount of internet protocols and network services, just enough to deceive the attacker and no more. In general, most businesses simulate protocols such as TCP and IP, which allows the attacker to think they are connecting to a real system and not a honeypot environment.

A low interaction honeypot is simple to deploy, does not give access to a real root shell, and does not use significant resources to maintain. However, a low interaction honeypot may not be effective enough, as it is only the basic simulation of a machine. It may not fool attackers into engaging, and it’s certainly not in-depth enough to capture complex threats such as zero-day exploits.

Is a High Interaction Honeypot a More Effective Choice?

A high interaction honeypot is the opposite end of the scale in deception technology. Rather than simply emulate certain protocols or services, the attacker is provided with real systems to attack, making it far less likely they will guess they are being diverted or observed. As the systems are only present as a decoy, any traffic that is found is by its very existence malicious, making it easy to spot threats and track and trace an attackers behavior. Using a high interaction honeypot, researchers can learn the tools an attacker uses to escalate privileges, or the lateral movements they make to attempt to uncover sensitive data.

With today’s cutting-edge dynamic deception methods, a high interaction honeypot can adapt to each incident, making it far less likely that the attacker will realize they are engaging with a decoy. If your vendor team or in-house team has a research arm that works behind the scenes to uncover new and emerging cyber threats, this can be a great tool to allow them to learn relevant information about the latest tactics and trends.

Of course, the biggest downside to a high interaction honeypot is the time and effort it takes to build the decoy system at the start, and then to maintain the monitoring of it long-term in order to mitigate risk for your company. For many, a medium interaction honeypot strategy is the best balance, providing less risk than creating a complete physical or virtualized system to divert attackers, but with more functionality. These would still not be suitable for complex threats such as zero day exploits, but could target attackers looking for specific vulnerabilities. For example, a medium interaction honeypot might emulate a Microsoft IIS web server and have sophisticated enough functionality to attract a certain attack that researchers want more information about.

Reducing Risk When Using a High Interaction Honeypot

Using a high interaction honeypot is the best way of using deception technology to fool attackers and get the most information out of an attempted breach. Sophisticated honeypots can simulate multiple hosts or network topologies, include HTTP and FTP servers and virtual IP addresses. The technology can identify returning hackers by marking them with a unique passive fingerprint. You could also use your honeypot solution to separate internal and external deception, keeping you safe from cyber threats that move East-West as well as North-South.

Mitigating the risk of using a high interaction honeypot is easiest when you choose a security solution that uses honeypot technology as one branch of an in-depth solution. Micro-segmentation technology is a powerful way to segment your live environment from your honeypot decoy, ensuring that attackers cannot make lateral moves to sensitive data. With the information you glean from an isolated attacker, you can enforce and strengthen your policy creation to double down on your security overall.

Sweeter than Honey

Understanding the differences between low, medium and high interaction honeypot solutions can help you make the smart choice for your company. While a low interaction honeypot might be simple to deploy and low risk, the real benefits come from using a strong, multi-faceted approach to breach detection and incident response that uses the latest high interaction honeypot technology. For ultimate security, a solution that utilizes micro-segmentation ensures an isolated environment for the honeypot. This lets you rest assured that you aren’t opening yourself up to unnecessary risk while reaping the rewards of a honeypot solution.

Using Dynamic Honeypot Cyber Security: What Do I Need to Know?

Honeypots are systems on your network that attract and reroute hackers away from your servers, trapping them to identify malicious activities before they can cause harm. The perfect decoy, they often containing false information, without providing access to any live data. Honeypots are a valuable tool for uncovering information about your adversaries in a no-risk environment. A more sophisticated honeypot can even divert attackers in real-time as they attempt to access your network.

How Does Honeypot Security Work?

The design of the honeypot security system is extremely important. The system should be created to look as similar as possible to your real servers and databases, both internally and externally. While it looks like your network, the actual honeypot is a replica, entirely disparate from your real server. Throughout an attack, your honeypot is able to be monitored closely by your IT team.

A honeypot is built to trick attackers into breaking into that system instead of elsewhere. The value of a honeypot is in being hacked. This means that the security controls on your honeypot need to be weaker than on your real server. The balance is essential. Too strong, and attackers won’t be able to make a move. Too weak, and they may suspect a trap.

Your security team will need to decide whether to deploy a low-interaction honeypot or a high-interaction honeypot. A low-interaction solution will be a less effective decoy, but easier to create and manage, while a high-interaction system will provide a more perfect replica of your network, but involve more effort for IT. This could include tools for tricking returning attackers or separating external and internal deception.

What Can a Honeypot Cyber Security System Do?

Your honeypot cyber security system should be able to simulate multiple virtual hosts at the same time, assign hackers with a unique passive fingerprint, simulate numerous TCP/IP stacks and network topologies, and set up HTTP and FTP servers as well as virtual IP addresses with UNIX applications.

The type of information you glean depends on the kind of honeypot security you have deployed. There are two main kinds:

Research Honeypot: This type of honeypot security is usually favored by educational institutions, researchers and non-profits. By uncovering the motives and behavior of hackers, research teams such as Guardicore Labs can learn the tactics the hacking community are using. They can then spread awareness and new intelligence to prevent threats, promoting innovation and collaboration within the cyber security community.

Production Honeypot: More often used by enterprises and organizations, production honeypot cyber security measures are used to mitigate the risk of an attacker on their own network, and to learn more about the motives of bad actors on their data and security.

These honeypots have one particular element in common: the drive to get into the mind of the attacker and recognize the way they move and respond. By attracting and tracking adversaries, and wasting their time, you can reinforce your security posture with accurate information.

What are the Benefits of Honeypot Security?

Unlike a firewall, a honeypot is designed to identify both internal and external threats. While a firewall can prevent attackers getting in, a honeypot can detect internal threats and become a second line of defense when a firewall is breached. A honeypot cyber security method therefore gives you greater intelligence and threat detection than a firewall alone, and an added layer of security against malware and database attacks.

As honeypots are not supposed to have any traffic, all traffic found is malicious by its very existence. This means you have unparalleled ease of detection and no anomalies to question before you start learning about possible attacks. This system provides smaller datasets that are entirely high-value, as your IT and analytics team does not have to filter out legitimate traffic.

Honeypot security also puts you ahead of the game. While your attackers believe they have made their way into your network, you have diverted their attacks to a system with no value. Your security team is given early warning against new and emerging attacks, even those that do not have known attack signatures.

Making Valuable Use of Honeypot Security

More recently, sophisticated honeypots support the active prevention of attacks. A comprehensive honeypot security solution can redirect opportunistic hackers from real servers to your honeypot, learning about their intentions and following their moves, before ending the incident internally with no harm done.

Using cutting-edge security technology, a honeypot can divert a hacker in real-time, re-routing them away from your actual systems and to a virtualized environment where they can do no harm. Dynamic deception methods generate live environments that adapt to the attackers, identifying their methods without disrupting your data center performance.

You can then use the information you receive from the zero-risk attack to build policies against malicious domains, IP addresses and file hashes within traffic flows, creating an environment of comprehensive breach detection.

It’s important to remember that a high-interaction honeypot without endpoint security could be used as a launch pad for attacks against legitimate data and truly valuable assets. Honeypots are intended to invite attackers, and therefore add risk and complexity to your IT ecosystem. As with any tool, honeypots work best when they are integrated as part of a comprehensive solution for a strong security posture. The best cyber-security choice for your organization will incorporate honeypots as a detection and prevention tool, while utilizing additional powerful security measures to protect your live production environment.

Virtualization and Cloud review comment that while honeypots and other methods of intrusion detection “are usable in a classical environment, they really shine in the kinds of highly automated and orchestrated environments that make use of microsegmentation.”

Honeypot security systems can add a valuable layer of security to your IT systems and give you an incomparable chance to observe hackers in action, and learn from their behavior. You can gather valuable insight on new attack vectors, security weaknesses and malware, using this to better train your staff and defend your network. With the help of micro-segmentation, your honeypot security strategy does not need to leave you open to risk, and can support an advanced security posture for your entire organization.

Deception Technology Grows and Evolves

Deception technologies such as honeypots are becoming increasingly popular with enterprises as the products get more flexible and the tools allow security analysts swamped with incident reports to zero in on cases of actual ongoing infiltration. According to a report released in August by research firm Technavio, the deception technology market is growing at a compound annual growth rate of 9 percent, and is predicted to reach $1.33 billion by 2020.

Deception-Based Security Gains Steam as GuardiCore Raises $20m

Organizations have historically dealt with breach attempts by trying to block the hacker as fast as possible and only stopping to investigate after the fact. But now, the security community is starting to adopt a new approach: Letting attacks play out in controlled conditions to gain a deeper understanding of the threat. The method is being popularized mainly by emerging startups like Israel’s GuardiCore Ltd., which raised $20 million in funding this morning to fuel its efforts.

A New Cloud Security Unicorn Will Rise From The Cybersecurity Ashes

CISOs developing a roadmap to secure their cloud environments should be prepared for significantly more orchestration work than for securing SaaS. With the extra work will come significant rewards. Bold CIOs and CISOs will take a leap of faith and partner with security innovators to orchestrate their own cloud security systems. GuardiCore and deception technology is listed as one of them.

Yup, We Can See It Coming

On December 17th, 2015 Juniper issued an advisory indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues; a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. There are speculations that the backdoor was installed by “State Sponsored” actors.  Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. (So much for Government efficiency hiding their actions)

To read more, click here

Pay No Attention to the Man Behind the Curtain!

How do you detect a security breach inside your network? How do you collect the necessary intelligence to protect your assets properly? Sun Tzu, author of The Art of War, said that convincing your opponents to unveil their identity without knowing that they are being watched is one of the most important keys to winning a war. Attack deception is one of the best techniques to make attackers unveil their identity and gain valuable intelligence. While it is not new, advanced attack deception methods take advantage of Sun Tzu’s strategy.

Read more

Caught red handed – Alex

Opportunistic hackers are far from the limelight these days but they still exist and can cause large amounts of damage if they manage to break into your systems. We’ve recently observed our Data Center Security Suite catch such a hacker, an “Alex” from Romania who has kindly enough supplied his own name and private domain for publicity.

Read more

Gartner: Threat Deception Promises to Deliver Game-Changing Impact

Earlier this month, Gartner released a new research* focusing on threat deception technologies.

Gartner finds deception an attractive new capability for larger organizations desiring advanced threat detection and defense solutions. According to Gartner, new deception techniques and capabilities “promise to deliver game-changing impact on how threats are faced.”

For us at GuardiCore, this is not surprising. During the past months we have been working closely with our customers and witnessed how the GuardiCore solution is “changing the game” with automated, real-time threat detection and response inside datacenters and clouds. Read more