Honeypots: A walk down memory lane

Honeypots have been around for quite some time now as decoy servers to lure hackers into compromising their systems so that security professionals can study them and learn how to defend against attacks. By pretending to be an important system, the Honeypot attracts hackers to compromise it. In fact, the Honeypot pretends to be something else entirely, usually a server running a fake operating system. It’s then isolated from the rest of the internet and closely observed by security experts. 

Honeypots are essentially mirrors of real networks. They passively monitor traffic and record what happens. Unlike active scanners, Honeypots do not actively probe targets. Instead, they lure attackers and trick them into revealing valuable details about themselves. 

The Honeypot idea dates back to the first true cyber war in 1983, when an American researcher named Cliff Stoll discovered a hole in a network at Lawrence Berkeley National Laboratory. He called it the “Honeypot” because he thought it would lure hackers into thinking they were getting something valuable. But instead of being lured in, the hackers attacked the honey pot, and Stoll learned how to defend against them. In his book, Stoll describes how he used a program called Honeytongue to track down the source of the attacks. When he found out that the hackers had come from West Germany, he went to the Federal Bureau of Investigation (FBI) and asked if they could get him a German translator. They did, and then sent Stoll to Europe to find the hackers. After tracking them down, Stoll persuaded them to give him access to their computers so he could figure out what they were doing. What he found was that the Russians were trying to steal Star Wars secrets. Stoll turned the tables on the Russians and got them arrested. 

Fast forward today, as advanced and sophisticated cybercrime mounts, conventional Honeypot technology has vastly evolved since its original inception. 

The need for deception 

Whether it’s sports, gaming or warfare, deception is critical to any successful strategy. Clearly, cybersecurity researchers would be lost without it. If that’s the case, then why isn’t deception a mainstay in every security operations center (SOC)? 

Legacy Honeypots may be partly responsible for their early success and reputation. Today, modern deception technology is useful for more than cyber-intelligence only; it’s also a great tool for reducing risks and mitigating attacks. Unlike traditional Honeypots, modern deception tools are inexpensive to set up and maintain, and they require minimal effort to configure and manage. And it doesn’t have to be fancy—it can be as simple as a single computer running a Linux operating system. By hiding valuable information in plain sight, modern deception solutions help organizations detect attackers before they do any damage, thereby saving money and resources. And because they can be deployed anywhere on your network, they allow you to see what attackers are doing without having to spend time monitoring every device. 

The vast expansion of our attack surface exposes us to bigger threats today, encompassing virtualized environments, clouds, Internet of Things (IoT) connected appliances, remote working and IT / OT convergence. Virtual deception solutions are easier to deploy than physical ones, they come with isolation capabilities, licensing for the decoy assets, as well as security and compliance built-in the solution. Therefore, the classical Honeypot has been overtaken largely by modern and automated deception technologies. 

Threat Sensors 

Unlike Legacy Honeypots, Threat Sensor do not expose actual assets to lure attacks. They are emulated decoys that provide medium interaction capabilities to attackers. Instead, they act as a master translator/communicator on the networks that project a “Hologram” of servers and device and speak their native languages to attackers or malware. Since the “assets” are holograms mimicking real objects, they are fast and easy to deploy. Suddenly the number game turns into an advantage to the defensive side and the objective of deception becomes to detect and remediate attacks – not to study them. 

Unfortunately, the vendor communities blur the lines between detection systems, emulation systems, and lure generation systems, leading companies to believe they must pick one over another. However, they are all valuable and when used correctly will function in an enhancing conformity. 

Regardless of whether Honeypots are good or bad for business, they’re not new. Their reputation has been vested by history. Emulations, however, carry a different kind of value, delivering new technological possibilities. 

Threat Sensors are a type of deception that uses emulation technology to mimic real assets with minimal outlay. Security professionals are enabled to identify threat actors that target their systems and networks. They provide lightweight deployment at a low cost and automatic detection capabilities. 

A brief history of Honeypots 

The best-know Honeypot technology is Honeyd open-sourced code for Unix/Linux, which was originally written and is currently being maintained by Neil Proverbs. It can emulate various operational systems and services at the TCP / IP stack level. Its primary purpose is to detect intrusions by watching all the unused IP addresses in a network simultaneously. Attempted connections to unused IP addresses are presumed to be unauthorized or malicious activities. 

The first major release occurred in 2003. Back then, advanced persistent threats (aka. APTs) were unheard of. Neither did Facebook, LinkedIn, Google, iPhones, nor the cloud exist. The internet and telecommunication networks hadn’t yet converged. Today’s IT environments are very different, and they call for a different kind of Honeypot. 

Commercial emulators Honeypots 

Metallic® ThreatWise™ deception technology introduces Threat Sensors (also called emulated or medium interaction decoys). These Sensors are linked via the network layer of the TCP stack level to the organizational network, meaning they have an IP. They are indistinguishable from real assets, and do not require licenses and computing resources. Unlike traditional Honeypots, that are built for learning, Threat Sensors are designed to catch attackers. The detection of threat actors requires only enough interaction to indisputably identify malicious activity, as well as clear documentation of techniques used. The Threat Sensors are built on a lightweight and low-touch approach, offering unique advantages over full interaction Honeypot: 

• Broad scalability 
• Rapid deployment 
• Low risk, as emulations aren’t real assets
• Agentless 
• OT and IoT support 

Threat Sensors open up new opportunities for the defensive side, allowing you to expand your early warning capabilities by increasing your (fake) attack surface. It goes beyond conventional cybersecurity wisdom, but it works! 

Emulation makes it easier for attackers to target fake assets instead of real ones. Risk is reduced instantly as adversaries are less likely to reach the real target. 

Emulated assets are ideal for securing complex IT infrastructure, including OT, IoT, and industry unique assets because they’re agentless and don’t have a touch point with any real devices. They observe traffic patterns, gather information from them and occupy attackers’ resources. Because they don’t interact with anything real, they can be deployed seamlessly into an existing network without affecting normal operation. 

Rise of deception technology 

With millions of connected devices, bad actors find countless ways to hack into them. Today’s attackers exploit vulnerabilities in software and hardware that are difficult for traditional anti-virus programs to detect. These vulnerabilities leave computers and networks open to being attacked. 

Deception technology can be used to counter cyberattacks. The MITRE organization has developed a new framework called Shield which uses deception to defend against APTs. 

Cybersecurity deception technologies give cyber criminals a false sense of safety, allowing them to interact with deceptive network assets which feel real to an attacker. These tricks protect real assets from attack while occupying threat actors’ resources to give organizations enough time to respond. 

Deception technology benefits include: 

• Early threat detection 
• Compatibility with any IP addressable devices 
• Fast scalability  
• Efficiency in cost 

What’s old is old again 

It’s time to bring back deception into the modern era. We’ve moved past the days of the early 2000s when Honeypots were only used for intelligence purposes. Today, we’re seeing Honeypots being used across multiple networks, including public clouds, virtualized environments, and remote offices. Threat Sensors can be used to detect threats in these new environments and enhance the techniques of the early 2000s to the modern work environment. 

Visit Metallic.io to learn more.