It is important for security practitioners to have a clear understanding of current and emerging cyber threats to their enterprise. One of the tools available to them (but seldom used) is the deployment of honeypots as bait in their environment.
Honeypots as a security technology have existed since 2000; they were advances on earlier solutions such as a (chroot) jail, as described in the 1991 path-breaking paper by B. Cheswick, “An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied”.
Honeypots, however, did not gain wide acceptance, as they did not yield commensurate benefits, being cumbersome to deploy and manage within an enterprise environment. On the other hand, they became excellent tools for researchers to study and observe attackers.
This technology has today matured into a full-blown enterprise solution with easy-to-deploy sensors (or honeypots). It is therefore not surprising that one of the solution providers blogs about it under the catchy headline “Dynamic Deception Operations: It’s Not Your Daddy’s Honeypot”. Analysts have taken note of the maturity in this space: Gartner published a report, “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities”, in Jul 2015 and refreshed it in Sep 2016.
Gartner divides the enterprise environment into four layers, which it calls the deception stack: network, endpoint, application, and data. Leading vendors in this space provide solutions with features such as:
- Full-stack deception
- Dynamically created content
- Targeted threat intel collection
- Rapid forensic triage
- Smart / rule-based integrations
- Machine learning for attack analysis
- Visual attack reconstruction
When used to improve the detection capabilities of a SIEM solution, this technology is claimed to give the security analyst the much-needed capability to disrupt the kill chain. Obviously, this solution is now ready for a field trial (or a PoC) within mature enterprises to test that claim.
I am looking for insights from anyone who has implemented such a solution, and the benefits they accrued.