According to Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities, released by Gartner in 2015, “Deception technologies are defined by the use of deceit and/or feints designed to thwart or throw off an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or disrupt breach progression. Deceptions are achieved through use of deceitful responses, purposeful obfuscations, feints, misdirections and other falsehoods.” Gartner also forecast the market for deception-based defenses, predicting that 10 percent of enterprises would use deception tools or tactics to counter cyberattacks by 2018.
Honeypot technology is, at its core, a way of deceiving attackers. By deploying hosts, web services, or pieces of information as bait, defenders can capture and analyze attack behavior, learn the attacker’s tools and methods, and infer intent and motive. This gives defenders a clear picture of the threats they actually face and lets them strengthen the protection of production systems through both technical and managerial measures.
Honeypots are not new; the technique has been around for years. As a rather “traditional” security technology, its value went unrecognized by most enterprises because it was rarely put to practical use: for a long time it was mostly applied by security researchers to capture attacks and study them on a small scale.
Today, the passive perimeter defenses of most financial institutions are fairly mature. But after the string of security incidents in recent years, security managers at financial organizations are paying more attention to the completeness of their overall security architecture, and in particular to how to deal with APT attacks and internal threats, which has become a pressing need.
Honeypots address exactly this gap. Because they work by deceiving the attacker into touching bait, every interaction they capture yields the attack behavior, tooling, and intent that the defender can fold back into their own defenses. In that sense a honeypot is an active defense measure rather than a passive one.
- About Honeypot Technology
Classified by how they are implemented, honeypots fall into passive honeypots and active deceptive honeypots.
Passive honeypots are typically implemented by simulating services such as a vulnerable web service, an SSH service, an RDP service, or an ES service; some are implemented as trap files or trap databases instead. Their defining characteristic is that they produce nothing until an attacker discovers and probes them, so sensible placement is the key to an effective passive honeypot deployment.
An active deceptive honeypot, by contrast, generates simulated normal traffic and seeds it with content of interest to an attacker, such as usernames and passwords, in order to lure the attacker into visiting the trap service and leaving a trace there. The bait must be unique and never valid on any real system, so that any later use of it is unambiguous evidence of an attacker. Active deceptive honeypots are mainly aimed at attackers who try to harvest sensitive information by sniffing the intranet.
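The mechanism described above, as an added example that is not code from the original article or from any vendor product: each monitored host is issued its own decoy username/password, derived from an operator secret so the pairs are unguessable but reproducible; a bait generator on that host sends the pair in plaintext towards a decoy service (a fake FTP login is assumed here), and any later login with that pair at the decoy is attributed back to the host whose traffic was sniffed. The operator key, host names, log format and log lines are all constructed for the example.

```python
"""Bait credentials for an active deceptive honeypot (added example)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed operator secret; load it from a vault in production. If it leaks,
# an attacker can recognise (and avoid) the bait.
OPERATOR_KEY = b"replace-me-with-a-random-32-byte-secret"


def bait_credentials(host: str, key: bytes = OPERATOR_KEY) -> Tuple[str, str]:
    """Deterministic decoy username/password for one monitored host."""
    digest = hmac.new(key, host.encode(), hashlib.sha256).hexdigest()
    user = f"svc_{digest[:6]}"        # looks like an ordinary service account
    password = f"Bk{digest[6:18]}!"   # satisfies typical complexity rules
    return user, password


def bait_login(host: str, decoy_server: str) -> str:
    """The plaintext login the bait generator emits from host (FTP-style)."""
    user, password = bait_credentials(host)
    return f"{host}->{decoy_server} USER {user}\r\nPASS {password}\r\n"


@dataclass
class Alert:
    src_ip: str
    user: str
    sniffed_host: str        # host whose bait was replayed
    password_correct: bool   # False: the attacker only saw the username


# Assumed log format of the decoy service (constructed for this example).
AUTH_RE = re.compile(r"login src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+)")


def detect(auth_log: List[str], hosts: List[str]) -> List[Alert]:
    """Attribute decoy-service logins to the host whose bait they reuse."""
    by_user = {}
    for h in hosts:
        u, p = bait_credentials(h)
        by_user[u] = (h, p)
    alerts = []
    for line in auth_log:
        m = AUTH_RE.search(line)
        if not m or m["user"] not in by_user:
            continue   # unknown user: still a decoy hit, but not attributable
        host, pw = by_user[m["user"]]
        ok = hmac.compare_digest(pw.encode(), m["pw"].encode())
        alerts.append(Alert(m["src"], m["user"], host, ok))
    return alerts


# Constructed sample: three monitored hosts and a few decoy-FTP log lines.
HOSTS = ["ws-finance-17", "ws-finance-18", "db-jump-01"]
_u17, _p17 = bait_credentials("ws-finance-17")
_u01, _ = bait_credentials("db-jump-01")
SAMPLE_LOG = [
    f"2024-03-01T09:12:03Z decoy-ftp login src=10.20.4.77 user={_u17} pass={_p17}",
    f"2024-03-01T09:12:09Z decoy-ftp login src=10.20.4.77 user={_u01} pass=guess123",
    "2024-03-01T09:13:00Z decoy-ftp login src=10.20.9.5 user=admin pass=admin",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, HOSTS):
        print(a)
```

Running the sample attributes both attempts from 10.20.4.77 to the hosts whose bait was replayed (one with the full password, one with only the username), which tells the responder which segment is being sniffed; the unrelated admin/admin attempt is still a decoy hit but cannot be attributed.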
Classified by the degree of interaction they offer the attacker, honeypots are usually divided into high-interaction and low-interaction honeypots.
High-interaction honeypots provide a real system environment, or a very faithful emulation of one. Because they are so convincing, they record far more of an attacker’s activity and behavior. Their drawbacks are equally obvious: a real system can itself be compromised and used as a springboard into the rest of the network, and they are too expensive to deploy widely, which limits their value in practice.
A low-interaction honeypot simulates only a service, or plants trap files, so it captures only limited attack behavior (usually just what is aimed at the simulated service). In practice, low-interaction honeypots are packaged as micro honeypots. Vendors in this space usually make micro honeypots distributed, so that they can be deployed directly on business servers or office terminals. Although a micro honeypot can be seen as a stripped-down high-interaction honeypot, it becomes very useful when deployed widely and combined with appropriate hiding techniques.
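What “simulating only a service” looks like in code, as an added example that is not from the article or any vendor: a minimal FTP decoy that speaks just enough of RFC 959 to make a scanner or intruder reveal a username and password, then refuses every login. Nothing is ever granted, so the decoy cannot become a springboard, which is what makes this design safe to run on many servers and office machines. The banner string, timeouts and the scripted client are assumptions constructed for the example.

```python
"""Minimal low-interaction FTP decoy, i.e. a micro honeypot (added example)."""
import socket
import threading
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BANNER = b"220 (vsFTPd 3.0.3)\r\n"   # assumed; match a server type that exists in your estate
MAX_LINES = 50                       # enough to capture credentials; cuts off floods
IDLE_TIMEOUT = 60                    # seconds before an idle client is dropped


@dataclass
class Session:
    peer: str
    pending_user: Optional[str] = None
    attempts: List[Tuple[str, str]] = field(default_factory=list)  # (user, password) offered
    commands: List[str] = field(default_factory=list)              # raw client lines


def handle_line(session: Session, line: str) -> Tuple[bytes, bool]:
    """Apply one client command; returns (reply, keep_connection_open)."""
    session.commands.append(line)
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "USER":
        session.pending_user = arg
        return b"331 Please specify the password.\r\n", True
    if cmd == "PASS":
        session.attempts.append((session.pending_user or "", arg))
        session.pending_user = None
        return b"530 Login incorrect.\r\n", True   # always refuse
    if cmd == "SYST":
        return b"215 UNIX Type: L8\r\n", True
    if cmd == "QUIT":
        return b"221 Goodbye.\r\n", False
    return b"530 Please login with USER and PASS.\r\n", True


def alert(session: Session) -> dict:
    """One record per session: any contact with a decoy deserves a ticket."""
    return {
        "src": session.peer,
        "credential_attempts": list(session.attempts),
        "commands": len(session.commands),
        "severity": "high" if session.attempts else "medium",
    }


def simulate(peer: str, client_lines: List[str]) -> Tuple[Session, List[bytes]]:
    """Run the protocol state machine offline against a scripted client."""
    session, replies = Session(peer), [BANNER]
    for line in client_lines[:MAX_LINES]:
        reply, keep_open = handle_line(session, line)
        replies.append(reply)
        if not keep_open:
            break
    return session, replies


def serve(conn: socket.socket, peer: str, sink: list) -> None:
    """Drive handle_line over a real TCP connection, then record the alert."""
    session, buf = Session(peer), b""
    conn.settimeout(IDLE_TIMEOUT)
    try:
        conn.sendall(BANNER)
        while len(session.commands) < MAX_LINES:
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                reply, keep_open = handle_line(session, raw.decode("latin-1"))
                conn.sendall(reply)
                if not keep_open:
                    return
    except OSError:
        pass                                  # timeout or reset: still worth an alert
    finally:
        conn.close()
        sink.append(alert(session))


def start_decoy(bind: str = "0.0.0.0", port: int = 21) -> Tuple[int, list]:
    """Listen in a daemon thread; returns (bound port, list that receives alerts).
    Port 21 needs root or CAP_NET_BIND_SERVICE; pass port=0 for an ephemeral port."""
    sink: list = []
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen()

    def accept_loop() -> None:
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=serve, args=(conn, addr[0], sink), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], sink


# Constructed scripted client, the sort of sequence a brute-forcer sends.
SCRIPTED_CLIENT = ["SYST", "USER admin", "PASS admin123", "USER root", "PASS toor", "QUIT"]
```

The protocol logic lives in `handle_line`, so it can be exercised offline with `simulate("203.0.113.9", SCRIPTED_CLIENT)`; `start_decoy` wraps the same function in a real listener for deployment. The hard cap on lines and the idle timeout matter on a busy office segment, where an unbounded session would otherwise let a noisy scanner tie up the host.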
- Recommended Ways of Deployment
As mentioned above, micro honeypots can be deployed directly on business servers and on office network terminals. Given the characteristics of the financial sector, they are most often deployed on the office network, which is the part of the estate most easily turned into a springboard. On one hand, this avoids any interference with business servers. On the other, deploying micro honeypots is a “human wave tactic” in an asymmetric network war: it combines the safety of low-interaction service simulation with the reach of distributed deployment.
If a financial enterprise’s security managers do want to deploy micro honeypots on business servers, they should choose the deployment pattern that maximizes the honeypots’ value while minimizing interference with the business. Financial institutions can deploy honeypots according to their own circumstances; in general, we recommend placing them around vulnerable business servers and around servers that hold core business data.
- Application Value of Micro Honeypots
First of all, the alerts a honeypot produces are of a different nature. Unlike security products such as WAF and IPS, honeypots usually generate alerts of high value, because no legitimate user has any reason to touch a honeypot. In my opinion, where honeypots are deployed on an intranet, it is worth the security managers’ while to track every alert and complete the closed-loop security management.
Second, set up a separate network zone in which the services simulated by micro honeypots are exposed to the Internet, isolated from production. Used as one of the enterprise’s threat intelligence sources, this zone can feed indicators to security devices so that attackers are actively blocked, effectively making up for some deficiencies of the passive defense system.
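Feeding the Internet-facing zone’s alerts to blocking devices is simple in principle, but the feed needs a few safeguards. The following is an added example, not from the article or any vendor: it aggregates alert records per source address, keeps hit counts and first/last seen, expires stale entries, refuses to block internal ranges or the organisation’s own scanner, and renders the result as a plain one-address-per-line list of the kind perimeter firewalls import as an external dynamic list. The alert shape (`src`, `ts`, `credential_attempts`), the scanner address and the sample alerts are all constructed assumptions.

```python
"""Turn micro-honeypot alerts into a blocklist feed (added example)."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed allowlist: RFC 1918 space plus the egress address of our own
# vulnerability scanner (198.51.100.7 is a placeholder for this example).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.7/32")]
DEFAULT_TTL = timedelta(days=7)   # stop blocking a source a week after its last hit


def blockable(ip: str) -> bool:
    """Only routable unicast addresses outside the allowlist may be blocked."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in NEVER_BLOCK)


def build_feed(alerts: List[dict], now: datetime, ttl: timedelta = DEFAULT_TTL) -> List[Dict]:
    """Aggregate alerts per source IP; drop allowlisted and expired entries."""
    entries: Dict[str, Dict] = {}
    for a in alerts:
        ip = a["src"]
        if not blockable(ip):
            continue
        seen = datetime.fromisoformat(a["ts"])
        e = entries.setdefault(ip, {"ip": ip, "first_seen": seen, "last_seen": seen,
                                    "hits": 0, "credentials": 0})
        e["hits"] += 1
        e["credentials"] += len(a.get("credential_attempts", []))
        e["first_seen"] = min(e["first_seen"], seen)
        e["last_seen"] = max(e["last_seen"], seen)
    live = [e for e in entries.values() if now - e["last_seen"] <= ttl]
    return sorted(live, key=lambda e: (-e["hits"], e["ip"]))   # noisiest first


def render_edl(feed: List[Dict]) -> str:
    """One address per line, the external dynamic list format firewalls import."""
    return "".join(e["ip"] + "\n" for e in feed)


# Constructed sample alerts (same shape the decoy's alert() would emit, plus a timestamp).
NOW = datetime.fromisoformat("2024-03-08T00:00:00+00:00")
SAMPLE_ALERTS = [
    {"src": "203.0.113.9", "ts": "2024-03-07T22:10:00+00:00",
     "credential_attempts": [("admin", "admin123"), ("root", "toor")]},
    {"src": "203.0.113.9", "ts": "2024-03-07T22:11:30+00:00",
     "credential_attempts": [("ftp", "ftp")]},
    {"src": "203.0.113.9", "ts": "2024-03-05T03:00:00+00:00", "credential_attempts": []},
    {"src": "198.51.100.7", "ts": "2024-03-07T01:00:00+00:00", "credential_attempts": []},  # own scanner
    {"src": "10.20.4.77", "ts": "2024-03-07T09:12:03+00:00", "credential_attempts": []},    # internal host
    {"src": "192.0.2.44", "ts": "2024-02-01T12:00:00+00:00", "credential_attempts": []},    # stale
]

if __name__ == "__main__":
    print(render_edl(build_feed(SAMPLE_ALERTS, NOW)), end="")
```

On the sample, only 203.0.113.9 reaches the feed: the scanner and the internal host are allowlisted and the month-old source has expired. The allowlist is the part worth getting right before automating any block, since a decoy that is also scanned by the organisation’s own tooling, or reached through a NAT gateway, will otherwise cause the feed to lock out legitimate infrastructure.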
The above is only a brief discussion of how micro honeypot systems can be applied in the financial sector. We look forward to exchanging ideas with you on more diverse applications of the system.