Because of increasingly complex evasion techniques, and because protocols now use encryption to prevent eavesdropping, intrusion detection systems provide less and less useful information and have higher and higher false-positive rates. Honeypot technology can help solve some of these problems. Honeypots have been developed as a security tool for nearly 20 years. In January 1991, a group of Dutch hackers tried to enter a system at Bell Labs. A research team at Bell Labs led the hackers into a “digital sandbox” that the team controlled. This is considered the first application of honeypot technology.
The value of a honeypot is measured by the information it yields: by monitoring the data flowing in and out of the honeypot, we can collect information that a NIDS cannot. For example, even if encryption protects the network traffic, we can still record keystrokes in an interactive session on the honeypot itself. To detect malicious behavior, intrusion detection systems require known attack signatures, so unknown attacks usually go undetected. Honeypots, on the other hand, can detect unknown attacks: by observing the network traffic leaving the honeypot, we can detect that a vulnerability is being exploited even if the exploit has never been seen before. Because a honeypot has no production value, any attempt to connect to it is considered suspicious. Analyzing the data collected by a honeypot therefore produces fewer false alarms than analyzing the data collected by an intrusion detection system, and most of the data we collect from a honeypot helps us understand the attack.
Honeypot deployment methods and bait complexity vary. One way to classify different types of honeypots is by their degree of participation or interaction:
- High-interaction honeypots are usually built on real application environments and provide real services. A high-interaction honeypot can collect a large amount of information and capture a wide range of attacker behavior, which gives it the ability to discover new attack and exploitation methods. Because high-interaction honeypots offer the attacker a fairly realistic environment, they carry greater risk, and their design usually focuses on data control (containing what the attacker can do from the honeypot).
- Low-interaction honeypots usually provide only a small number of interactive functions. They monitor connections and record packets on specific ports, which is enough to detect port scanning and brute-force attempts. A low-interaction honeypot has a simple structure and is easy to install and deploy. Because the level of simulation is low and the functions are few, the information collected is limited, but the risk is also low.
- High-interaction honeypots can be completely compromised, allowing adversaries to gain full access to the system and carry out further network attacks from it. In contrast, low-interaction honeypots only simulate some services, and attackers cannot use these simulated services to gain full access to the honeypot. Low-interaction honeypots are more restricted, but they help gather information at a higher level: for example, understanding network probing or worm activity. They can also be used to analyze spam or to proactively protect against worms.
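The two points above that matter most in practice are that a honeypot has no legitimate users, so every connection is an alert by itself, and that a low-interaction honeypot only needs to log connections and packets on a few ports to detect port scans and brute-force attempts. The following Python is an added example, not LIFARS code and not part of the original post: a minimal low-interaction handler that sends a fake banner and logs whatever arrives, plus the analysis that turns the resulting event log into alerts. The banner string, the IP addresses, the port list and the thresholds (5 distinct ports in 60 s for a scan, 10 payloads on one port in 300 s for brute force) are all constructed assumptions for illustration.

```python
import socket
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # epoch seconds
    src: str         # source IP address
    port: int        # honeypot port that was contacted
    kind: str        # "connect" or "payload"
    detail: str = "" # first bytes sent by the client, if any


# Constructed fake banner (assumption): makes the port look like a real service.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def handle_connection(conn, src, port, events, ts):
    """Emulate a service on one accepted socket: send a banner, read one
    chunk, log both the connection and the payload, then close.
    Nothing real is served, so every event here is suspicious by definition."""
    events.append(Event(ts, src, port, "connect"))
    try:
        conn.sendall(BANNER)
        data = conn.recv(1024)
    except OSError:
        data = b""
    if data:
        text = data.decode("utf-8", "replace").strip()[:80]
        events.append(Event(ts, src, port, "payload", text))
    conn.close()


def find_port_scans(events, window=60.0, min_ports=5):
    """Return {src: distinct_ports} for sources that touched at least
    min_ports different honeypot ports within any window of `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e.kind == "connect":
            by_src[e.src].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            ports = {x.port for x in evs[i:] if x.ts - start.ts <= window}
            if len(ports) >= min_ports:
                scanners[src] = len(ports)
                break
    return scanners


def find_brute_force(events, window=300.0, min_attempts=10):
    """Return the set of (src, port) pairs that sent at least min_attempts
    payloads to the same port within any window of `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        if e.kind == "payload":
            by_key[(e.src, e.port)].append(e.ts)
    hits = set()
    for key, stamps in by_key.items():
        stamps.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(stamps):
            while t - stamps[j] > window:
                j += 1
            if i - j + 1 >= min_attempts:
                hits.add(key)
                break
    return hits


def alerts(events):
    """Every source that connected is an alert (the honeypot has no legitimate
    users); scans and brute force are escalated separately."""
    return {
        "sources": sorted({e.src for e in events if e.kind == "connect"}),
        "port_scans": find_port_scans(events),
        "brute_force": sorted(find_brute_force(events)),
    }


def sample_events():
    """Constructed honeypot log (not real data): one port scanner,
    one SSH brute-forcer, and one stray single connection."""
    ev = []
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):
        ev.append(Event(1000.0 + i * 2.5, "10.0.0.5", p, "connect"))
    for i in range(12):
        ev.append(Event(2000.0 + i * 10, "10.0.0.9", 22, "connect"))
        ev.append(Event(2000.0 + i * 10, "10.0.0.9", 22, "payload", f"root:pass{i}"))
    ev.append(Event(3000.0, "10.0.0.7", 80, "connect"))
    return ev


if __name__ == "__main__":
    print(alerts(sample_events()))
```

In a real deployment `handle_connection` would be called from an `accept()` loop bound to the decoy ports, with `ts` taken from the clock and the event list flushed to durable storage off-box, so that an attacker who does reach the honeypot cannot erase the record. Note that the single connection from 10.0.0.7 is reported even though it matches neither pattern, which is exactly the low-false-positive property the text describes.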
LIFARS’ Managed Incident Response Solution premieres our optimized CyberSecurity combo-offering, which features ongoing expert incident response, forensics, and remediation, with additions that include proactive threat hunting services. Enhance your existing SOC’s effectiveness with expert incident response, forensics, remediation, proactive threat hunting and more. Our Managed Response & Remediation Threat Hunting Service is coupled with the MRR Solution to conduct hunts on a monthly, quarterly, or annual basis, leveraging our unique experience with public and non-public TTPs and IOCs. We leverage the latest IOCs and data analytics algorithms based on the Tactics, Techniques, and Procedures that attackers are known to use. We utilize Machine Learning, Artificial Intelligence, Behavioral Forensic Artifacts, and Threat Intelligence to detect ongoing or zero-day cyberattacks and Advanced Persistent Threats (APTs). MRR Threat Hunting Process:
- We define key objectives for each hunt mission we engage in.
- Our experts interrogate and collect security data from your SOC and from alerts we have actioned.
- We conduct investigations to uncover IOCs, malicious patterns, symptoms, and adversarial Tactics, Techniques and Procedures.
- We deliver deeper insights and reporting to provide optimal recommendations.