Celebrating the 30th Anniversary of Honeypots
Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks – The word “honeypot” has a specific connotation. Within the world of cybersecurity, it generally refers to a trap set for an attacker, designed to lure them into revealing their intent to attack the network. Unfortunately, it is also a word that sounds outdated, or that suggests something complex with a high grief-to-reward ratio. However, this technology has come a long way since the early days of the honeypot in the 1990s. The ongoing cat-and-mouse game between attackers and defenders necessitates constant evolution and improvement, which means that the concepts behind honeypot technology are limited in value and will never have broad appeal – or so one might think!
The truth is that in many ways, honeypot technology lives on. Its modern form, the distributed deception platform, has clearly changed, with its techniques becoming more advanced. It now incorporates not only decoys and lures, but also the ability to hide the production assets themselves. Modern deception technology owes quite a bit to those early honeypot concepts. However, today’s cyber deception barely resembles what was seen in yesteryear’s honeypot devices. Research and advisory bodies like MITRE and the National Institute of Standards and Technology (NIST) have recognized and covered the value of honeypots and their descendant technologies over the years, firmly establishing that detection based on attacker technique, as opposed to signatures or pattern matching, plays an important—and enduring—role in cybersecurity.
The Origins of the Honeypot
The earliest honeypot techniques were showcased in Clifford Stoll’s 1989 book The Cuckoo’s Egg, and the earliest documented case of a honeypot being used in cybersecurity began in January 1991, which we’ll use as the basis for calling this the 30-year anniversary of cyber honeypots.
Early honeypots were straightforward. Placed at the network edge, they were used primarily for research, to see who was attempting to compromise the network and how. Unfortunately, they required considerable resources to set up and maintain. The technology first began to attract more mainstream attention in 1999, when Lance Spitzner introduced the Honeynet Project—a cybersecurity research organization that still exists today.
The first easily deployable virtual honeypot was developed in 2007 by Niels Provos. The tool, known as “honeyd,” could emulate virtual hosts on a network specifically designed to detect the presence of an attacker. As with earlier forms of the honeypot, users would place these fake assets on the perimeter of a production network and wait for inbound traffic to engage with the decoy. At this point, the honeypot was still primarily useful as a research tool: good at gathering adversary intelligence, but not so much at in-network threat detection.
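To make the honeyd-style idea concrete, here is a small low-interaction decoy service. It is an added example written for this page, not honeyd’s code or Attivo’s: it listens on a port, hands out a constructed banner (the hostname in it is a placeholder), records whatever the peer sends first, and closes. Because no legitimate client has any reason to connect to a decoy, every recorded connection is itself the detection, with no signature needed. The `probe_decoy` helper is only a stand-in for the inbound traffic the paragraph describes.

```python
"""Minimal low-interaction decoy service (added example; not honeyd's code)."""
import socket
import threading
from datetime import datetime, timezone

# Constructed banner; the hostname is a placeholder, not a real system.
DECOY_BANNER = b"220 files.corp.example FTP server ready\r\n"


class DecoyService:
    """A single-threaded listener that emulates one service on one port."""

    def __init__(self, host="127.0.0.1", port=0, banner=DECOY_BANNER):
        self.banner = banner
        self.events = []  # one dict per connection: this is the alert log
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port=0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            self._handle(conn, addr)  # handled inline: low interaction only

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)
                data = conn.recv(1024)  # capture the first thing the peer says
            except (socket.timeout, OSError):
                data = b""
            self.events.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "src_ip": addr[0],
                "src_port": addr[1],
                "dst_port": self.port,
                "first_bytes": data[:256],
            })


def probe_decoy(port, payload=b"USER anonymous\r\n", host="127.0.0.1"):
    """Connect once as a test client and return the banner the decoy served.
    Stands in for the inbound traffic the text describes (constructed input)."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    svc = DecoyService()
    svc.start()
    print("decoy listening on port", svc.port)
    print("client saw:", probe_decoy(svc.port))
    svc.stop()
    for ev in svc.events:
        print("ALERT decoy touched:", ev)
```

The design point is that the decoy does as little as possible: it never implements the protocol it advertises, which keeps its attack surface small and its maintenance cost low, exactly the trade-off that made early honeypots research tools rather than in-network detectors.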
The Birth of Deception Technology
The advent of what would become known as deception technology changed that by building on honeypot technology to turn a passive tool into one geared toward active defense. Distributed deception platforms involve decoy assets familiar in general concept to anyone acquainted with honeypot technology. However, they are more than just a handful of decoys at the edge of the network. Distributed deception platforms moved the technology inward, placing deceptive assets throughout the network. These assets might include decoy credentials placed on network endpoints, designed to trick attackers into attempting to use them, or decoy file shares or network objects designed to lure attackers into interacting with them. They might even include deceptive AD objects designed to trip up attackers that have infiltrated the most vulnerable areas of the network. Unlike early honeypots, distributed deception platforms can automatically generate these decoy assets to appear authentic based upon the network environment in which they get deployed. It is noteworthy that modern deception has solved the scalability challenges and complexity that were inherent in honeypots. Native integrations for information sharing and incident response automation are also delivering seamless operations with mainstream security devices.
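The decoy-credential idea above turns into a very simple detection rule: the seeded accounts are never used by any legitimate process, so any authentication attempt naming one is a high-fidelity alert whether or not the logon succeeded. The following is an added example, not code from Attivo’s platform or any real product; the account names, the log format and the log lines are all constructed for illustration.

```python
"""Decoy-credential (honeytoken) use detection over authentication log lines.
Added example; account names, log format and sample lines are constructed."""
import re
from dataclasses import dataclass

# Constructed decoy account names (hypothetical; seeded by the defender).
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy", "sql_readonly"}

# Constructed log format, one event per line:
#   <iso-ts> host=<name> event=<logon|logon_failed> user=<account> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source touches the same decoy on two hosts,
# once as a failed logon and once as a success.
SAMPLE_LOG = """\
2021-01-15T10:02:11Z host=ws-042 event=logon user=alice src=10.0.4.17
2021-01-15T10:02:40Z host=ws-042 event=logon_failed user=CORP\\svc_backup_admin src=10.0.4.17
2021-01-15T10:03:05Z host=fs-01 event=logon user=svc_backup_admin@corp.local src=10.0.4.17
2021-01-15T10:04:00Z host=dc-01 event=logon user=bob src=10.0.9.3
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    host: str
    user: str      # normalized account name
    raw_user: str  # as the endpoint logged it (domain prefix/suffix kept)
    src: str
    event: str     # a failed logon with a decoy is still an alert


def normalize_user(user):
    """Reduce DOMAIN\\user, user@domain and mixed case to a bare lower-case name,
    so the same decoy is matched however the endpoint happened to log it."""
    u = user
    if "\\" in u:
        u = u.rsplit("\\", 1)[1]
    if "@" in u:
        u = u.split("@", 1)[0]
    return u.lower()


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Flag every parsed event whose account is a decoy, success or failure."""
    decoy_set = {normalize_user(d) for d in decoys}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not silently matched
        user = normalize_user(rec["user"])
        if user in decoy_set:
            alerts.append(DecoyAlert(rec["ts"], rec["host"], user,
                                     rec["user"], rec["src"], rec["event"]))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP. One source touching decoys on several
    hosts is the lateral-movement pattern the text describes."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.host)
    return by_src


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG.splitlines())
    for a in found:
        print("ALERT decoy credential used:", a)
    print("sources touching decoys:", summarize_by_source(found))
```

Note that the rule keys on the account rather than on any behavioural threshold: there is no baseline to learn and no signature to maintain, which is what the page means by detection based on attacker technique rather than pattern matching.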
Something else that distinguishes modern deception technology from its honeypot ancestors is the use of concealment and misdirection to further protect real network assets. Rather than simply seeding deceptive assets throughout the network for the adversary to interact with, the concealment aspect of today’s technology hides real production objects from the attacker entirely. Deception platforms can hide sensitive or critical data and assets, such as local files, folders, mapped shares, Active Directory objects, and even production credentials. Modern deception also leaves breadcrumbs within the network, proactively diverting attackers away from valuable assets and leading them instead toward decoys and traps—and ultimately into a deception environment where defenders can safely observe their actions. This function allows defenders to gather intelligence on attacker tactics, techniques, and procedures (TTPs). In some ways, this is a natural extension of the research component of those early honeypots.
Deception Technology Has Come a Long Way
Whereas early honeypots were designed to attract adversaries at the network edge, cyber deception technology is invaluable for quickly detecting lateral movement within the network itself. Today’s attackers are no longer content with simple smash-and-grab attacks. They have grown increasingly comfortable moving within the network to conduct reconnaissance and identify the most valuable assets to steal or encrypt. The sooner defenders can detect these intruders, the less likely they are to do significant damage. Research by Enterprise Management Associates (EMA) recorded a reduction in dwell time to an average of 6 days, which at the time was a 90% reduction over other methods.
MITRE®, a respected cybersecurity advisory body, recently released MITRE Engage, complementing its better-known MITRE ATT&CK® matrix. MITRE Engage focuses on building a successful active defense strategy based on adversary engagement. Unsurprisingly, cyber deception technology factors heavily into the strategies and use cases outlined within it. Deception’s ability to engage attackers and generate valuable adversary intelligence makes it a unique element of active defense. And MITRE isn’t alone: recent NIST guidance has emphasized the important role of deception technology within today’s threat landscape. Even the National Security Agency recently released a special publication focused on deception technology. Truly, the honeypot’s descendants have had a major impact on the cybersecurity world—not bad for something that started as a network perimeter research tool.
Honoring the Heritage of Deception Technology
Because many people view the honeypot as outdated technology, some security experts are wary of even saying “the ‘H’ word” for fear of making their technology sound obsolete. But without the honeypot, deception technology and other essential elements of modern cybersecurity would not exist. Ignoring the contributions that the honeypot has made to modern security technology would be a shame. As security experts, let us choose to honor the heritage of the tools that have had such a positive impact on cybersecurity.
Tricking attackers into interacting with a deceptive asset is still an important element of cybersecurity, but today’s technology engages attackers more proactively. Where honeypots were low interaction, today’s decoys are high interaction, providing a fully operating system with which the attacker can interact. The addition of concealment and misdirection has further built upon the scaffolding provided by honeypot technology, turning a once-passive research tool into an essential element of active defense. One should not forget the honeypot but should instead celebrate it for its essential contributions to the shape of today’s cybersecurity landscape. Happy 30th Anniversary honeypots, I tip a glass to you!