Posted by John Bradshaw, Vice President of World Wide Sales Engineering
Enterprise Deception Operations arrived on the scene recently, but that has not stopped the proliferation of terminology already being bandied about in the industry. For those who have read previous blog postings from me (Back to Basic), you know I am one who likes to clear the fog early in discussions so everyone is talking apples to apples. Today that discussion is going to focus on the different types of honeypots that make up Enterprise Deception Operations.
There are three types of honeypots you can consider deploying in your enterprise as part of your deception strategy: Low, Medium and High Interaction Honeypots. Each type has its pros and cons. Understanding what those are, and more importantly, how your security operations and incident response workflows will actually use them, can help you make the correct choices.
Low Interaction Honeypots: A Low Interaction Honeypot (LIH) in simplest terms is a “dumb listener”. It opens a service port and waits for the adversary to initiate a network connection. The LIH cannot speak the protocol, but it will record every packet sent by the attacker and will do rudimentary acknowledgements in an attempt to entice more responses.
Pros:
- An open service port entices the attacker to probe it further
- Good for capturing unsophisticated attackers and propagating malware
- Easy to cover services not available or difficult to deploy in Medium and High Interaction Honeypots
- They are easy to design and are lightweight making them highly scalable
- A connection is a conviction – it provides high fidelity with no signatures
- Automated response workflows can act on the alert immediately to isolate the compromised endpoint
Cons:
- Forensic evidence is limited to the few network packets captured
- Advanced adversaries quickly change tactics and will attempt to cover their tracks
- Without automated responses the trap may spring too early, and you could lose the adversary
- You will not learn much about the adversary’s tactics, techniques and procedures (TTPs)
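The "dumb listener" described above, as an added example that is not TrapX code: it opens a decoy port, records whatever the client sends, acknowledges it to entice more input, and turns the connection itself into an alert. The banner, the alert fields, the source address and the `simulate` helper are all constructed here for illustration.

```python
import socket, threading, time
# Added example, not TrapX code: a minimal low-interaction honeypot ("dumb listener"): it opens a decoy
# port, records whatever the client sends, acknowledges it to entice more, and alerts on the contact.

BANNER = b"220 Service ready\r\n"   # constructed greeting; the decoy cannot really speak any protocol

def build_alert(peer, port, data, ts=None):
    """A connection is a conviction: no signature is matched, the contact itself is the alert."""
    return {"time": ts if ts is not None else time.time(), "decoy_port": port,
            "src_ip": peer[0], "src_port": peer[1], "bytes_received": len(data),
            "payload_hex": data[:256].hex(),      # the few packets captured are the only forensics
            "severity": "high", "action": "isolate_source"}   # hook for an automated response

def handle_connection(conn, peer, port, sink, timeout=5.0):
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(BANNER)
        while True:
            chunk = conn.recv(4096)
            if not chunk:                      # client closed: one connection, one alert
                break
            data += chunk
            conn.sendall(b"OK\r\n")            # rudimentary acknowledgement to entice more input
    except (socket.timeout, OSError):
        pass                                   # a quiet or reset connection still counts
    finally:
        conn.close()
    alert = build_alert(peer, port, data)
    sink(alert)
    return alert

def serve(port, sink, host="0.0.0.0"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    while True:                                # every accepted connection gets its own handler
        conn, peer = srv.accept()
        threading.Thread(target=handle_connection, args=(conn, peer, port, sink), daemon=True).start()

def simulate(client_bytes, peer=("203.0.113.7", 51515), port=2222):
    """Offline check: drive handle_connection over a socketpair with a constructed client."""
    client, server = socket.socketpair()
    def talk():
        client.recv(4096); client.sendall(client_bytes); client.recv(4096); client.close()
    t = threading.Thread(target=talk); t.start()
    alert = handle_connection(server, peer, port, lambda a: None)
    t.join()
    return alert
```

`serve(2222, print)` runs a live decoy on port 2222 and prints each alert; `simulate(b"...")` exercises the handler offline without opening a port.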
Medium Interaction Honeypots: A Medium Interaction Honeypot (MIH) emulates key services or behaviors of the operating system it is masquerading as. The intent of the MIH is to stall, confuse or delay the adversary, giving the SOC/IR team sufficient time to assess the attack and determine appropriate isolation or remediation actions. It provides a subset of the commands commonly executed by intruders and presents a file system and service interactions that appear normal. MIHs will not stand up to prolonged scrutiny by an adversary, but that is not what they are designed to do.
Pros:
- Stands up to more intensive remote probes from adversaries
- Provides visibility into the early TTPs of the adversary
- Permits the adversary to interact with the decoy file system, allowing both the upload and download of files
- Permits the adversary to “exploit” the target as if it were a live system
- Helps reveal the attacker’s intended objective in your organization
- Provides detailed forensics on how the adversary interrogates targets
- If automated responses are not possible, MIH provides additional time for manual responses
- They are not exposed to the exploitable vulnerabilities a High Interaction Honeypot carries
- There are no licensing or installation costs for the operating system or applications – they are emulated, and as such, do not actually exist
- Emulations have smaller footprints and can easily scale to the numbers required to complete the deception environment
- An interaction is a conviction – with verifiable intent
Cons:
- While the illusion is extended greatly beyond LIH, it does not last forever
- Additional configuration steps are required to make the deception as realistic as possible
- MIH solutions will cost more than LIH due to increased design and development costs
- MIH solutions will require more updates than LIH to keep in step with service and operating system changes
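The emulation described above, as an added example that is not TrapX or DeceptionGrid code: an in-memory decoy shell that answers a small set of commands over a constructed decoy file system, logs every command as a session event, simulates file download (`cat`) and upload (the `upload` helper, hypothetical), and fails plausibly for anything it does not emulate. The user name, host name and file contents are all constructed.

```python
import time
# Added example, not TrapX's DeceptionGrid code: the core of a medium-interaction honeypot.
# An emulated shell answers a handful of commands over an in-memory decoy file system, so
# nothing runs on a real OS; every command is logged as a session event (early TTPs).

DECOY_DIRS = {"/": ["etc", "home", "tmp"], "/etc": ["hostname"],   # constructed decoy content
              "/home": ["svc_backup"], "/home/svc_backup": [".bash_history"], "/tmp": []}
DECOY_FILES = {"/etc/hostname": "fin-db-02\n",
               "/home/svc_backup/.bash_history": "mysqldump -u root -p finance > /tmp/finance.sql\n"}

class EmulatedShell:
    def __init__(self, user="svc_backup"):
        self.user, self.cwd = user, "/home/" + user
        self.dirs = {k: list(v) for k, v in DECOY_DIRS.items()}
        self.files = dict(DECOY_FILES)
        self.events = []        # (timestamp, raw line, emulated?): the session's forensic record
    def _abs(self, p):          # resolve relative paths; '..' is deliberately not supported
        p = p if p.startswith("/") else self.cwd + "/" + p
        return "/" + "/".join(x for x in p.split("/") if x and x != ".")
    def run(self, line):
        parts = line.strip().split()
        name = parts[0] if parts else ""
        self.events.append((time.time(), line.strip(), name in self.COMMANDS))
        if not parts:
            return ""
        if name not in self.COMMANDS:   # the illusion ends here, but it ends plausibly
            return "-bash: %s: command not found\n" % name
        return self.COMMANDS[name](self, parts[1:])

    def whoami(self, a): return self.user + "\n"
    def pwd(self, a): return self.cwd + "\n"
    def ls(self, a):
        d = self._abs(a[0]) if a else self.cwd
        if d not in self.dirs:
            return "ls: cannot access '%s': No such file or directory\n" % a[0]
        return "".join(e + "\n" for e in sorted(self.dirs[d]))
    def cat(self, a):               # "download": hands out decoy content only
        p = self._abs(a[0]) if a else ""
        return self.files.get(p) or "cat: %s: No such file or directory\n" % (a[0] if a else "")
    def upload(self, path, body):   # "upload": keep the dropped file as evidence, never execute it
        p = self._abs(path)
        parent, base = p.rsplit("/", 1)
        parent = parent or "/"
        if parent not in self.dirs:
            return False
        self.files[p] = body
        self.dirs[parent] = sorted(set(self.dirs[parent]) | {base})
        return True
    COMMANDS = {"whoami": whoami, "pwd": pwd, "ls": ls, "cat": cat}
```

After a session, `shell.events` is the record the SOC reads: which commands were tried, in what order, and where the emulation stopped answering.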
High Interaction Honeypots: A High Interaction Honeypot (HIH) is a full-blown, actual operating system or device, with whatever applications or services are installed to complete the deception. The intent of an HIH is to hold the attacker in the illusion indefinitely while the forensics team gathers every scrap of intelligence possible about the adversary.
Pros:
- Provides the richest, truest interaction environment for the adversary
- Can hold the adversary in the illusion for the longest possible timeframe
- Allows for the most customization and population of real-world data
Cons:
- Incurs licensing and maintenance costs from the vendor or supplier
- Utilizing infrastructure gear and other proprietary devices or appliances can be cost prohibitive
- Can introduce unknown vulnerabilities, allowing the adversary to breach your internal security defenses
- Are not inherently designed for forensic capture – this requires additional software and design considerations
- Footprint is more resource intensive, introducing enterprise scalability issues
- Even virtualized HIH require resources that limit the feasible number of decoys deployed in an enterprise
- Unless you are a security vendor or intelligence gathering entity, the added value gained from allowing the attacker additional time in the decoy diminishes rapidly in comparison to increased costs, care and feeding
Which One Is Best For You?
I cannot answer that for you. But I can have an open and detailed discussion and help you arrive at the right answer. The main thing to remember is: What is the primary objective of your Security Operations team? If you are like most businesses, I am willing to bet it is:
- Prevent Loss of Intellectual and Proprietary Information
- Stop Damage from Occurring
- Eliminate or Minimize Financial Loss
- Maintain Company and Brand Reputation
- Make Every Breach a Non-Impactful Event
If your SOC team has an SLA to respond to high priority alerts in minutes – then your primary deception strategy should be focused on the most cost-effective method of delivering within that time frame. Creating an illusion that will allow the attacker hours of play time will not make sense.
If you plan to integrate adversary interactions with your other security solutions, reviewing each potential workflow will help guide you to what level of interaction is required to achieve your goal.
In most cases, Medium Interaction Honeypots will provide the primary deception environment, with Low and High Interaction Honeypots filling gaps and special use case scenarios.
The TrapX Approach
TrapX supports Low, Medium and High Interaction capabilities using our DeceptionGrid™ solution. We provide high-fidelity, low-volume alerts around connection and reconnaissance activities; a wide array of emulation targets providing medium interaction capabilities; and database and web high interaction service capabilities that scale without the escalating costs described above – and we are adding more capabilities every month.
Are you ready to see deception in action?