Roger Grimes recently published an article in InfoWorld, “No Honeypot? Don't Bother Calling Yourself a Security Pro,” that argues honeypots should be a pivotal part of any company’s security strategy. He notes that honeypots “can easily capture zero-day exploits, freshly minted malware, and roaming APT hackers,” which are some of the key drivers behind the Detection Gap problem. Despite that, Grimes notes that many businesses have yet to even use them.
So, what’s the holdup? I think many organizations have shied away from honeypots because of perceived difficulties in setting them up and operating them. Traditionally, honeypots also have required highly skilled security professionals to monitor them, scaring off some potential adopters. Also, some organizations mistakenly believe that multilayered firewall, intrusion prevention, antivirus and other defenses provide adequate protection.
Five years ago, I regularly taught a 5-day course on using honeypot technology for advanced intrusion detection, analysis, and response. Back then, only the government could afford to employ such tactics, and those users found honeypot technologies invaluable for detecting zero-day and other “undetectable” threats. Of course, in those days, government was believed to be the only target of advanced persistent threats (APTs). Unfortunately, that is no longer the case.
Today’s situation is much different. Advanced threats are pervasive, driven in part by a thriving dark-side economy. It seems like every week we read another report of a successful attack on a large – or even small – commercial enterprise.
The good news is that next-generation honeynet solutions are much more accessible to organizations facing the challenges of the Detection Gap. A product like CT Scout, which offers an enterprise-ready platform for next-generation honeynet deployments, is being used by leading enterprises worldwide to gain critical intelligence on advanced threats and harden their defenses.
Roger Grimes and I are in agreement – if you are not yet running a honeypot, it’s time to.