In today’s ever-evolving world of cyber threats, attackers are constantly adapting their strategies to evade detection, making the job of cybersecurity professionals a constant challenge. Each new defensive measure is met with new tactics aimed at finding a way around it. As the Irish Republican Army once remarked after a failed bombing attempt, “Today we were unlucky, but remember, we only have to be lucky once. You have to be lucky always.” This sentiment rings true in cybersecurity: while attackers only need one success, defenders must always be on their game and quickly adapt to emerging threats. To stay ahead, we must leverage every tool at our disposal — and one particularly powerful tool is the honeypot.
A honeypot acts as a decoy system, baiting attackers toward a “soft target” instead of our actual production systems. Think of it like a fake wallet in a high-crime area, designed to distract a pickpocket, with the added benefit of monitoring to gather information on the “thief.” Because no legitimate user has any reason to touch a decoy, any interaction with it is a high-confidence signal. Honeypots therefore provide early alerts, help us learn the tools, tactics, and procedures (TTPs) attackers employ, and allow evidence collection without compromising the real network.
Honeypots vary in complexity, depending on the security team’s resources. They can range from full-scale simulations that mimic production environments (even containing simulated sensitive data) to low-interaction honeypots designed primarily for early threat detection. But do they work? Let’s look at a few real-world cases.
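To make the “low-interaction honeypot for early detection” idea concrete, here is a minimal decoy TCP listener. It is an added illustration written for this post, not code from DefendEdge, GoSecure, Sophos, or any product named here; the class and field names, the JSON alert shape, and the constructed “scanner” traffic in run_demo() are all this example’s own assumptions. The listener offers no real service: it accepts a connection, records who connected and the first bytes they sent, closes, and emits an alert record, since nothing legitimate should ever reach a decoy port.

```python
"""Minimal low-interaction TCP honeypot (added example, not from the original post).

Design point: a decoy listener has no legitimate users, so every
connection it sees is a high-fidelity alert. The listener never
implements a protocol; it only captures the first bytes for triage.
"""
import json
import socket
import threading
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass
class HoneypotEvent:
    ts: str            # UTC timestamp of the connection
    src_ip: str        # who touched the decoy
    src_port: int
    decoy_port: int    # which decoy listener was hit
    banner_bytes: int  # how much the peer sent before we closed
    sample: str        # ASCII preview of the first bytes (non-ASCII escaped)


class LowInteractionHoneypot:
    """Accepts connections on a decoy port and records them; serves nothing."""

    def __init__(self, host="127.0.0.1", port=0, read_limit=256, timeout=2.0):
        # port=0 lets the OS pick a free port; a real deployment would bind a
        # fixed decoy port on an address the attacker can actually reach.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.read_limit = read_limit
        self.timeout = timeout
        self.events = []
        self._lock = threading.Lock()

    def serve_one(self):
        """Handle a single connection: read a bounded banner, log it, close."""
        conn, (ip, port) = self.sock.accept()
        conn.settimeout(self.timeout)  # never let a peer hold us open indefinitely
        data = b""
        try:
            while len(data) < self.read_limit:
                chunk = conn.recv(self.read_limit - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # silent scanners that connect and send nothing are still logged
        finally:
            conn.close()
        ev = HoneypotEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            src_ip=ip,
            src_port=port,
            decoy_port=self.port,
            banner_bytes=len(data),
            sample=data[:32].decode("ascii", "backslashreplace").strip(),
        )
        with self._lock:
            self.events.append(ev)
        return ev

    def close(self):
        self.sock.close()


def to_alert(ev: HoneypotEvent) -> str:
    """Render an event as a SIEM-style JSON alert line (format is this example's own)."""
    return json.dumps({"alert": "decoy_touch", "severity": "high", **asdict(ev)})


def run_demo():
    """Start one decoy listener, simulate a probe against it, return the events."""
    hp = LowInteractionHoneypot()
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    # Constructed "attacker": a scanner connecting to the decoy and sending a bogus hello.
    client = socket.create_connection(("127.0.0.1", hp.port))
    client.sendall(b"HELLO decoy\r\n")
    client.close()
    worker.join(5)
    hp.close()
    return hp.events


if __name__ == "__main__":
    for event in run_demo():
        print(to_alert(event))
```

The important property is the absence of any legitimate traffic: unlike an IDS rule that must separate attacks from normal use, a decoy can alert on every connection and still have a near-zero false-positive rate. The captured banner is what later lets analysts recognise which tools were pointed at the decoy.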
Case Study 1 – GoSecure Research
A team at GoSecure set up a virtual machine (VM) as a honeypot with an exposed, weakly protected RDP service, deploying custom interception tools and screen-recording software. Over three years, this honeypot attracted more than 2,000 attackers, logging 21 million login attempts — of which 2,600 were successful. The data gathered included 470 uploaded files and 339 videos capturing attack behaviors and tools. Interestingly, some attackers displayed little concern for anonymity: one created a password that appeared to include their name, and others logged into personal apps such as Telegram, giving researchers potential information on the attackers. Nothing was done to the attackers in this project, but had this been a real breach, that information could have assisted law enforcement in finding those responsible.
Case Study 2 – Sophos
Beginning in 2018, cybersecurity company Sophos faced attacks by Chinese-backed groups exploiting zero-day vulnerabilities. Over the years, the attackers employed custom rootkits, Trojanized Java files, and privilege-escalation techniques to bypass Sophos’ security features. In 2020, Sophos’ threat-hunting team found devices under the hackers’ control and, rather than isolating them or removing the attackers, decided to turn those compromised devices into honeypots, deploying targeted implants to monitor the attackers’ activities. This approach allowed Sophos to uncover a previously unknown remote code execution exploit, observe the attackers’ efforts to bypass security patches, and ultimately, with the help of the Netherlands’ National Cyber Security Centre, seize the attackers’ command-and-control servers.
Conclusion
The more we do to protect our networks, the harder threat actors work to find ways to circumvent our defenses. Knowing that we cannot anticipate every tool and technique that may be used against us, it is important that we leverage every resource possible to aid in our security. Here at DefendEdge we use honeypots as one of many valuable tools to enhance our clients’ security fabric. Products like FortiDeceptor play a critical role in our ability to divert attackers from production systems, provide early detection of threats targeting our clients’ systems, and gain insight into attackers’ tactics. These insights allow us to adjust security features to combat emerging threats as we Defend the Edge for our clients’ networks.
References
Rapid7. “Honeypots: Definitions, Types, and Benefits.” Rapid7, https://www.rapid7.com/fundamentals/honeypots/. Accessed 2-3 Nov. 2024.
Newman, Lily Hay. “A Hacker Trapped a Hacker in a Pot of Honey.” Wired, 8 Sept. 2020, https://www.wired.com/story/hacker-honeypot-go-secure/. Accessed 2-3 Nov. 2024.
Goodin, Dan. “Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days.” SecurityWeek, 22 Mar. 2023, https://www.securityweek.com/sophos-used-custom-implants-to-surveil-chinese-hackers-targeting-firewall-zero-days/. Accessed 2-3 Nov. 2024.
The New York Times. “This Time, the I.R.A. Comes Close to Thatcher.” The New York Times, 14 Oct. 1984, https://www.nytimes.com/1984/10/14/weekinreview/this-time-the-ira-comes-close-to-thatcher.html. Accessed 2-3 Nov. 2024.