Using Honey To Attract B-Level Hackers

Cyber-attacks against government agencies continue to rise. According to the Federal Computer Incident Response Center, the number of cyber-security incidents related to systems at federal agencies and departments has grown exponentially in the past three years.

The attacks are also becoming more diverse and complex. One of the more effective recent tools for combatting the attacks is a decoy server, also known as a honeypot.

Named for the primitive, yet effective, way of attracting bees to a single location, honeypots lure cyber-attackers away from the true server and network activity and promote activity on strategically placed dummy servers. The idea of a working honeypot is not new, but much like the attacks they are designed to avoid, honeypots have come a long way.

The first honeypots were primarily research tools — usually off-the-shelf or stock systems placed in vulnerable locations and left as victims. Security administrators then waited for hackers to attack the “sacrificial lambs” in order to study tactics, tools and behavior. The honeypots were placed outside the firewall and offered hackers the ability to hack into an emulated operating system. These honeypots, also known as low-interaction honeypots, were relatively easy to deploy and maintain, and minimal risk was involved since there was never any real access to a true operating system.

Over time, administrators have developed what are referred to as high-interaction honeypots. With newer technologies, administrators are now involving real operating systems and applications. The increased risk associated with opening up real systems to cyber-attackers also provides increased value gained from monitoring the honeypot activity. Administrators are unable to predict or control a cyber-attacker’s activity, but they are able to track everything that is happening during an attack. These honeypots are more complex to deploy, and additional technologies must be implemented to prevent cyber-attackers from using them as launching pads to attack other systems.

A honeypot is not a security panacea. It would be foolhardy for a government agency to abandon other security efforts and rely solely on a honeypot to protect important government information. However, when used in a complementary fashion with firewalls and intrusion detection systems (IDSs) for network- and host-based intrusion protection, honeypots become yet another piece of armor that cyber-attackers need to overcome.

Honeypots tend to waste a cyber-attacker’s time. Since the hacker has unknowingly accessed a decoy server, he will continue to go about the attack as usual without knowing he is wasting time. However, monitoring and reviewing the attack is time well spent for an administrator, yielding important information regarding tactics and behavior.

Strategically placed honeypots give hackers a false idea of what security measures exist for an agency. While they may have successfully accessed a honeypot, they still have not overcome all of an agency’s security measures to perform a damaging attack.

With more than 3 million separate cyber-security incidents related to systems at federal agencies this year alone, cyber-attackers are finding flaws in security measures all over the country. By placing honeypots throughout an agency’s network, cyber-attackers will have a better chance of attacking the wrong server.

John Harrison is group product manager at Symantec, where he develops the company’s network-based intrusion protection solutions.