Honeypots Versus Threat Intelligence

When faced with daily reports of security breaches in global entities like SWIFT and Fortune 500 companies, and small enterprises being held hostage with ransomware, it’s understandable that finding and buying the ‘Next Big Thing’ in security is paramount on your IT security wishlist. However, before investing resources and funds in the next silver bullet to combat hackers, consider which ones get you the most bang for your buck.

Take global threat intelligence, for example. It’s all the rage, and there are certainly good reasons for the hype. It’s an excellent resource to identify known bad actors and attack vectors; it provides actionable information that defenders can use. But it’s global and not necessarily local. Do you really need to know bad actors and attack methods prevalent in Eastern Europe or Asia when you’re trying to protect your local Midwest network? Being able to attribute attacker locations from China isn’t especially meaningful for a defender. It’s the attack method and the target of the attack (an inside resource) that matters to a defender. Of course, the idea is that you examine local patterns and compare them to patterns available in the global database. However, this requires that large amounts of information are extracted from active systems and evaluated to identify possible matches, producing a relative low signal for a very high noise.

But if you installed a honeynet on your network and obtained intelligence locally, this would be a far more efficient and cost effective approach. Honeynets are set up of multiple honeypots strategically scattered throughout the network to lure bad actors who may be inside or outside the network. You could still compare activity at the honeypot to global threat intelligence data, but it requires less sifting through voluminous data from active systems. Once configured, all activity against a honeypot is malicious; the security team can gather intelligence about the attacker’s origin point and attack vector. Such data informs defense, and if necessary, evidence for law enforcement.

While the honeynet approach is not an especially new technique, configuring and maintaining them has been out of reach for the resource strapped IT team. However, new solutions on the market can make this approach feasible for the small and mid-market enterprise. Since only an attacker or an insider threat is detected in the honeypot scenario, the “signal-to-noise” is much higher than in traditional detection where data analysis to separate real security events from false positives can be profuse and time consuming.

By dangling lures both inside and outside your network, bad actors self identify – that’s the threat you need to address right now, not the global one attacking other networks. Add in behavioral analysis and correlation and you’ll have the best security tools that are right for your organization.