ENISA says digital traps should be used more widely across Europe
Governments have been urged by an EU agency to use “honeypots” to lure in hackers to gain a better understanding of what nefarious activity they’re involved in and how to better secure their data.
Honeypots are traps, consisting of fake resources, such as an application or some seemingly important data. By tagging those resources, companies can track attackers to see what part of the network they are exploiting and what malware they are pushing out. This exposes weaknesses that can then be patched.
The EU cyber security Agency ENISA has advised that Computer Emergency Response Teams (CERTs) of national governments could benefit greatly by wider adoption of such honeypots. In December 2011, ENISA found usage of these traps was “not as widespread as might be expected”.
Honeypots for hackers
“Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT’s constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics,” said executive director of ENISA, Professor Udo Helmbrecht.
“Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies’ assets.”
A host of CERTs in Europe already actively use honeypots. The Swedish National CERT even goes so far as to provide visualisation on the latest attacks detected by its honeypot on its public website. The graph below shows the latest data.
As part of its report, ENISA tested 30 different honeypot technologies, all of which were open source solutions, as well as giving advice on deployment.
ENISA noted there are not many commercial solutions available right now, although TechWeekEurope met one of the hottest new players on the market, CrowdStrike, last week.
There are various kinds of honeypots, some of which sit on servers, others on clients. The server versions effectively act as a fake server, whilst “honeyclients” look at how infected servers affect clients, such as where and how drive-by downloads work. Honeypots can also use real resources as a lure, or fake ones, or security teams can mix the two.
ENISA and others warned about the potential dangers of honeypot use, given that companies are essentially attracting attackers. “Companies need to use them with care,” said Brian Honan, founder of the Irish Reporting and Information Security Service, Ireland’s first CERT.
“As honeypots by their nature are set up to attract attackers, you need to be careful that, if the honeypot is attacked and breached, it cannot be used by the attacker to attack other systems.
“You also need to be careful that your honeypot is set up in such a way that it does not ‘give itself away’ to the attacker, as they can then avoid it and thereby undermine one of your alerting mechanisms.”
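To make the “tagging” of fake resources described earlier concrete, here is an added example (not from ENISA’s report or any product mentioned in the article): each decoy gets a random marker that never occurs in legitimate data, and a detector run over log lines attributes any sighting of that marker to the decoy touched and the source that touched it. The log format is a constructed assumption.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Decoy:
    name: str      # what the fake resource pretends to be
    location: str  # where in the network it was planted
    tag: str       # random marker embedded in the resource

def make_decoys(names: Dict[str, str]) -> Dict[str, Decoy]:
    """Create tagged decoys. A random tag cannot collide with real data,
    so any appearance of it in logs is evidence of attacker activity."""
    return {n: Decoy(n, loc, secrets.token_hex(8)) for n, loc in names.items()}

# Assumed (constructed) log line shape: "<timestamp> <src_ip> <event> <detail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?P<detail>.*)$")

def match_decoys(log_lines: List[str], decoys: Dict[str, Decoy]) -> List[dict]:
    """Return one alert per log line whose detail field carries a decoy tag."""
    by_tag = {d.tag: d for d in decoys.values()}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        for tag, decoy in by_tag.items():
            if tag in m.group("detail"):
                alerts.append({"src": m.group("src"), "event": m.group("event"),
                               "decoy": decoy.name, "location": decoy.location})
    return alerts

def run_demo() -> List[dict]:
    """Plant two decoys and replay constructed log lines against them."""
    decoys = make_decoys({"hr-share": "fileserver-2", "db-admin": "db-1"})
    hr_tag = decoys["hr-share"].tag
    sample_logs = [  # constructed sample input, not real traffic
        f"2012-12-03T10:00:01Z 10.0.0.5 smb_open hr/salaries.xlsx token={hr_tag}",
        "2012-12-03T10:00:02Z 10.0.0.9 http_get /index.html",
        "this line is not in the expected format",
    ]
    return match_decoys(sample_logs, decoys)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the line carrying the hr-share tag produces an alert; ordinary traffic and a malformed line are ignored.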
US-based CrowdStrike even proposes using information from honeypots to “disrupt” attackers’ infrastructure. That could mean it will hack back, although it will not be drawn into saying whether it will. CrowdStrike only says it won’t break the law.
“This topic of hacking back is highly controversial also because in particular cases honeypots do not necessarily know how to distinguish between legitimate traffic and malicious traffic,” an ENISA spokesperson told TechWeekEurope.
“Each country has its own data protection laws, information system abuse laws and other types of laws in this area. The counter-offensive approach would require prior to any action a good legal advisor.”