Forget What You Read In “Winnie The Pooh”: The Goal Of A Honeypot Isn’t To Get The Adversary Stuck In A Tree
Deception Technologies Operate By Identifying Business Use Case Violations
Deception technology comes in many varieties, but foundational to all of them is the creation of an asset that has no legitimate business use. Because the asset has no legitimate business use case, any interaction with it is necessarily a business use case violation. That is also what makes the resulting alert high-fidelity: there is no benign traffic to tune out.
“But wait,” you say, “some deception vendors create fake files or even add credentials to the lsass.exe process; it’s not just systems!” Correct, but I said “assets,” which is anything that has value to an organization, ranging from data to people and property.
The False Negative Problem
Unfortunately, because the lures are not legitimate assets, nothing forces an adversary to touch one. There is a real danger that they accomplish their objectives without ever being detected . . . or worse, they get the boot and come back smarter about what to avoid. Many vendors try to solve this problem with scale and are unabashed in telling you the problem is that you don’t have enough lures. This is a real honey of a proposition: if the product fails to detect an adversary (the false negative problem), it’s because you didn’t spend enough money. Sweet!
Don’t Sweat The Lateral Movement Potential With Honeypots
You don’t make honeypots reachable from the internet (the warzone), or they would be noisy indicators of attack rather than indicators of compromise. Since you’re always under attack from the outside, what value would that be? Understanding this, if an adversary is interacting with a honeypot/lure, they are already in your infrastructure, so the threat model of them using the honeypot versus any other system on that network segment for lateral movement is the same.
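To make the two points above concrete (an asset with no legitimate use, placed inside the network so that any interaction is a violation), here is a minimal canary service. It is an added example written for this page, not Thinkst’s Canary or any other vendor’s product. It speaks no protocol and emulates nothing; the connection itself is the alert, which is also why there is nothing to maintain. The scanner address in KNOWN_SCANNERS, the port choice and the probe payload are assumptions for illustration.

```python
"""Minimal internal canary: a TCP listener with no legitimate business use.

Added example for this page (not vendor code).  Any connection to the decoy
is treated as a business-use-case violation and recorded as an alert.
"""
import socket
import threading
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumed for illustration: your own vulnerability scanner or asset-inventory
# tooling, which legitimately touches every listening port.  Without this
# allowlist the first scheduled scan after deployment pages the SOC.
KNOWN_SCANNERS = {"10.0.0.5"}


@dataclass(frozen=True)
class CanaryAlert:
    """One business-use-case violation: somebody connected to a decoy."""
    decoy_port: int
    source_ip: str
    source_port: int
    first_bytes: bytes   # whatever the client sent first, kept for triage only
    timestamp: str


class Canary:
    """Listener with no business purpose.  Bind it on an internal segment only;
    exposed to the internet it would merely count background scanning."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 allowlist=KNOWN_SCANNERS) -> None:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port=0: OS picks a free port (demo only)
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # lets serve_forever notice stop()
        self.port: int = self._sock.getsockname()[1]
        self.allowlist = set(allowlist)
        self.alerts: List[CanaryAlert] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()

    def classify(self, source_ip: str, source_port: int,
                 first_bytes: bytes) -> Optional[CanaryAlert]:
        """Every interaction is a violation unless the source is a known scanner."""
        if source_ip in self.allowlist:
            return None
        return CanaryAlert(self.port, source_ip, source_port, first_bytes,
                           datetime.now(timezone.utc).isoformat())

    def _handle(self, conn: socket.socket, addr) -> None:
        # Read a few bytes for context, then hang up.  A client that connects and
        # sends nothing still produces an alert: connecting was the violation.
        conn.settimeout(2.0)
        try:
            data = conn.recv(64)
        except OSError:              # includes socket.timeout
            data = b""
        finally:
            conn.close()
        alert = self.classify(addr[0], addr[1], data)
        if alert is not None:
            with self._lock:
                self.alerts.append(alert)

    def serve_forever(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:          # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def start(self) -> threading.Thread:
        thread = threading.Thread(target=self.serve_forever, daemon=True)
        thread.start()
        return thread

    def stop(self) -> None:
        self._stop.set()
        self._sock.close()

    def wait_for_alerts(self, count: int, timeout: float = 3.0) -> List[CanaryAlert]:
        """Block until at least `count` alerts exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)


def simulate_probe(port: int, payload: bytes) -> None:
    """Constructed intruder behaviour: poke the decoy from this host."""
    with socket.create_connection(("127.0.0.1", port)) as probe:
        probe.sendall(payload)


if __name__ == "__main__":
    canary = Canary()
    canary.start()
    simulate_probe(canary.port, b"GET / HTTP/1.0\r\n\r\n")
    for a in canary.wait_for_alerts(1):
        print(f"ALERT decoy:{a.decoy_port} from {a.source_ip}:{a.source_port} "
              f"first_bytes={a.first_bytes!r} at {a.timestamp}")
    canary.stop()
```

In a real deployment you would bind a port that looks like something worth touching (a file share or remote desktop port on an internal segment) and ship CanaryAlert to the SIEM; the detection logic stays exactly this small, which is the low-management-overhead property the rest of the article argues for.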
Success Is Purely Circumstantial, So What Is Your ROI?
These honeypots/lures/whatever aren’t legitimate assets (by definition), so any detection is circumstantial: it depends on the adversary happening to touch the lure, not on anything you can guarantee. Keep this in mind the next time you hear someone tell you about the time an adversary made a mistake in their environment and was detected. That said, also realize that any adversary who is unfamiliar with your environment is going to poke around to find anything they can use. What is the likelihood they interact with your lure? That is extremely hard to quantify, so the best way to maximize return is to minimize the cost of the investment.
The Best Deception Capabilities Combine Low Licensing Costs With Low Management Overhead
Security has an innovation problem in that vendors tend to innovate by adding complexity to a solution. Honeypots are valuable for detecting an intrusion and understanding an adversary. Unfortunately, many deception vendors are selling overengineered solutions that attempt to solve all kinds of perceived problems with honeypots — which naturally increases the cost of maintenance while lowering the ROI and core benefit. This is why the deception space will never take off as a standalone capability.
In practice, the best way to acquire deception capabilities is integrated as a feature into some other product, which minimizes both price and administrative pressure — or to go with a vendor such as Thinkst, whose Canary product is within your signing authority and takes about 5 minutes to set up before you can completely forget about it.[i]
[i] Thinkst is not a client, and this should not be perceived as an endorsement aside from recognizing that it has a unique offering in the market.