To Honey or not to Honey

A few days ago, I was reading an article about deception techniques like honeypots. Now, as you may know, this is a subject I am interested in. Unfortunately, I did not bookmark the link, so I forgot the author and the title; what I did not forget was their core arguments:

  • Honeypots are bad because they will draw the bad guys in.
  • Once they notice it is a honeypot they will be pissed off and haxx0r your site to the ground.
  • Only 0.01% of companies need honeystuff. If you follow best practices and have security in place, there is no need for a honeypot.

When rephrasing those arguments, I wasn't exaggerating a lot. This person sure felt that way, and I found it quite interesting because their position was/is so different from mine (and I am a big fan of diversity in opinions and realities).

So, let's have a closer look..

"Honeypots are bad because they will draw the bad guys in."

First and foremost, I don't know of a valid reason (except getting management attention) why one would place honeypots outside one's basic protection mechanisms. Sure, you will gather data, but that kind of data will be really close to worthless if you're not studying automated attacks. In other words, if you place honeystuff within the confines of your DMZ or otherwise protected zones, you will catch pivoting attackers who are already in your network. You're not drawing them in, you're detecting them - a big difference.

Furthermore, what draws the "bad guys" in 2017 is that you're connected to the internet. That's it. That's usually all that is needed to get attacked. True, those are automated attacks. Once an automated attack finds something that could potentially exploited, some human will take over and try to get a foothold in your network. Once they are in, deception tech and honeystuff is one of many possibilities to give you additional info about what's going on.

"Once they notice it is a honeypot they will be pissed off and haxx0r your site to the ground. "

If your enterprise network can't withstand one pissed off person, then there might be some more work to be done with it. Once an attacker notices they fell into a trap and that they touched honeystuff, there are multiple possible reactions. Depending on the hacker’s confidence and character, they might indeed be pissed off and continue to penetrate your defenses. Quite the same what they might have done if there was no honeypot at all. What have you lost? Nothing? What have you gained? Intel.
It's up to you, of course, but I think having the same outcome plus valuable info is better than having no idea who is attacking and how they do it. So in my opinion that point is invalid as well.

"Only 0.01% of companies need honeystuff. If you follow best practices and have security in place, there is no need for a honeypot."

I do love ad hoc statistics.
"47% prefer the color blue to listening to a glass milk being poured."
"Men are more likely to accidentally drive into a 1972 Volkswagen beetle if there is a smell of onions."
"Only 0.01% of companies need honeystuff."

... well, you see where I am going with this. To be fair, I am not sure if anyone "needs" honeystuff; it depends on your network and how you go on about protecting them. Do you "need" a smartphone? It sure comes in handy at times and is convenient. Could you survive without it? Probably. Could your company survive without honeystuff? Most likely. Still, it makes things easier and can be funny as well as informative.

The second part of that argument is especially interesting. The author -whose name I genuinely forgot, if you know which article I am talking about, please let me know- stated that companies who secure their perimeter and follow all the security practices would not gain any new insights from honeystuff. I am not sure whether this thought provides a valid conclusion.

It sounds to me like "If your network is secure, you do not need detection capabilities - because nobody can get in, so you don't need to detect anything.". I disagree. If it was that easy, network breaches wouldn't happen. I think some attackers are quite creative and find ways to attack your network which nobody has thought about. I also think that enough users will click on a link in a phishing email and allow the attacker to establish a base in your network.

It's the same reason why one would have an IDS or why there are motion sensor alarms in buildings. Of course, there are doors. Of course, they are locked. There is a sign that says "No unauthorized entry". So, everything is in place, but still you have those alarms in case someone circumvents your other protection mechanisms.

All being said, it is of course a decision everyone has to make for themselves. Personally, I'd rather know I am attacked than giving anyone clever enough to penetrate my defenses free movement within my network.

Even if it pisses them off.