How VM Introspection Transforms Honeynets into Lean, Mean, APT-fighting Machines
By Nenad Kreculj
Honeynets are an often-overlooked means of defense in today's cybersecurity landscape. The term conjures images of a simpler time when script kiddies holed up in mom and dad's basement represented the biggest security threat organizations faced online. Honeynets of that bygone era were difficult to set up and equally complicated to maintain.
Beyond operational complexity, honeynets of old weren't very effective. The idea of a honeynet is to dupe an attacker into thinking they've breached a working production asset. However, few were fooled by early versions of these traps; some even managed to infiltrate older honeynets and turn them into launch pads for attack staging. The modest forensics payoff for this potential liability was of limited interest because there was little to no actionable intelligence collected.
Today's attackers are highly focused and much more determined than the hapless hackers of yesteryear. They're not motivated by mindless pranks or feats of technical know-how. Today's attackers are after intellectual property, personally identifiable information (PII), and financial data. Many are employed by organized crime syndicates and some are even sponsored by nation-states. As such, they tend to be skillful, well organized, motivated, and patient. The most dangerous ones plan their activity to help them stay in the network for extended periods of time, quietly siphoning data, just like a parasite.
What could possibly be gained by implementing a defensive technology that was minimally effective against yesterday's much less sophisticated cyberattackers in today's war against cybercriminals? Quite a bit, actually. As it turns out, just as the modern cyberattacker has come a long way since the days of script kiddies, so, too, has the honeynet evolved. In fact, today's honeynets are easily capable of fooling the cyberattackers. Production assets can be replicated right down to their gold disk images and security protection schemes. Applied virtualization technology has greatly simplified the set-up process and on-going maintenance. Even more important, proper positioning -- in relation to the hypervisor -- cloaks the entire monitoring process and prevents it from being manipulated or obstructed.
The actionable intelligence gained through this evolution in cyberdefensive technology makes honeynets worth their collective weight in gold. Next-gen honeynets are a critical component of any advanced persistent threat (APT) strategy, providing powerful, real-time intelligence about activities taking place in your own network to deliver a level of situational awareness within your organization that was once impossible.
Monitoring processes, registry key modifications, and file and network activity from the hypervisor is something the architects of earlier honeynet technology only dreamed about. Today's most innovative honeynets can easily see network traffic in its decrypted state. This enables admins to sit back and watch attacks play out in real-time under a microscope, while containing these threats to a tightly controlled environment and preventing any possibility of attackers using the honeynet as a launching pad for further attack. Just imagine knowing what tools your attackers are using, what artifacts they're leaving behind, and how they're achieving persistence. Those who make next-generation honeynets a part of their layered defense gain an unobstructed view of attack behavior and data, which reveals all of these things and more.
In the right hands, a honeynet can be a powerful weapon in the war against APTs. If you're contemplating adding advanced honeynets to your organization's arsenal, here are five things to consider.
Consideration #1: Education is critical
Educate your organization and IT stakeholders. Old school thinking might lead some within your ranks to believe honeynets are inefficient, complex, and provide only rudimentary information. Explain the tremendous upside to modern honeynets and the actionable intelligence they produce. Help them understand the danger of an attacker's lateral movement, roaming through the network from host to host.
Consideration #2: Location, location, location
Place honeynets in close proximity to your key assets and authentication systems. For example, if you're a software company, place your honeynet in the network segment where the source code repository servers are. Adversaries like to poke around authentication servers such as Active Directory (AD), which makes the network segments where your AD server resides an ideal spot. Also, consider network segments where IT and executive workstations can be found. These are tempting areas for would-be attackers.
Consideration #3: The integration principle
Integrate honeynets with your security information and event management (SIEM) system so that real-time alerts can be processed efficiently, utilizing existing tools and workflows. Honeynets must be able to integrate into the existing security operations center (SOC) workflow.
Consideration #4: Keep costs in check using virtualization
Apply virtual honeynets to save time and money. Virtualization also makes it easy to create new honeynets from a well-defined standard such as a gold disk.
Consideration #5: Sit back and learn
Let the honeynet do the work of providing information about adversarial activity while you monitor your environment and take notes. Configure your honeynet to collect and provide useful information about attacks that impact the honeynet host -- from process activity to file system, I/O communication and even registry changes.
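Considerations #3 and #5 together amount to a small pipeline: take the process, file, registry and network events the hypervisor reports for a honeynet guest, rate them, and hand the SIEM something it can ingest. The sketch below is an added example, not code from the article or from CounterTack; the event schema, the internal address ranges and the "ExampleOrg" vendor string are assumptions, and the events are constructed. It renders alerts as CEF lines, and it rates every event at least moderately severe because no legitimate user should be touching a honeynet at all.

```python
import ipaddress

# Constructed sample events in a hypothetical VMI event schema (not any vendor's real format).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01Z", "vm": "honey-ad-01", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "winword.exe"},
    {"ts": "2024-03-01T10:00:07Z", "vm": "honey-ad-01", "type": "file",
     "path": "C:\\Users\\Public\\svc.exe", "op": "create"},
    {"ts": "2024-03-01T10:00:09Z", "vm": "honey-ad-01", "type": "registry",
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "updater", "data": "C:\\Users\\Public\\svc.exe"},
    {"ts": "2024-03-01T10:00:15Z", "vm": "honey-ad-01", "type": "network",
     "dst": "10.20.5.12", "dport": 445},
    {"ts": "2024-03-01T10:00:20Z", "vm": "honey-ad-01", "type": "network",
     "dst": "203.0.113.7", "dport": 443},
]

# Assumed: the organization's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Registry locations commonly written to gain persistence on Windows.
PERSISTENCE_KEY_FRAGMENTS = ("\\currentversion\\run", "\\services\\")

def classify(ev):
    """Map one introspection event to (CEF severity 0-10, tactic label).
    Any activity on a honeynet guest is suspicious by definition, so nothing is rated below 5."""
    t = ev["type"]
    if t == "registry" and any(f in ev["key"].lower() for f in PERSISTENCE_KEY_FRAGMENTS):
        return 9, "persistence"
    if t == "network":
        dst = ipaddress.ip_address(ev["dst"])
        internal = any(dst in net for net in INTERNAL_NETS)
        return (8, "lateral-movement") if internal else (9, "command-and-control")
    if t == "process":
        return 6, "execution"
    return 5, "staging"

def to_cef(ev):
    """Render an event as a CEF line; '|' is escaped in header fields and '=' in extension values."""
    sev, tactic = classify(ev)
    hdr = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")
    ext = lambda s: s.replace("\\", "\\\\").replace("=", "\\=")
    fields = " ".join(f"{k}={ext(str(v))}" for k, v in ev.items() if k != "type")
    return f"CEF:0|ExampleOrg|HoneynetVMI|1.0|{hdr(ev['type'])}|{hdr(tactic)}|{sev}|{fields}"

def alerts_for(events, min_severity=8):
    """Return only the high-signal lines for the SOC queue; the rest stays in the SIEM as context."""
    return [to_cef(e) for e in events if classify(e)[0] >= min_severity]
```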
A Final Word
In the world of cybersecurity, the idea of stopping the barbarians at the gate is no longer tenable. APTs will get into your system -- it's only a matter of time. That doesn't mean you don't still need a strong gate; it just means new layers of security must be added to the equation that address the inevitability of a breach.
In the war against APTs, actionable intelligence is the most significant layer you can add to your defenses, so while your competitors are trying in vain to outrun the proverbial bear (or at least keep it outside the tent), you may want to consider an older approach to cyberdefense that has only recently been perfected: lure the bear in with a honeynet instead.
Nenad Kreculj is the director of product management at CounterTack. You can contact the author at firstname.lastname@example.org.