Why honeypot technology is no longer effective

Author: Mark Parker, Senior Product Manager, iSheriff

There are many different techniques used in network security. Some techniques fit specific situations well and other situations not so well. Some techniques become less effective over time. Often, new and much more effective systems and technologies come in and take their place.

One of these waning technologies is called ‘honeypots’. For years, traditional security companies have used honeypots as the primary method for collecting threat samples. However, an important issue with this approach is that a honeypot does not behave exactly like a real end-user environment because it is generally automated and programmed to behave in a certain way.

Security researchers are likely to miss threats catalysed by user interaction if they are only looking at the subset of data generated by an automated honeypot. The limitations of honeypots also make them only marginally effective in identifying malware threats that target endpoints via the web or email. Any unanticipated user interaction, or attempt to trick the user, may be missed.

Handling today’s threats

The majority of today’s email-borne threats are socially engineered and designed to get around honeypot-based detection systems. These targeted attacks are referred to as ‘spear phishing’. Spear phishing messages are specifically targeted at an organisation, a specific demographic of users, or in some cases, a specific user. These messages are engineered to prompt the user to visit a web page where the user’s machine can be infected through a download or drive-by malware attack.

Spear phishing attacks are often not detected by honeypot-based security tools until a large number of users have been infected. Most spear phishing attacks drive the user to perform an action. Where a honeypot could catch an attachment, or a single malicious link, a machine is ill-equipped to understand the social engineering that goes into most successful attacks.

In some cases it may be as simple as replying with a username and password, but in most cases the attack drives a user to click a web link in the email. In the simplest attacks, the link leads directly to the download of a malware file. As security tools have grown more capable, so have attackers: they now build sophisticated, socially engineered sites that first gain a user's trust and are then used to get the user to divulge information or install infected files.

In one example, the spear phishing email looked like an invitation from Human Resources to view a training video. On initial load the site looked like a professional website with training information. Once the user clicked on the video, they were directed to download a browser plug-in to play the video. Instead of a browser plug-in, they received malware designed to infiltrate the system and gather information.

There have been a number of similar attacks using recent news stories as the bait video. A machine-based honeypot lacks the ability to interact in the way a human user would, leaving many potential threats undetected until it is too late. In addition, many honeypot detection systems are built in virtual machine environments. The cybercriminals developing today's malware know this and will often check for signs that the code is running inside a virtual machine. If a virtual environment is detected, the malware stays dormant or exits, so the honeypot never observes the malicious behaviour and is rendered ineffective.
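The virtual-machine checks the paragraph above refers to are easy to illustrate. The following is an added example written for this article, not iSheriff's code: it scores a host fingerprint against well-known hypervisor artefacts (vendor MAC OUIs, guest-tools processes, the CPUID "hypervisor present" flag) plus weaker hints (hostname, RAM size) the way sandbox-aware malware does before deciding whether to detonate. The three sample fingerprints are constructed; the weights, the threshold and the `live_fingerprint()` helper are the example's own assumptions, not any vendor's logic.

```python
"""Checks of the kind VM-aware malware runs before detonating.

Added example for this article, not iSheriff's code. It scores a host
fingerprint against well-known hypervisor artefacts. The sample fingerprints
below are constructed; live_fingerprint() reads a few real values from the
machine it runs on and is only for interactive use.
"""
import os
import platform
import re
import uuid

# Public OUI prefixes registered to hypervisor vendors (illustrative, not exhaustive).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}
# Guest-tools processes that only exist inside a VM.
VM_PROCESSES = {"vmtoolsd.exe", "vmtoolsd", "vboxservice.exe", "vboxtray.exe", "vmwaretray.exe"}
# Hostnames analysts tend to give their boxes.
ANALYSIS_HOSTNAME_RE = re.compile(r"sandbox|malware|virus|honeypot|analy", re.I)

# Assumed scoring: a strong artefact (weight 3) is decisive on its own,
# weak hints (weight 1) only count when several coincide.
THRESHOLD = 3


def vm_indicators(fp):
    """Return [(weight, reason), ...] for every artefact found in fingerprint fp.

    fp keys: macs (list), processes (list), cpu_flags (list), hostname (str), ram_gb (number).
    """
    found = []
    for mac in fp.get("macs", []):
        oui = mac.lower()[:8]
        if oui in VM_MAC_OUIS:
            found.append((3, f"MAC {mac} uses {VM_MAC_OUIS[oui]} OUI {oui}"))
    for proc in fp.get("processes", []):
        if proc.lower() in VM_PROCESSES:
            found.append((3, f"guest-tools process {proc} running"))
    if "hypervisor" in fp.get("cpu_flags", []):
        found.append((3, "CPUID hypervisor-present bit set"))
    if ANALYSIS_HOSTNAME_RE.search(fp.get("hostname", "")):
        found.append((1, f"hostname {fp['hostname']!r} looks like an analysis box"))
    if fp.get("ram_gb", 64) < 2:
        found.append((1, f"only {fp['ram_gb']} GB RAM"))
    return found


def looks_like_vm(fp):
    """The verdict malware would act on: True means 'stay dormant, do nothing'."""
    return sum(w for w, _ in vm_indicators(fp)) >= THRESHOLD


def live_fingerprint():
    """Best-effort fingerprint of the current machine (cpu flags only on Linux)."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    flags = []
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("flags"):
                    flags = line.split(":", 1)[1].split()
                    break
    return {"macs": [mac], "processes": [], "cpu_flags": flags, "hostname": platform.node()}


# Constructed fingerprints (no real hosts were inspected).
SAMPLE_VM_GUEST = {
    "macs": ["08:00:27:4e:66:a1"],
    "processes": ["explorer.exe", "VBoxService.exe"],
    "cpu_flags": ["fpu", "sse2", "hypervisor"],
    "hostname": "DESKTOP-7Q2K1",
    "ram_gb": 4,
}
SAMPLE_PHYSICAL_HOST = {
    "macs": ["3c:22:fb:4a:90:12"],
    "processes": ["explorer.exe", "outlook.exe"],
    "cpu_flags": ["fpu", "sse2"],
    "hostname": "LAPTOP-JSMITH",
    "ram_gb": 16,
}
# Weak hints only: a real but low-end machine with an unlucky name.
SAMPLE_LOW_END_HOST = {
    "macs": ["3c:22:fb:4a:90:13"], "processes": [], "cpu_flags": ["fpu"],
    "hostname": "analysis-pc", "ram_gb": 1,
}

if __name__ == "__main__":
    for name, fp in [("vm", SAMPLE_VM_GUEST), ("physical", SAMPLE_PHYSICAL_HOST),
                     ("low-end", SAMPLE_LOW_END_HOST)]:
        print(f"{name}: dormant={looks_like_vm(fp)} {vm_indicators(fp)}")
```

Every one of the strong artefacts is something a honeypot operator can remove: assign a non-vendor MAC, run no guest tools, give the guest a believable hostname and RAM size, and hide the CPUID flag (QEMU lets the `hypervisor` feature be switched off in its `-cpu` option). What cannot be configured away is the point the article makes: the absence of a human who reads the email, watches the "video" and agrees to install the "plug-in".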

New technologies reduce the problems

New technologies are now available that avoid the limitations of honeypots. At many data centres around the world, cloud-based security tools are scanning potential threats in real time as they pass through the service. Our security labs team uses a console that consolidates information from these data centres into a single view. At any given moment our lab researchers could be identifying a zero-day Trojan that originated in Ukraine and a new ransomware variant that first appeared in Canada. This approach to collecting global data in real time allows us to identify threats early, usually on day zero.

Cloud security can provide protection for email, web and endpoints. This means that the data analysed by our team is coming directly from the three main malware threat vectors. Best of all, the data being analysed comes from live users. The data analysed contains the clues, traces, and evidence needed to identify an attack, without including information that can identify individual users.

Once a threat is identified, protection measures can be established for all threat vectors. For example, if a spear phishing attack is detected, not only is the email service updated to protect against the threat, but the web and endpoint services are also updated, so the user is protected even if they receive the fraudulent message, click the malicious link and download the infected file. Many spear phishing emails contain no malware at all; they simply encourage the end user to click a link that loads a web page running malicious code, so a rule that only looks at the mail itself has nothing to block. Most threats arrive through web and email, often in combination, so the interconnectedness of detection and remediation across vectors and endpoints is extremely important.
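The cross-vector fan-out described above can be shown concretely. The following is an added example written for this article, not iSheriff's code: it takes one detected spear-phishing message (constructed here, modelled on the HR training-video lure), extracts the sender domain and the canonicalised link, and derives rules for three assumed enforcement points (mail filter, web proxy, endpoint agent). The rule strings, the `SAMPLE_PHISH` message and the `SAMPLE_PLUGIN_BYTES` stand-in for the fake plug-in are all the example's own assumptions; a real deployment would emit whatever format each product accepts.

```python
"""Fan one detected spear-phishing message out to every enforcement point.

Added example for this article, not iSheriff's code. The message, the fake
'browser plug-in' bytes and the rule strings are all constructed here.
"""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed lure: no attachment, just a link to the fake training site.
SAMPLE_PHISH = """\
From: HR Training <training@hr-portal-example.test>
To: staff@corp.example
Subject: Mandatory training video - please watch by Friday
Content-Type: text/plain

Please watch the new compliance training video here:
http://Training.HR-Portal-Example.test:80/video?id=42#player
"""

# Constructed stand-in for the 'plug-in' the site serves instead of a video player.
SAMPLE_PLUGIN_BYTES = b"MZ\x90\x00 constructed stand-in, not a real executable"

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_url(url):
    """Normalise casing, default port and fragment so trivially varied copies still match."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    out = f"{scheme}://{netloc}{p.path or '/'}"
    return out + (f"?{p.query}" if p.query else "")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extract_indicators(raw_message):
    """Sender domain, canonical URLs and their hosts from one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if msg.is_multipart():
        body = "".join(part.get_payload() for part in msg.walk()
                       if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    urls = {canonical_url(u) for u in URL_RE.findall(body)}
    hosts = {urlsplit(u).hostname for u in urls}
    return {"sender_domain": sender_domain, "urls": urls, "hosts": hosts}


def build_rules(raw_message, payload=None):
    """Rules for each vector from one detection.

    payload is the second-stage file captured from the site, if any; without it
    the email and web layers are still updated, which is the whole point when
    the message itself carries no malware.
    """
    ind = extract_indicators(raw_message)
    rules = {"email": set(), "web": set(), "endpoint": set()}
    if ind["sender_domain"]:
        rules["email"].add(f"sender-domain:{ind['sender_domain']}")
    for u in ind["urls"]:
        rules["email"].add(f"url:{u}")   # strip or rewrite the link in mail
        rules["web"].add(f"url:{u}")     # block the exact URL at the proxy
    for h in ind["hosts"]:
        rules["web"].add(f"host:{h}")    # and the whole host, for variants of the path
    if payload is not None:
        rules["endpoint"].add(f"sha256:{sha256_hex(payload)}")  # block the dropped file
    return rules


if __name__ == "__main__":
    for vector, entries in build_rules(SAMPLE_PHISH, SAMPLE_PLUGIN_BYTES).items():
        print(vector, sorted(entries))
```

Note that the sample message produces web rules even though it contains no malware, and the endpoint rule only appears once the downloaded "plug-in" has been captured; a honeypot that inspects the email alone would have produced neither.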

Get your head in the clouds

We all know we can't just sit around and wait for the rats to get stuck in our sticky traps. Constant, multi-layered, proactive monitoring throughout the corporate network and beyond is the order of the day. Traditional security vendors are often not equipped to rapidly assess, identify, and protect against the intricacies of sophisticated multi-vector attacks. Cloud-based security technologies provide constant threat identification and threat protection to deliver real-time, zero-day protection.

This article was brought to you by Enex TestLab, content directors for CSO Australia.

Mark D. Parker, Senior Product Manager, iSheriff

Mark Parker has a unique knack for taking very technical concepts and presenting them in a manner that is understandable to a novice. Prior to his role of Senior Product Manager at iSheriff, Parker held senior product strategy and engineering roles at ContentKeeper Technologies, Trustwave and M86 Security.
