Honeypots have largely been relegated to use by academia and antivirus vendors because most enterprise IT teams figure they're too expensive to run and could land their companies in legal trouble. But honeypots aren't as scary as all that, according to an expert on the topic who spoke at the InfoSec World Conference & Expo in Orlando Tuesday.
Honeypots -- servers that emulate production systems in hopes of luring hackers and sniffing out new threats -- can cost a lot to run, but most organizations probably don't need expensive ones, said Michael Davis, CEO of consultancy Savid Technologies.
Deploying a honeypot can cost from hundreds to thousands of dollars, but that there are plenty of ways to keep costs down and show upper management that there will be a solid return on investment, said Davis, a member of the Honeynet Project, where he is working Windows-based security.
For one thing, most organizations outside of research institutions don't need a high-interaction honeypot that captures loads of data. He recommended going with a low-interaction honeypot that emulates a few specific services, applications or operating systems and collects more focused data.
These systems don't need to run on pricy hardware either. Davis suggested just picking up a few machines off eBay or craigslist, or in some cases running the honeypot on an existing server.
Open source tools, such as Nepenthes and Honeyd, are also available, though you need to track what can be frequent updates to them.Davis estimated that only about 5 percent of implementations use commercial tools, with companies such as Symantec not finding the business lucrative enough to stay with it. However, that is starting to change, with companies such as Arbor and McAfee offering honeypot services.
The biggest issue in keeping costs down is making sure that a honeypot is easy to manage. An IT shop can get one up and running in less than an hour, but "maintenance is the death off honeypots," Davis said. He urged feeding data from honeypots into existing security information and security event management systems. For companies without such management systems in place, he said: "You've just tripled your workload [in analyzing the data collected by a honeypot]." Existing honeypot tools are fairly useless when it comes to analyzing data, though he said delivering such tools is one goal of the Honeynet Project.
Ensuring a good ROI on a honeypot project requires knowing what sort of data you need.
"The reason honeypots never get used is because your network is big and you don't know what you are trying to collect," Davis said.
The corporation might want to just be aware of trends, whereas individual departments might want to know who is snooping around. Depending on the sort of data you need, you might install the honeypot further inside the firewall, Davis said.
Davis also recommended selling management on honeypots by using them as a quality assurance testbed for your other security systems.
The other cost issues that give IT departments the willies about honeypots are legal ones. But Davis said legal issues are a misconception. "If you're in a corporation, entrapment issues do not apply," he said.
However, you can get in legal trouble if you choose to populate a honeypot server with real customer data given the existence of so many data protection laws, he said.
While Davis said he is a big believer in honeypots, he acknowledged that the technology has a long way to go. For example, honeypots tend to spot common vulnerabilities and aren't sophisticated enough to find zero-day vulnerabilities.
And then there are commonsense issues that need to be addressed upon rollout. Honeypots need to be built to look as much like your real systems as possible, so don't use an Apache server to emulate a Microsoft IIS one and don't set up a fake "under construction" server that looks different from real "under construction" servers on your net, Davis said.
Honeypot users should also exploit honey tokens, such as phony credit card numbers, to determine how data might be leaving the company. Davis compared this to the old hospital trick of planting fake celebrity data in their systems to find out who might be leaking patient information.