Deceptive security: how to catch more flies with honeypots
From governments to industrial manufacturers, organisations across all sectors are experiencing an unprecedented level of cyber-attacks, intrusion attempts and malware.
To stay one step ahead, it’s crucial for cyber security leaders to gain a deep understanding of attackers’ tactics, tools and techniques, without compromising the confidentiality, integrity and availability of their organisation’s systems.
Increasingly, honeypots are becoming a crucial tool in any organisation’s deception technology armoury. Let’s take a closer look at how honeypots work, the role they play in organisations’ overall security infrastructure, and how Airbus Protect is innovating to develop a new generation of deceptive security tools.
What is a honeypot?
In short, a honeypot is a deceptive security tool used to lure attackers towards an artificial information system that has no production purpose. Once an attacker takes the bait, cyber security teams can gather information about their activities, slow them down, and alert their organisation’s Security Operations Centre (SOC) that an intrusion is under way.
Most importantly, a honeypot provides valuable intelligence that can be used to feed a cycle of continuous cyber security improvement.
How do honeypots work?
When honeypots first came into common use in the late 1990s, they were very simple. Back then, administrators would simply introduce unprotected IT resources into their networks, which would attract attackers like flies to honey! Once attackers arrived, they were blocked and sometimes identified.
Nowadays, the picture is much more complex. Fake assets are scattered across organisations’ various networks, and cyber security teams often deploy a range of digital decoys, traps, lures and “breadcrumbs”. Digital decoys and traps are typically physical or virtual hosts running real, licensed operating system software, placed at points in the network where no legitimate user has any reason to connect. Breadcrumbs and lures, on the other hand, are planted on genuine assets: fake files (and, commonly, fake credentials) that point an attacker towards the decoys.
When an attacker interacts with a decoy system or file, an alert is triggered for SOC teams. False positives are rare, because no legitimate user or process should ever touch a decoy, so every interaction is suspicious by construction. This lets teams focus on relevant information, such as attackers’ goals and techniques, rather than losing time tuning filters for Intrusion Detection Systems (IDS) or Endpoint Detection and Response (EDR). Because detection depends on the interaction itself rather than on a known signature, honeypots can also help teams to uncover dangerous zero-day attacks, in which attackers exploit a vulnerability for which no patch or detection signature yet exists.
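To make the alerting logic concrete, here is an added example (not code from the original article or from Airbus Protect) of how the three kinds of deception hit described above can be turned into alerts. It scans a few constructed log lines for any use of a breadcrumb credential, any contact with a decoy host, and any access to a lure file. The log format, account names, addresses and file paths are all assumptions chosen for the illustration. The point to notice is that a failed login with a decoy account is still an alert: the credential was never valid, so the only way anyone could present it is by having picked up the breadcrumb.

```python
"""Honeytoken and decoy alerting over constructed log lines.

Added example, not the article's or Airbus Protect's code. The log format
and every name, address and path below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Breadcrumb credentials planted on real hosts (assumed names). No legitimate
# process ever uses them, so any attempt, successful or not, is an alert.
HONEYTOKEN_USERS = {"svc_backup_legacy", "db_admin_old"}
# Decoy systems (assumed addresses). Nothing legitimate should connect to them.
DECOY_HOSTS = {"10.20.30.40", "10.20.30.41"}
# Lure files scattered among genuine documents (assumed paths).
LURE_FILES = {"/finance/passwords_2019.xlsx", "/it/vpn_keys.txt"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    reason: str
    src: str
    evidence: str


def parse(line):
    """Parse '<timestamp> <event> key=value ...' into a dict, or None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, event, rest = parts
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["event"] = event
    return fields


def classify(fields):
    """Return why an event is a deception hit, or None if it touches nothing fake."""
    event = fields["event"]
    if event == "auth" and fields.get("user") in HONEYTOKEN_USERS:
        return "honeytoken credential used"
    if event in ("auth", "conn") and fields.get("dst") in DECOY_HOSTS:
        return "contact with decoy host"
    if event == "file" and fields.get("path") in LURE_FILES:
        return "lure file accessed"
    return None


def scan(lines):
    """Run every log line through the decoy checks and collect the alerts."""
    alerts = []
    for line in lines:
        fields = parse(line)
        if fields is None:
            continue  # unparseable line: skip rather than guess
        reason = classify(fields)
        if reason:
            alerts.append(Alert(fields["ts"], reason, fields.get("src", "?"), line))
    return alerts


def attacker_timeline(alerts):
    """Group alerts by source address so the SOC can follow one intruder's path."""
    timeline = {}
    for a in alerts:
        timeline.setdefault(a.src, []).append((a.ts, a.reason))
    return timeline


# Constructed sample log: three benign events, then one intruder touching
# each kind of decoy, plus a malformed line that must not crash the scan.
SAMPLE_LOG = [
    "2024-05-02T09:00:12Z auth user=alice src=10.1.1.5 dst=10.1.2.9 result=ok",
    "2024-05-02T09:03:44Z conn src=10.1.1.5 dst=10.1.2.50 port=443",
    "2024-05-02T09:10:02Z file user=alice src=10.1.1.5 path=/finance/q1_report.xlsx",
    "2024-05-02T11:22:07Z auth user=svc_backup_legacy src=10.1.1.77 dst=10.1.2.9 result=fail",
    "2024-05-02T11:22:30Z conn src=10.1.1.77 dst=10.20.30.40 port=22",
    "2024-05-02T11:23:15Z file user=bob src=10.1.1.77 path=/finance/passwords_2019.xlsx",
    "malformed line",
]

if __name__ == "__main__":
    for src, steps in attacker_timeline(scan(SAMPLE_LOG)).items():
        print(f"{src}:")
        for ts, reason in steps:
            print(f"  {ts}  {reason}")
```

Run stand-alone, the script prints one timeline for 10.1.1.77 with three steps and nothing for the benign traffic from 10.1.1.5. In a real deployment the decoy sets would come from the deception platform’s inventory rather than from constants, and the alert would be forwarded to the SOC’s case management system; the matching logic itself stays this simple because the decoys, not signatures, carry the detection.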
How is deceptive security evolving?
Though highly effective, deception technology is expensive and resource-intensive to maintain. Honeypots require a dedicated team to manually analyse alerts and keep the deceptive systems convincing and up to date – in addition to maintaining their organisation’s regular information systems.
Fortunately, cyber security companies are working on a new generation of deceptive security tools, which enable organisations to reproduce their entire information systems in an isolated environment – all at a relatively low cost. Thanks to AI and machine learning, the maintenance of these hyper-realistic decoy systems will be automated, with bots simulating user activity to lure in attackers.
Next generation deceptive security tools will enable SOC teams to observe attackers over a longer period, increasing the volume and quality of data gathered. What’s more, AI-powered deception technology will ‘learn’ attackers’ habits, automatically improving its capacity to detect potential threats.
In a nutshell, deceptive security enables organisations to change their security stance from reactive to proactive by providing valuable data and serving as an ‘early warning’ system.
To learn more about deceptive security, and find out how we can support your organisation, get in touch.