How to use the cloud as a honeypot


Last month, Alert Logic published a report based on the deployment of honeypots within public cloud infrastructures, in order to analyse attack types and frequencies as well as geographical variation. This got me wondering whether those outside of the IT security space could use honeypots in the cloud to their advantage, and in this advice column I will be exploring the options.

What is a honeypot?

Simply put, a honeypot is any security system whose value lies in its being scanned, probed, attacked and even compromised. It's the apparent antithesis of accepted secure strategy, yet it is an increasingly common approach to intrusion detection and attack information gathering. A 'production' honeypot is used primarily as an intrusion detection and alarm system, while a research honeypot can be thought of (as the name suggests) as a resource for discovering attacker techniques and tools. Both have their value, in the right setting. Which raises the question: is the cloud such a setting?

What are the advantages of using cloud-based honeypots?

Stephen Coty, chief security evangelist at Alert Logic, certainly believes so. He told me that "cloud-based honeypots give researchers the ability to research and analyse attacks that hit everyday customers," adding that "having honeypots allows a researcher to translate the IP addresses and malware being used into security content that can protect an average cloud environment."

So, if attackers are attempting to infiltrate a specific target, they will first identify the domains and IP address space owned by that target. Once those IP addresses have been identified, they will conduct a ping sweep and vulnerability scan to find a weakness in the network design or a vulnerability in software that can be exploited. It's obvious but true: the bad guys go after the weakest points most often.

"The honeypot on that IP space should be the weakest link," Coty explains. "They will attack that environment first." The source IP addresses the honeypot collects can then be added to firewall block rules, so that when those same addresses turn to the legitimate infrastructure the firewall blocks the traffic at the edge.

As Dr Kevin Curran, a senior member of the IEEE and a senior lecturer in Computer Science at the University of Ulster, puts it: "The advantages of using a cloud-based honeypot on a cloud system are similar to traditional honeypots in that it should be able to vet whether a cloud system has been compromised or attempts were made to do so."

Ultimately, the honeypot can simply sit and log all traffic coming into the cloud site, and because it serves no other purpose, pretty much any activity it sees should be treated as immediately suspicious. "Honeypots can serve to make threats more visible and act as an early alarm system," Curran says, which gives a cloud company a more proactive approach to security rather than a reactive one.

Dr David Chismon, a senior researcher at MWR InfoSecurity, also points out that, because of the sheer volume of legitimate traffic within a cloud service, a honeypot can be a good filter, shifting the balance between false positives and genuine alerts in the right direction.
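The two mechanisms described above, that any connection to a honeypot is suspicious by definition and that the source addresses it collects can feed edge firewall blocks, come together in a small log-to-blocklist pipeline. The following is an added example and not code from the article or from any of the vendors quoted in it; the log line format, the sensor name, the RFC 5737 documentation addresses standing in for attacker sources, the allowlisted scanner range and the nftables table and set names are all constructed assumptions. It also carries the caveat a practitioner would want: the feed must never block your own estate (private ranges, your monitoring and vulnerability-scanning hosts), and every block should expire on its own rather than accumulate forever.

```python
"""Turn honeypot connection logs into an expiring firewall blocklist.

Added example, not code from the article or from any vendor quoted in it.
The log format, sensor name, sample addresses and nftables names are
assumptions constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, sensor name, event type, key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) conn src=(?P<src>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample lines, as a production honeypot might emit them. The
# 203.0.113.x and 198.51.100.x sources are documentation addresses standing
# in for attacker IPs; 10.0.0.4 is an internal host; 192.0.2.10 is a
# hypothetical authorised scanner covered by the allowlist below.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z honeypot01 conn src=203.0.113.5 dport=22 proto=tcp
2024-05-01T10:00:02Z honeypot01 conn src=203.0.113.5 dport=23 proto=tcp
2024-05-01T10:00:05Z honeypot01 conn src=198.51.100.77 dport=445 proto=tcp
2024-05-01T10:01:00Z honeypot01 conn src=10.0.0.4 dport=22 proto=tcp
2024-05-01T10:01:30Z honeypot01 conn src=192.0.2.10 dport=80 proto=tcp
this line is not a connection record and must be skipped
2024-05-01T10:02:00Z honeypot01 conn src=203.0.113.5 dport=3389 proto=tcp
"""

# Never block RFC 1918 space, loopback or link-local: a honeypot feed that
# blocks your own estate is worse than no feed at all.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical allowlist: your own monitoring / vulnerability-scanning hosts,
# which legitimately touch the honeypot and must never be blocked.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class BlockEntry:
    src: str
    events: int = 0
    ports: set = field(default_factory=set)
    first_seen: datetime = None
    last_seen: datetime = None


def parse_line(line):
    """Return a dict for a connection record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def is_blockable(src, allowlist=ALLOWLIST):
    """A source is a block candidate only if it is a valid unicast address
    outside both the never-block ranges and the allowlist."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if addr.is_multicast:
        return False
    return not any(addr in net for net in NEVER_BLOCK + list(allowlist))


def build_blocklist(log_text, allowlist=ALLOWLIST, min_events=1):
    """Aggregate honeypot hits per source address. Because the honeypot has no
    legitimate users, a single hit is enough by default (min_events=1)."""
    entries = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blockable(rec["src"], allowlist):
            continue
        e = entries.setdefault(rec["src"], BlockEntry(src=rec["src"]))
        e.events += 1
        e.ports.add(rec["dport"])
        e.first_seen = rec["ts"] if e.first_seen is None else min(e.first_seen, rec["ts"])
        e.last_seen = rec["ts"] if e.last_seen is None else max(e.last_seen, rec["ts"])
    result = [e for e in entries.values() if e.events >= min_events]
    return sorted(result, key=lambda e: (-e.events, e.src))  # noisiest first


def render_nft(entries, ttl_hours=24, table="inet filter", set_name="honeypot_block"):
    """Render nftables commands adding each source to a timed set (table and
    set names are assumptions). The timeout makes each block expire on its
    own, so a stale or spoofed source does not stay blocked indefinitely."""
    return [f"nft add element {table} {set_name} {{ {e.src} timeout {ttl_hours}h }}"
            for e in entries]


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LOG)
    for e in blocklist:
        print(f"{e.src}: {e.events} hits on ports {sorted(e.ports)} "
              f"between {e.first_seen.isoformat()} and {e.last_seen.isoformat()}")
    print("\n".join(render_nft(blocklist)))
```

Run stand-alone, the script lists 203.0.113.5 (three hits across ports 22, 23 and 3389) and 198.51.100.77 (one hit on 445), skips the internal host, the allowlisted scanner and the malformed line, and prints one timed nftables set element per blocked source. The `min_events` knob is there for the case Chismon raises: on a noisy estate you may prefer to alert on a single hit but only block sources that keep coming back.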

Should you be deploying honeypots then?

Chismon is clear that any organisation with external assets/domains or cloud services should be deploying cloud-based honeypots. However, this comes with an important caveat: "honeypots should be deployed by security monitoring/SOC teams in liaison with IT staff."

The IT staff may be required to provision the honeypots, but the actual design should be led by the security teams who will be monitoring for malicious activity. Curran agrees that any organisation dealing with sensitive data in the cloud should deploy honeypots, and adds that they will also need skilled network administrators to monitor the logs and react to the data. So are there any best practice tips when it comes to actual deployment? Stephen Coty says that it boils down to deploying them quickly and efficiently.

"The challenges I have run into are centralized management, monitoring uptime and log collection. There are some great open source tools that have been developed to assist with the monitoring and log collection of your honeypots. There are a few that actually will give you a global heat map that shows the source IP addresses that are attacking your honeypot network by country, region or city," he says.

Curran adds that it obviously depends upon the cloud platform itself. "The ideal honeypot for Amazon EC2 will differ from Microsoft's Azure or IBM's cloud," Curran advises. "In some ways, the traditional honeypots are not ideal as they tend to mirror the more traditional desktop and server operating systems while clouds are more a collection of services on a VM."

They are, however, most certainly best deployed where appropriate security professionals are also monitoring and analysing at all times. Curran insists that while there is software that can be used to monitor the honeypot, "the supplementary use of human interaction gives that extra layer of security and the professional may identify a potential or harmful attack that had never been seen before and of which monitoring software would hence have no knowledge."

One of the best bits of best practice advice is to customise from the get-go. Honeypot technology is open source, so the bad guys will be very familiar with its default settings and will watch for these early indications of a trap. Customising your honeypot makes it much harder for them to detect.

Are there any risks associated with cloud honeypots?

According to Amichai Shulman, CTO of security company Imperva, the main risk is uncertainty. "Like other cloud services, one is dependent on the provider for many security aspects," he says. "You may think that the honeypot is separate from production servers, but you cannot be sure."

Indeed, unknown vulnerabilities in the cloud infrastructure could potentially lead to the compromise of your production servers. Then, as AVG's CTO Yuval Ben Itzhak reminds us, you also have to be careful when accessing the honeypot from your own network, as "hackers may just be waiting for this connection to penetrate your network, like a thief waiting for your door to be opened."

The biggest risk is, perhaps, not choosing the right cloud partner to work with in the first place, as James Lyne, head of security research at Sophos, points out.

"Deploying honeypots in the cloud can involve some interesting challenges, for example many providers will not allow you to intentionally expose systems with vulnerabilities or will shut them down in the event they detect an attack - which is exactly when you want the system running."

Equally, intentionally exposing a system in the cloud gives an attacker a degree of access to a shared infrastructure which may have other people's systems or data 'nearby', reachable through so-called side-channel attacks. "You need to select providers carefully and be very cautious with cloud honeypots," Lyne warns.

Indeed, the legal risk is probably as great as any technical one and is ignored at your peril. "Deliberately deploying a honeypot in the cloud without conforming to your supplier's AUP may incur the wrath of your cloud provider," insists Thomas Owen, Memset's security manager. He adds: "Honeypots are designed to be attacked and can simulate a deep compromise, so you've just painted a target on your hosting provider's back."

Exposing honeypots that can be linked back to your organisation also raises your visibility to the hacker community. While this will have little impact on the background noise of bottom-feeder automated or shotgun attacks, or on those state-level attackers who may go after you regardless, a honeypot can have the effect of stirring up the mid-level hacker community. "Much in the same way that a public claim to be 'unhackable' is an ill-considered red flag to a bull," Owen sagely concludes, "honeypots can sometimes have a similar impact."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.