In this week’s Whiteboard Wednesday, Dylan Cooper, Security Engineer at Rapid7, discusses the importance of honeypots and how they can be applied to your detection strategy.
Welcome to this week's Whiteboard Wednesday. My name is Dylan Cooper. I'm a security engineer here at Rapid7. The topic today is attacker deception technology: honeypots. A honeypot is a trap, for example, either a server or a system that lives within a network that is designed to either confuse or gather information about attackers. This is important for a couple of reasons. The two main use cases highlighted here are a production or low-interaction honeypot, or a research and high-interaction honeypot. Production honeypots are useful to both fill gaps within your network where your tools may not necessarily have coverage and/or to confuse attackers that may have already been in your network.Show more Show less
A research honeypot either lives in a cluster of networks on your network or on the open internet and is used to gather information about attacker trends, types of malware usage, and vulnerabilities being exploited for a certain period of time. This integrates into the overall detection strategy in a couple of ways. The production or low-interaction usually fall into the category of deception technology. Deception technology is a commercial version of honeypots which can be found for free online. These are deployed either stand-alone or in clusters and, as mentioned earlier, can fill gaps in your network detection strategy but also better inform your incident detection and response strategy.
For research purposes, the trend information can either be boiled down to specifically your use case to see what attacks are being leveraged against your machines or machines that may have similar vulnerabilities or similar software running or as a better way to provide threat intelligence to your security organization that isn't just general IP-based information. That's it for this week's Whiteboard Wednesday. We'll talk to you next week.