Cyber security according to Winnie the Pooh: new report by ENISA on ‘digital trap’ honeypots creates a buzz
November 2012 by ENISA
The EU ‘cyber security’ Agency ENISA is launching an in-depth study on 30 different ‘digital traps’ or honeypots that can be used by Computer Emergency Response Teams (CERT)s and National/Government CERTs to proactively detect cyber-attacks. The study reveals barriers to understanding basic honeypot concepts and presents recommendations on which honeypot to use.
An increasing number of complex cyber-attacks demand better early warning detection capabilities for CERTs. Honeypots are, simplified, traps with the sole task of luring in attackers by mimicking a real computing resource (e.g. a service, application, system, or data). Any entity connecting to a honeypot is deemed suspicious, and all activity is monitored to detect malicious activity.
This study is a follow-up to a recent ENISA report on Proactive Detection of Network Security Incidents. The previous report concluded that while honeypots were recognised by CERTs as providing crucial insight into hacker behaviour, their usage to detect and investigate attacks was still not as widespread as might be expected. This implied barriers to their deployment.
This new study presents practical deployment strategies and critical issues for CERTs. In total, 30 honeypots of different categories were tested and evaluated. Goal: to offer insight into which open source solutions and honeypot technology are best for deployment and usage. Since there is no silver bullet solution, this new study has identified some shortcomings and deployment barriers for honeypots: the difficulty of usage, poor documentation, lack of software stability and developer support, little standardisation, and a requirement for highly skilled people, as well as problems in understanding basic honeypot concepts. The study also presents a classification and explores the future of honeypots.
The Executive Director of ENISA Professor Udo Helmbrecht commented: “Honeypots offer a powerful tool for CERTs to gather threat intelligence without any impact on the production infrastructure. Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT’s constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics. Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies’ assets.“
For full report: www.enisa.europa.eu/activiti...