Honeypots are machines whose only purpose is to entrap attackers who scan or even hack into them. Honeypots are very powerful for detecting incidents because every interaction with them is illegitimate by definition: honeypots do not host legitimate data or services, so there is no reason for a regular user to interact with them.
However, honeypots come with one major drawback: a great deal of security professionals have told me that they built a honeypot, played around with it, and eventually abandoned it because the return on their time investment was too small. How do you know that it's functioning? How do you manage the whitelisting of legitimate scanners? What about periodic updates and configuration changes?
Even though honeypots have been around for years, there is nothing shocking about this challenge because the security software market has been embarrassingly bad at enabling security pros to take advantage of developments from the security research community. A honeypot alone would not justify a hefty price tag, so most security vendors opt not to create one.
Earlier this year, the UserInsight team looked at a few different attacker behaviors and decided that they would be extremely easy to detect if only we had a honeypot in place. So... we built one. Here's how easy it is to set up and maintain UserInsight honeypots:
- Every UserInsight customer can install one in a couple minutes at no additional cost
- You want to deploy multiple honeypots so that you can brag to your friends about your honeynet? Go to town.
- Some customers install them in the DMZ; some deploy them in the corporate environment; some in both. It doesn't matter. As long as the honeypot can connect to one of your UserInsight collectors for communication, you can put them anywhere you desire.
- After deploying a pre-installed virtual machine (OVA format), UserInsight will maintain your honeypot(s). That's right. Your time and effort investment is mostly covered by clicking on the button you see here.
From all feedback I have received thus far, we managed to address the biggest continuous challenge, as well: central management. Close an incident from the UserInsight console to avoid having to access each individual honeypot for whitelisting and configuration changes:
Learn more about honeypots and honeyusers in UserInsight here.
In case you missed it, this is included in every UserInsight POC. Set it up. Learn how your vulnerability scanner behaves. Whitelist it. Shock your boss by finding everyone else that scans the network.
Honeypots are not just for experimentation anymore. Watch how easy it is to get your configured in this video. If you'd like to start a conversation or are thinking of trying UserInsight, please give us a call or fill in our Contact Us form.