It started with an innocent tweet that turned into an interesting conversation and, at the same time, a shameless plug (marketing campaign?).
"It's time to start accepting that your NSM infrastructure is incomplete if you aren't leveraging honeypots for detection. #DFIR"
Since I follow Chris closely (as should all of you), I immediately noticed this tweet and responded with my heart.
You can follow the conversation, if you can find it, but I'll summarize it in my own words. Chris feels that organizations will benefit greatly from deploying and monitoring honeypots throughout the organization's internal network. To outline this thought process, he is presenting his thoughts at BSides Augusta in his talk "Using Honeypots for Network Security Monitoring." He will also be writing about the topic specifically in a follow-on book to his Applied Network Security Monitoring series. My understanding is that his argument starts from the observation that organizations' security teams are overloaded with information from Network Security Monitoring (NSM) events. Honeypots, if implemented correctly and securely, provide a focused feed of alerts that can be quickly tuned to weed out false positives and deliver timely and useful attack data.
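To make the "focused feed of alerts" point concrete, here is a small added example (written for this post; it is not Chris's material and not tooling from the original discussion). It runs a honey-account rule and a conventional brute-force rule over a handful of constructed sshd log lines. The honey account name, the log lines, and the source addresses are all made up for the demonstration. The difference it shows: the honey-account rule needs no threshold because the account has no legitimate users, while the failed-login rule has to be tuned around real users mistyping passwords.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines for the demo (not from the original post).
# jdoe is an ordinary user; backup_svc is an assumed honey account that no person
# or job ever logs in with, so any use of it is suspicious by definition.
SAMPLE_LOG = """\
Sep 10 08:01:12 fs01 sshd[2101]: Accepted publickey for jdoe from 10.1.4.22 port 51022 ssh2
Sep 10 08:03:45 fs01 sshd[2133]: Failed password for jdoe from 10.1.4.22 port 51030 ssh2
Sep 10 08:03:50 fs01 sshd[2133]: Accepted password for jdoe from 10.1.4.22 port 51030 ssh2
Sep 10 08:15:02 fs01 sshd[2209]: Failed password for backup_svc from 10.1.9.77 port 40211 ssh2
Sep 10 08:15:03 fs01 sshd[2209]: Failed password for backup_svc from 10.1.9.77 port 40211 ssh2
Sep 10 08:15:07 fs01 sshd[2214]: Accepted password for backup_svc from 10.1.9.77 port 40215 ssh2
Sep 10 08:20:31 fs01 sshd[2290]: Failed password for invalid user admin from 10.1.9.77 port 40300 ssh2
"""

# Assumed set of honey account names; in practice this comes from whoever seeded them.
HONEY_ACCOUNTS = {"backup_svc"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_lines(text):
    """Parse sshd auth lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def honey_account_alerts(events, honey_accounts=HONEY_ACCOUNTS):
    """Alert on every touch of a honey account.

    No threshold and no tuning are needed: the account has no legitimate users,
    so a single failed or successful login is already a true positive. Events are
    grouped by (user, source) so one attacker yields one alert with counts instead
    of one alert per attempt.
    """
    grouped = {}
    for ev in events:
        if ev["user"] not in honey_accounts:
            continue
        key = (ev["user"], ev["src"])
        alert = grouped.setdefault(key, {
            "user": ev["user"], "src": ev["src"], "host": ev["host"],
            "first": ev["ts"], "last": ev["ts"], "attempts": 0, "successes": 0,
        })
        alert["last"] = ev["ts"]
        alert["attempts"] += 1
        if ev["result"] == "Accepted":
            alert["successes"] += 1
    return sorted(grouped.values(), key=lambda a: (a["user"], a["src"]))


def failed_login_alerts(events, threshold=5):
    """Conventional brute-force rule for contrast: N or more failed logins from one source.

    This rule needs tuning: real users mistype passwords (jdoe above), so the
    threshold is a trade-off between noise and missed low-and-slow attempts.
    Returns (src, failures) pairs at or above the threshold.
    """
    failures = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
    return sorted((src, n) for src, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_auth_lines(SAMPLE_LOG)
    for a in honey_account_alerts(evs):
        print("HONEY ACCOUNT ALERT:", a)
    print("brute-force rule (threshold 5):", failed_login_alerts(evs))
    print("brute-force rule (threshold 3):", failed_login_alerts(evs, threshold=3))
```

On the sample data the honey rule raises exactly one alert, for 10.1.9.77, with three attempts and one success, while the brute-force rule at a threshold of 5 raises nothing and only fires once the threshold is lowered to 3. That is the whole appeal of honey accounts: the rule is trivial and the alert is high fidelity. The caveat, which the rest of this post is about, is that someone still has to seed the accounts, make sure they are never used legitimately, ship the logs, and watch the alerts.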
My "No" answer does not dispute that the data produced by properly implemented and tuned honeypots, honey accounts, and honey services (canaries, if you like) is extremely useful within an organization. My argument is that most organizations will need to prioritize these efforts against other security controls and NSM efforts. Let's face it, there are very few organizations out there that do NSM well already. Tacking on another security control that needs to be designed, deployed, tuned, and maintained before mastering the rest of your NSM effort is wasted effort. Most security staff in organizations are pulling double duty implementing, maintaining, and monitoring security controls and ensuring compliance. Since security staff are usually the most motivated and knowledgeable personnel in an organization, they are often pulling triple duty providing administrative advice and assistance as well.
So, I still say "No" to Chris' original statement. But I do say "Yes" to Chris' thought process and forward-thinking security architecture approach. Honeypots, honey accounts, and honey services have excellent potential for organizations with mature security and administrative staff. For those organizations that are still struggling to mature their security program, I would rather see Chris outline a logical progression of a security program (not just NSM) that eventually includes these technologies. This brings to mind Robert M. Lee's Sliding Scale of Cyber Security, which outlines the benefits of developing good architecture first and then determining the security controls and solutions that most effectively address specific threats for that specific organization.
In summary, I encourage Chris to keep promoting this topic and progressing these techniques. I hope he realizes that organizations need to understand where these controls fit into the overall security program. I am certain that Chris will be able to demonstrate how implementing honeypots, honey accounts, and honey services earlier in the process can help weed out the false-positive alerts that dog a security team. I am also hoping that he helps them understand that full monitoring and alerting will always be a necessity for administration and incident response. Honey-based techniques are not a shortcut that reduces the other controls necessary for an effective security program.
All of that said, do not forget that Chris has an excellent charity, Rural Technology Fund, that benefits from all his hard work. It is an impressive effort and I strongly recommend that you consider how you can help him.
Go forth and do good things,
Don C. Weber