"When able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." Sun Tzu, The Art of War (5th century BC).
There has been, for decades, a great deal of focus on the practice of Internet-facing cybersecurity. Substantial resources are now devoted to aligning the findings from those observations to the MITRE ATT&CK framework, and that is a smart move as a practice: normalizing terminology and descriptions allows higher-fidelity identification and, potentially, attribution.
The traditional, and somewhat stagnant, cybersecurity analytics routine is to observe, examine, catalog and then move on to the next encounter. That approach is rightly under scrutiny as a mainline methodology for stanching the bleeding that results from being behind the curve. Here, though, I'd like to focus on how we can obtain higher-fidelity initial observations and how that relates to managing risk. By understanding the trajectory of the threat actor and of attacks on production systems, we have a well-established method of managing actors in a way where their activity is always observed, understood and even encouraged, so that mitigation is on point. The technique and technology of choice for that should be the honeypot.
Honeypot endpoints and tokens are not new. For the past 20 years The Honeynet Project has worked with the community of researchers and practitioners to develop techniques and lures for studying the vast community of threat actors and threats through deception, and honeypots themselves have been around since the 1980s. Recently, Chris Sanders published a very good book, Intrusion Detection Honeypots: Detection through Deception, on the history of honeypots and on recommended techniques for implementing and maintaining intrusion detection honeypots.
Honeypots can be a dream come true for researchers as well as security teams. The tactics, techniques and procedures (TTPs) used by threat actors are ever evolving, but an adept team can think ahead and lay the groundwork to detect and catalog the threat actor and reveal their objectives. Honeypot techniques can be used to understand external as well as internal threats.
Unlike the predicate for entrapment in a real-life policing action, which requires inducing someone to act, the honeypot simply presents an attractive target and is vested, heavily, in understanding and leveraging the catalog of TTPs employed in every varying and evolving threat actor engagement. Ultimately it intends to reveal the mens rea for which a threat actor would be deemed culpable.
When viewed from the perspective of the Cyber Neighborhood Watch, referenced in my previous post regarding transparency, the use of honeypots as a method of exposing malicious intent adds bona fides to observations. Those observations should be shared with the wider community on a regular basis.
Honeypots started as a method to capture the activity of intruders and, through deception, understand the goals and methods of the actor. That is still a worthy pursuit, not only for research but also as a proactive practice in the production environment.
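To make the capture-and-catalog loop concrete, here is an added example (my own code, not from the original post, from Chris Sanders' book or from The Honeynet Project): a minimal low-interaction honeypot in Python that presents a fake login prompt, records whatever the intruder types, and emits one JSON event per session labelled with a MITRE ATT&CK technique. The decoy banner, the listening port, the attempt limit, and the choice of T1046 (Network Service Discovery) for connect-and-leave probes versus T1110 (Brute Force) for credential guessing are this example's assumptions, not the post's.

```python
"""Minimal low-interaction login honeypot (added example, not the post's code).

Every connection gets a decoy 'login:' prompt. Whatever the peer sends is kept
verbatim, turned into (username, password) pairs, and written out as one JSON
event per session so it can be cataloged and shared.
"""
import json
import socketserver
from datetime import datetime, timezone

# Constructed decoy strings and settings; nothing here describes a real host.
BANNER = b"Ubuntu 20.04 LTS\r\n\r\nlogin: "
PASSWORD_PROMPT = b"Password: "
REJECT = b"\r\nLogin incorrect\r\n\r\nlogin: "
MAX_ATTEMPTS = 5              # let the actor try a few pairs, then drop them
LISTEN = ("0.0.0.0", 2323)    # hypothetical port; bind 23 only when running as root


def parse_attempts(data: bytes):
    """Turn the raw bytes a peer sent into (username, password) pairs.

    The prompt alternates 'login:' and 'Password:', so the peer's lines alternate
    username, password. Empty passwords are kept (they are common in guessing);
    a trailing username with no password yet gets password None.
    """
    text = data.decode("utf-8", "replace").replace("\r\n", "\n")
    lines = text.split("\n")
    if lines and lines[-1] == "":      # drop only the empty piece after the final newline
        lines.pop()
    pairs = []
    for i in range(0, len(lines), 2):
        user = lines[i].strip()
        password = lines[i + 1].strip() if i + 1 < len(lines) else None
        pairs.append((user, password))
    return pairs


def classify(attempts):
    """Map what the session did to an ATT&CK technique (assumed mapping).

    A peer that connects and leaves without sending credentials looks like a
    service scan (T1046); one that submits credential pairs is guessing (T1110).
    """
    if not attempts:
        return {"technique": "T1046", "name": "Network Service Discovery"}
    return {"technique": "T1110", "name": "Brute Force"}


def build_event(src_ip, src_port, data: bytes, now=None):
    """Build the JSON-serialisable record that gets cataloged for one session."""
    attempts = parse_attempts(data)
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "bytes_received": len(data),
        "attempts": [{"user": u, "password": p} for u, p in attempts],
        "attack_mapping": classify(attempts),
    }


class LoginHoneypot(socketserver.StreamRequestHandler):
    timeout = 30  # idle peers are dropped; scanners usually never send a line

    def handle(self):
        received = b""
        try:
            self.wfile.write(BANNER)
            for _ in range(MAX_ATTEMPTS):
                user = self.rfile.readline()
                if not user:
                    break
                received += user
                self.wfile.write(PASSWORD_PROMPT)
                password = self.rfile.readline()
                if not password:
                    break
                received += password
                self.wfile.write(REJECT)   # never let anyone "in"; just keep recording
        except OSError:
            pass                           # timeout or reset: catalog what we have
        event = build_event(self.client_address[0], self.client_address[1], received)
        print(json.dumps(event), flush=True)   # one JSON line per session


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, LoginHoneypot) as server:
        server.serve_forever()
```

Run it, connect with `nc 127.0.0.1 2323`, type a username and password, and one JSON line per session appears on stdout; the pair list and the technique label are what you would feed into a shared catalog. The decoy never validates anything, so there is no inducement beyond the presence of a listening port.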
Stay aware, stay safe and be crafty to catch evil.