Trade Law Daily is a service of Warren Communications News.
EC Backs Cyber Research

ENISA Urges Governments to Use ‘Honeypots’ to Trap Cybercriminals, Admits They Raise Many Issues

“Honeypots” -- computing resources that act as “digital traps” to lure cyberattackers -- are a great way for computer emergency readiness teams (CERTs) to gain threat intelligence without affecting production infrastructure, but they face significant technical, legal and ethical barriers, said the European Network and Information Security Agency in a report on proactive detection of security incidents. It reviewed 30 existing honeypot and related technologies, focusing on open-source solutions, to advise CERTs which are best for deployment and use. Despite the various issues the technologies raise, CERTs should explore their use, the agency said. Meanwhile, the European Commission said it’s funding several projects aimed at addressing major cybersecurity issues.



Digital traps can be any type of computing resource -- an application, service, system or just a piece of information or data, the report (http://xrl.us/bn3kkw) said. “The key assumption is that any entity connecting to or attempting to use this resource in any way is by definition suspicious,” it said. All activity between a honeypot and any entity, assumed to be an adversary, interacting with it is monitored and analyzed to detect and confirm unauthorized usage attempts such as malicious or abusive behavior, it said. A honeypot should mimic a production resource as closely as possible, but no legitimate computer traffic should reach the honeypot, it said. The traps can be used for things such as monitoring Internet background noise (scanning activity of worms or bots), learning about compromised nodes or studying hacker behavior, it said.

Honeypots allow many kinds of cyberattacks to be detected and examined, ENISA said. But a 2011 survey showed that trap take-up in the CERT community was “not as popular as might be expected.” Out of 16 categories of tools, server-side honeypots (which use network services such as Secure Shell to listen on their standard ports and monitor any connections initiated by remote clients) came seventh, while client-side traps (which use a set of client applications such as a Web browser to connect to remote services and monitor all generated activity) came last in CERT popularity, it said. Many CERTs said they've used honeypots before but dropped them, although many also said they plan to use them in the future.

The survey implied there are barriers to mass use of honeypots despite their effectiveness, ENISA said. Many of the open-source honeypots are “hobby projects” which lack support or any community willing to sustain their development. Many began as graduate school or Google Summer of Code projects whose authors lost interest once they completed their thesis or moved on, it said. Many open-source technologies are hard to use. There’s also a lack of support tools to facilitate analysis and interpretation of collected data, making it tough to interpret the attacks a honeypot collects.

The collected data aren’t standardized, the report said. High-interaction honeypots (that use real resources as opposed to low-interaction tools that mimic their resources) are difficult to maintain, it said. Digital traps don’t monitor a network’s normal traffic, which can be an advantage in some ways, such as having potentially few false positives and fewer privacy issues, but can also mean that the technology doesn’t detect attacks aimed at production-level services. Client-side honeypots are especially difficult to use because they have to handle many complex, fast-changing technologies, so they're more unstable and more prone to missing cyberattacks than server-side counterparts.
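To make the mechanism described above concrete (a server-side trap that listens on a port, treats every connection as suspicious, and records the interaction in a structured form), here is an added example of a minimal low-interaction honeypot listener. It is not code from the ENISA report or from any of the tools it reviewed. It assumes a loopback-only deployment for the demonstration, a constructed fake service banner, and a hypothetical `simulate_probe` client that stands in for a scanner; in a real deployment the listener would sit on an address that receives no legitimate traffic, and the JSON-lines output would be shipped to whatever analysis tooling the CERT uses.

```python
import json
import socket
import threading
import time
from dataclasses import dataclass, asdict

# Constructed banner: the trap mimics a service greeting so that a scanner
# sees something plausible. No real SSH implementation is behind it.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


@dataclass
class HoneypotEvent:
    """One connection to the trap. Every connection is, by assumption, suspicious."""
    ts: float
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: str  # hex of the first bytes the client sent (empty if it sent none)


class LowInteractionHoneypot:
    """Accepts TCP connections, answers with a fake banner, records what the peer sends."""

    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER, read_timeout=1.0):
        self.events = []
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port=0 picks a free ephemeral port
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        self._banner = banner
        self._read_timeout = read_timeout
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._sock.close()  # unblocks accept() in the serving thread
        self._thread.join(timeout=2)

    def _serve(self):
        self._sock.settimeout(0.2)  # wake up periodically to check the stop flag
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        data = b""
        with conn:
            try:
                conn.sendall(self._banner)
                conn.settimeout(self._read_timeout)
                data = conn.recv(256)  # only a small sample; we never execute anything
            except (socket.timeout, OSError):
                pass
        event = HoneypotEvent(time.time(), addr[0], addr[1], self.port, data.hex())
        with self._lock:
            self.events.append(event)

    def wait_for(self, n, timeout=3.0):
        """Block until at least n events are recorded (handlers run in threads)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.05)
        return False


def summarize(events):
    """Per-source summary: connection count and the distinct payloads observed."""
    out = {}
    for e in events:
        entry = out.setdefault(e.src_ip, {"connections": 0, "payloads": set()})
        entry["connections"] += 1
        entry["payloads"].add(e.first_bytes)
    return out


def to_jsonl(events):
    """Structured, line-delimited output so collected data can be analyzed downstream."""
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in events)


def simulate_probe(port, payload=b""):
    """Hypothetical stand-in for a scanner: connect, read the banner, optionally talk back."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(64)
        if payload:
            s.sendall(payload)
    return banner


def run_demo():
    """Start the trap on loopback, send two constructed probes, return the recorded events."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        simulate_probe(hp.port)                          # connect, grab banner, leave
        simulate_probe(hp.port, b"SSH-2.0-scanner\r\n")  # connect and send a client banner
        hp.wait_for(2)
    finally:
        hp.stop()
    return hp.events


if __name__ == "__main__":
    print(to_jsonl(run_demo()))
```

The trap never tries to decide whether a peer is hostile: because no legitimate traffic is supposed to reach it, every connection is logged as an event, which is what keeps the false-positive rate low. The structured JSON-lines record addresses the data-standardization gap the report points to, and the fixed banner plus bounded `recv` is what makes this a low-interaction design rather than a real, harder-to-maintain service.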

There are other drawbacks, ENISA said. Security vendors haven’t generally embraced the idea of selling commercial honeypots, possibly because such solutions aren’t seen as essential for an organization since they don’t monitor or block production-level traffic, it said. In addition, many of the existing open-source honeypots are outdated and hard to install on modern systems. Moreover, many national and governmental CERTs don’t own or directly control a network where they can launch honeypots, it said. And there are potential legal and ethical problems, such as what happens if a honeypot is used to successfully attack another system.

The report made several recommendations to CERTs: (1) Explore the use of honeypots to boost early warning self-detection capabilities. (2) Plan how to handle any vulnerabilities or incidents within their networks discovered by use of a honeypot. (3) Cooperate on large-scale, interconnected sensor networks to collect threat intelligence from multiple geographic areas. (4) Take part in the development of honeypots and give feedback to developers.

As cyberincidents become more frequent and targeted, honeypots will face increasing challenges in their detection because of the difficulty of placing them in the path of the assaults, ENISA said. New platforms and attacks will spur new solutions, it said. There will be more honeypot research in several areas, including mobile platforms; IPv6-specific cyberattacks and malware; and social networks, the report said. Another area ripe for study is how to make better sense of all the data collected by honeypots, it said.

The EC is taking concrete steps to tackle cybersecurity risks, it said Monday. From 2007-2013, it will have spent about 350 million euros ($454 million) on cybersecurity, privacy and trust technologies, with 400 million euros earmarked for cybersecurity, privacy and trust technologies in 2013-2020, it said. An additional 450 million euros will go for “secure societies” research that includes aspects of cybersecurity, it said.

The EC is supporting several projects, it said. Experts are looking to develop solutions for predicting threats and vulnerabilities before they occur. Another project is trying to design secure software and systems for the future Internet, while another works on making the so-called Internet of Things more secure, it said. The “Tclouds” project is trying to find a combination of security, privacy and resilience that can be widely applied across cloud services, it said. The EC is also addressing better tools and more robust algorithms for digital signatures, it said.