Honeypots and Cyber Threat Intelligence
Cyberprotect, in order to constantly strengthen the cyber-security of its customers, must remain proactive about cyber threats. That is why we invest a lot of our expertise and time in CTI, aka Cyber Threat Intelligence.
The term Threat Intelligence is fairly new: it appeared around 2010. Before that, it was mainly states and a few organizations that practised it; it became widespread as the number of major APT cases increased. It is in fact a discipline based on intelligence techniques, meaning the collection, organization and correlation of information related to cyber threats.
The ultimate goal is to profile attacks. This profiling ideally lets you understand how to defend yourself, but also how to be proactive about threats. To take up Gartner’s definition again, threat intelligence is “evidence-based knowledge, including context, mechanisms, indicators, implications and concrete advice, about a new or existing threat or risk to an organization’s assets that can be used to inform decisions about the subject’s response to that threat or danger.”
CTI is intelligence-based, and for that we must collect various kinds of information: IOCs and attack histories, but also identifying signs such as organizations, the use of specific services, techniques and methods. One of the most advanced collection methods is based on the use of Honeypots.
Honeypots rely on the principle of “the trapper trapped”: they are technological solutions used in IT security to deliberately attract attackers by posing as a normal user.
As a result, a Honeypot acts as bait for attackers of computer systems. A Honeypot must offer apparent and known vulnerabilities, an analysis system (IDS), and must be sufficiently secured and/or isolated so that the attacker cannot break out of it. The vulnerabilities built into the Honeypot help to fool the attacker.
Honeypots can be split into two typologies. The first is a Honeypot partially open to the attacker, who has only limited access to the system. The second, on the contrary, gives the attacker full access to the operating system. These correspond to two service levels, high interaction and low interaction, each with its own field of use: high-interaction Honeypots are mainly used in research, while low-interaction Honeypots are most often used in production. The latter operate by emulating certain services and operating systems while allowing only limited interaction; the attacker on this type of Honeypot will not have access to the entire operating system. In our case, we will use high-interaction Honeypots.
A high-interaction Honeypot consists of the following elements: a resource, data control, a data capture system and an external logging system. They are also known as second-generation Honeypots (GEN-II) and started to be developed in 2002. They are more complex and consist of real operating systems and applications, unlike low-interaction Honeypots. For example, a real FTP server will be built if the Honeypot’s purpose is to retrieve information about attacks on FTP servers.
Honeypots are mainly used in research, military and government organizations. Since they constitute a wealth of information, they make it possible to quickly collect a lot of information on the methods used by the Black Hat community. This information then allows researchers to better understand attack logic and techniques in order to improve defense systems and tools. Honeypots also allow the detection of new vulnerabilities and new attack vectors in protocols or software. They can also be used to strengthen or check existing intrusion detection systems. They make it possible to collect information of high importance that can be used in statistical or forensic analysis. However, it is important to keep in mind that research Honeypots are mainly aimed at discovering new attack methods.
Honeypots have evolved a lot in recent years and now offer much greater flexibility at a better cost-effectiveness. These advances make their deployment and use in information systems easier and more efficient, avoiding many of the errors that result from manual configuration. All of this contributes to the increasing use of Honeypots in many areas.
Honeypots are formidable tools for trapping cyber-threat indicators and behaviors. However, depending on where a Honeypot is placed, the threats observed can be completely different. A Chinese Honeypot and a Canadian Honeypot will probably be scanned by the same entities, but the attacks, and the tools used, will differ. Honeypots can therefore be a great source for CTI, but they can also be biased by their placement.
That is the reason why Cyberprotect has deployed an advanced infrastructure to efficiently capture global threats. In the next article, we will look at how we designed this global Honeypot infrastructure and how to exploit it in practice.
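The two points above, the data capture and external logging components of a high-interaction Honeypot and the placement bias between sensors in different regions, are easiest to see on actual capture data. The following is an added example, not code from the article or from Cyberprotect's infrastructure: it parses a constructed JSON-lines feed such as an external logging system might emit, turns it into per-source IOCs, and breaks events down by sensor region so that sources seen by several sensors can be separated from those that may only be a placement artefact. The sensor names, field names and addresses (documentation ranges) are all assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample feed (one JSON object per line) imitating what an external
# logging system might receive from two sensors in different regions. The field
# names, sensor ids and addresses are made up; the last line is deliberately
# malformed to show that the parser must tolerate noise.
SAMPLE_LOG = """\
{"sensor": "hp-ca-01", "region": "CA", "src_ip": "203.0.113.10", "service": "ssh", "event": "login_attempt", "username": "root", "password": "123456"}
{"sensor": "hp-ca-01", "region": "CA", "src_ip": "203.0.113.10", "service": "ssh", "event": "login_attempt", "username": "admin", "password": "admin"}
{"sensor": "hp-cn-01", "region": "CN", "src_ip": "203.0.113.10", "service": "ssh", "event": "login_attempt", "username": "root", "password": "toor"}
{"sensor": "hp-cn-01", "region": "CN", "src_ip": "198.51.100.7", "service": "ftp", "event": "login_attempt", "username": "anonymous", "password": ""}
{"sensor": "hp-cn-01", "region": "CN", "src_ip": "198.51.100.7", "service": "ftp", "event": "command", "command": "STOR miner.sh"}
{"sensor": "hp-ca-01", "region": "CA", "src_ip": "192.0.2.55", "service": "http", "event": "request", "path": "/.env"}
not json at all
"""


def parse_records(text):
    """Parse a JSON-lines feed, skipping blank or malformed lines.

    A capture pipeline must survive garbage (truncated writes, attacker-sent
    binary) without dropping the whole batch, so bad lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Minimum fields needed to attribute an event to a source and a sensor.
        if "src_ip" in rec and "sensor" in rec and "region" in rec:
            records.append(rec)
    return records


def extract_iocs(records):
    """Aggregate events per source address into an indicator record:
    event count, services touched and the sensors that observed it."""
    iocs = defaultdict(lambda: {"events": 0, "services": set(), "sensors": set()})
    for rec in records:
        entry = iocs[rec["src_ip"]]
        entry["events"] += 1
        entry["services"].add(rec.get("service", "unknown"))
        entry["sensors"].add(rec["sensor"])
    return dict(iocs)


def placement_breakdown(records):
    """Count events per (region, service): this is where placement bias shows,
    e.g. one region attracting FTP abuse while another only sees SSH guessing."""
    return Counter((r["region"], r.get("service", "unknown")) for r in records)


def global_sources(iocs):
    """Sources observed by more than one sensor. A source hitting sensors in
    several regions is a stronger CTI indicator than one seen by a single
    sensor, which may simply reflect where that sensor is placed."""
    return sorted(ip for ip, entry in iocs.items() if len(entry["sensors"]) > 1)


def credential_pairs(records):
    """Username/password pairs tried against the sensors, most common first."""
    pairs = Counter(
        (r.get("username", ""), r.get("password", ""))
        for r in records
        if r.get("event") == "login_attempt"
    )
    return pairs.most_common()


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    iocs = extract_iocs(recs)
    print("records parsed:", len(recs))
    for ip, entry in sorted(iocs.items()):
        print(ip, entry["events"], sorted(entry["services"]), sorted(entry["sensors"]))
    print("per region/service:", dict(placement_breakdown(recs)))
    print("seen by multiple sensors:", global_sources(iocs))
    print("credentials tried:", credential_pairs(recs))
```

In practice the feed would be read from the external logging system rather than an inline string, and the "seen by multiple sensors" test is what separates indicators worth sharing as CTI from observations that only describe one sensor's neighbourhood.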