The benefits of using a cloud honeypot for threat intelligence

The issue with honeypots

A honeypot is a great weapon in the arsenal of defensive security teams. However, it does come with some challenges.

There is always the risk that an attacker will successfully exploit a honeypot and then manage to move laterally into the actual production network. It is critical for admins to isolate a honeypot from any other networks.

Another challenge is the amount of time needed and the cost of managing a honeypot. The system must be configured and maintained, and the activity needs to be acted upon by the organization's security team for it to be of any value.

It can take a while to structure and fit a honeypot into the operational processes. The information gathered should lead to the kind of actionable intelligence that security teams need for defense -- for instance, by blocking the adversary's infrastructure, creating intrusion prevention system rules, or capturing malware signatures.

Using the cloud

Some of these challenges can be overcome using a public cloud system to host a honeypot.

The public cloud provides complete isolation from any production network. There is also no need for specific hardware or dedicated internet connections. Once a machine has been compromised and the data has been collected, a snapshot can be used to revert the system back to its previous state.

Another advantage of using a cloud honeypot deployment is that it can be distributed anywhere in the world by selecting the desired geographical locations within the cloud system configuration. A sensor can be placed in East Asia one day and moved to Germany the next day with just a few mouse clicks.

Because observable attacks and attackers can differ depending on the location of the exposed system, this is great for research and intelligence gathering purposes. A distributed honeypot network consisting of a manager and several sensors, such as the Modern Honey Network, can benefit from this flexibility.

Limitations of a cloud honeypot

There is a direct correlation between placement and relevance when it comes to honeypots.

For a cloud honeypot to provide the most relevant and actionable output, it needs to be linked to an organization the potential attacker is interested in. This could be done with a fake company website or a registered domain name. Only then will the organization be able to observe highly targeted attacks rather than simple scans by attackers looking for any low-hanging fruit.

If it's possible, placing a honeypot within the organization's existing cloud perimeter can also help identify targeted attacks, but the isolation needs to be well-designed.

There is also a legal and policy aspect to the use of cloud honeypots. Some cloud providers do not like the idea of directing hackers into their networks and collecting malware within their infrastructure. After all, once the host is compromised, there is a chance it can be used to attack other targets on the internet. This could damage the reputation of the cloud provider that hosts the compromised system and could lead to that provider's IP ranges and domains being blocked, affecting its other customers.

When in doubt, always look at the vendor's online usage policies or contact the provider for permission before setting up a cloud-based honeypot system.

Honeypots require a lot of maintenance in order to reach their full potential. They also offer some risks. By using a cloud platform, at least the risk of cross-contamination between a honeypot and a production system can be reduced to almost zero. Adding in the benefit of the significant flexibility of deployment locations and the cloud becomes a great environment for any organization ready to take the first steps into the realm of honeypot deployments.