What’s the Difference Between a High Interaction Honeypot and a Low Interaction Honeypot?
A honeypot is a decoy system that is intentionally insecure, used to detect and alert on an attacker’s malicious activity. A smart honeypot solution can divert hackers from your real data center, and also allow you to learn about their behavior in greater detail, without any disruption to your data center or cloud performance.
Honeypots differ in the way that they’re deployed and the sophistication of the decoy. One way to classify the different kinds of honeypots is by their level of involvement, or interaction. Businesses can choose from a low interaction honeypot, a medium interaction honeypot or a high interaction honeypot. Let’s look at the key differences, as well as the pros and cons of each.
Choosing a Low Interaction Honeypot
A low interaction honeypot will only give an attacker very limited access to the operating system. ‘Low interaction’ means exactly that, the adversary will not be able to interact with your decoy system in any depth, as it is a much more static environment. A low interaction honeypot will usually emulate a small amount of internet protocols and network services, just enough to deceive the attacker and no more. In general, most businesses simulate protocols such as TCP and IP, which allows the attacker to think they are connecting to a real system and not a honeypot environment.
A low interaction honeypot is simple to deploy, does not give access to a real root shell, and does not use significant resources to maintain. However, a low interaction honeypot may not be effective enough, as it is only the basic simulation of a machine. It may not fool attackers into engaging, and it’s certainly not in-depth enough to capture complex threats such as zero-day exploits.
Is a High Interaction Honeypot a More Effective Choice?
A high interaction honeypot is the opposite end of the scale in deception technology. Rather than simply emulate certain protocols or services, the attacker is provided with real systems to attack, making it far less likely they will guess they are being diverted or observed. As the systems are only present as a decoy, any traffic that is found is by its very existence malicious, making it easy to spot threats and track and trace an attackers behavior. Using a high interaction honeypot, researchers can learn the tools an attacker uses to escalate privileges, or the lateral movements they make to attempt to uncover sensitive data.
With today’s cutting-edge dynamic deception methods, a high interaction honeypot can adapt to each incident, making it far less likely that the attacker will realize they are engaging with a decoy. If your vendor team or in-house team has a research arm that works behind the scenes to uncover new and emerging cyber threats, this can be a great tool to allow them to learn relevant information about the latest tactics and trends.
Of course, the biggest downside to a high interaction honeypot is the time and effort it takes to build the decoy system at the start, and then to maintain the monitoring of it long-term in order to mitigate risk for your company. For many, a medium interaction honeypot strategy is the best balance, providing less risk than creating a complete physical or virtualized system to divert attackers, but with more functionality. These would still not be suitable for complex threats such as zero day exploits, but could target attackers looking for specific vulnerabilities. For example, a medium interaction honeypot might emulate a Microsoft IIS web server and have sophisticated enough functionality to attract a certain attack that researchers want more information about.
Thinking about your Return on Investment
One way to decide what kind of honeypot you need is to consider the ROI, how much the honeypot solution is costing you in management overhead, compared to the actual detection of cyberattacks. We recommend the following calculation. Take the amount of quality incidents that your honeypot uncovers each month, and divide that by the hours you invest in the system in said month. If your result is smaller than one, then you have a problem. Your honeypot solution is costing you more than it’s worth. A low interaction honeypot usually takes a substantial amount of time to manage and update, but even if you only invest 5 hours a month, and find just 1 quality incident, that’s very low ROI. In contrast, higher interaction honeypot solutions usually take the same amount of time to manage but are more effective in uncovering incidents. You would invest the same amount of time but get substantially more incidents- that’s serious value for money.
It’s essential to think about coverage when you are working out your ROI. A large number of incidents that only cover a small portion of the network might not be worth the maintenance and cost requirements. Look at the projected costs for covering more of the network, and extending the amount of hours you need. Will the ROI remain good?
Reducing Risk When Using a High Interaction Honeypot
Once you’ve established that the ROI makes the cost and maintenance needs worth it, using a high interaction honeypot is the best way of using deception technology to fool attackers and get the most information out of an attempted breach. Sophisticated honeypots can simulate multiple hosts or network topologies, including HTTP and FTP servers and virtual IP addresses. The technology can identify returning hackers by marking them with a unique passive fingerprint. You could also use your honeypot solution to separate internal and external deception, keeping you safe from cyber threats that move East-West as well as North-South.
Mitigating the risk of using a high interaction honeypot is easiest when you choose a security solution that uses honeypot technology as one branch of an in-depth solution. Micro-segmentation technology is a powerful way to segment your live environment from your honeypot decoy, ensuring that attackers cannot make lateral moves to sensitive data. With the information you glean from an isolated attacker, you can enforce and strengthen your policy creation to double down on your security overall.
Actionable Information is Sweeter than Honey
Whichever type of honeypot solution you use, the most important element to consider is how actionable your intel is from the system. Looking at the numbers may inspire confidence in the solution, especially if your ROI looks strong with low-effort and high returns on your incidents.
However, none of those numbers mean anything if your SOC team can’t do something with the information that’s coming in. Ask yourself a simple question. Does your honeypot system allow you to detect actual threats inside your infrastructure? Take just one incident, and assess whether the person receiving the alerts understands and can respond to the incident effectively. If not, it simply doesn’t matter.
Understanding the differences between low, medium and high interaction honeypot solutions is the first step to making a smart choice for your company. While a low interaction honeypot might be simple to deploy and low risk, the real benefits come from using a strong, multi-faceted approach to breach detection and incident response that uses the latest high interaction honeypot technology. For ultimate security, a solution that utilizes microsegmentation ensures an isolated environment for the honeypot. This lets you rest assured that you aren’t opening yourself up to unnecessary risk while reaping the rewards of a honeypot solution.
With Guardicore Centra, you get a honeypot solution that is built with key criteria in mind, so that you get the best return on your investment. Our honeypot is zero-touch, and zero-configuration, minimizing the amount of time and effort you need to spend on maintaining the solution. Furthermore, it provides full coverage of the network without compromising on ROI, facilitating high-interaction incidents that are easily readable and actionable.
Want to learn more about how to accelerate microsegmentation for your data center?
