From what I understand, honeypots, in addition to honey tokens, are meant to prevent malicious insiders. Given recent high-profile cases involving malicious insiders (Snowden), why are honeypots not deployed more frequently? Is it because honeypots are not easy to deploy? Or is it because they are not very effective?

mrQWERTY
  • Who would be responsible to set up the honeypot for a system administrator? Who watches the watcher? –  Aug 09 '15 at 13:13
  • The watcher is a point of failure. But not having a watcher and a honeypot system introduces even more points of failure, since anyone on the inside is a potential threat. – mrQWERTY Aug 09 '15 at 14:25

2 Answers

There are legalities of honeypots that need to be considered. Here is a much older article, but it does provide some information. In general, from what I've seen, the industry has moved away from honeypots.

For one, their effectiveness hasn't been established on a large enough scale to be of use to companies. Secondly, the legalities have made it difficult to run. For example, Super DMCA kept LaBrea Tarpit from becoming widely adopted.

That doesn't mean honeypots don't have their place, or can't be effective, but their use should be weighed with the problem being solved and the laws in the locale that they are being run.

kenorb
  • Honeypots need to be carefully considered so as not to fall afoul of "entrapment" issues, but as a "canary in the mine", I find them invaluable. In short: don't use a honeypot as a sole means of defining unauthorized activity, but rather use them as an event generator to prompt further investigation into unauthorized activity that has already happened. – schroeder Aug 09 '15 at 19:36
Honeypots are "Security by Obscurity" when employed to catch insiders. Once it is known what the honeypot is, it is no longer effective.

On the other hand, honeypots employed to catch external users who have gained insider access can be very useful (I use them all the time). In this case, you can publicize the existence of the honeypot to internal users so that any activity on the honeypot is suspicious.

Legal issues scare people away (read HexTitan's link), honeypots can generate large numbers of false positives (making them potentially expensive to manage), and they need to be carefully designed so that they do not become an attacker's asset.

All these issues combined have come up when I suggest employing honeypots in my organizations. I have successfully countered the arguments, but the resistance has always been huge.

In short: "honeypot" is a broad term, and the confusion and ambiguity that result from that vagueness lead to resistance from management to using honeypots in general.

schroeder
  • You wrote "I use them all the time". Did they help to prevent an attack or find the attacker? Can you please give examples of their effectiveness from your practice? – vasili111 Aug 10 '15 at 07:43
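The "canary" pattern schroeder describes in his comment on the first answer and in his own answer (plant something no legitimate user should ever touch, treat any touch as an event to investigate rather than as a verdict, and keep the false-positive cost down) can be shown as a small detector run over access logs. The following is an added example, not code from the question or from either answer. The log line format, the two honeytokens (a decoy account name and a decoy file share), the allowlisted scanner address and the sample log lines are all constructed for illustration.

```python
"""Honeytoken hit detection over constructed access-log lines.

Added example, not from the original page. Log format, token names, the
allowlisted source address and the sample log are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Decoy identifiers planted on purpose. Nothing legitimate ever uses them, so
# any appearance in a log is an event worth a human look (a canary, not a
# verdict). Both values are assumptions for this example.
HONEYTOKENS = {
    "svc_backup_legacy",              # decoy account seeded into an old config file
    r"\\files01\hr_salaries_2014",    # decoy share nobody has a reason to open
}

# Sources whose touches are known noise, e.g. the authorised vulnerability
# scanner that enumerates every account. This is how the false-positive rate is
# kept down without switching the canary off. Assumed address.
EXPECTED_SOURCES = {"10.0.9.5"}

# Assumed log format: "<timestamp> <source-ip> <user> <action> <target>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) "
    r"(?P<action>\S+) (?P<target>.*)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    action: str
    token: str   # which decoy was touched
    raw: str     # the original line, kept for the investigator


def matched_token(user: str, target: str) -> Optional[str]:
    """Return the honeytoken this event touched, or None if it touched none."""
    if user in HONEYTOKENS:
        return user
    for token in HONEYTOKENS:
        if token in target:
            return token
    return None


def find_hits(lines: Iterable[str]) -> Tuple[List[Alert], int]:
    """Scan log lines; return (alerts to investigate, count of suppressed noise hits)."""
    alerts: List[Alert] = []
    suppressed = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LOG_RE.match(raw)
        if m is None:
            continue  # unparseable line; a real deployment would count these separately
        token = matched_token(m["user"], m["target"])
        if token is None:
            continue
        if m["src"] in EXPECTED_SOURCES:
            suppressed += 1   # known scanner noise: counted, not alerted on
            continue
        alerts.append(Alert(m["ts"], m["src"], m["user"], m["action"], token, raw))
    return alerts, suppressed


# Constructed sample log: one decoy-share read, one scanner login attempt with
# the decoy account (noise), one real login with the decoy account, one benign read.
SAMPLE_LOG = r"""
2015-08-09T13:10:02Z 10.0.4.21 jsmith OPEN \\files01\hr_salaries_2014\payroll.xlsx
2015-08-09T13:11:45Z 10.0.9.5 svc_backup_legacy LOGIN_FAIL dc01
2015-08-09T13:12:07Z 10.0.4.33 svc_backup_legacy LOGIN_OK dc01
2015-08-09T13:12:30Z 10.0.4.33 bwayne OPEN \\files01\public\readme.txt
""".splitlines()


if __name__ == "__main__":
    hits, noise = find_hits(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT {a.ts} src={a.src} user={a.user} action={a.action} token={a.token}")
    print(f"{noise} hit(s) from expected sources suppressed")
```

Two of the four constructed lines produce alerts (the decoy-share read and the successful login with the decoy account from an unexpected host); the scanner's attempt is counted but not raised. Note that the decoy account exists only so that its use can be logged: it should hold no privileges, otherwise the token is exactly the "attacker's asset" the answer warns against.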