WHY HONEYPOT TECHNOLOGY IS NO LONGER EFFECTIVE

Transcription

1 WHY HONEYPOT TECHNOLOGY IS NO LONGER EFFECTIVE How a cloud-based service is able to detect threats from multiple vectors at a faster rate than traditional on premise solutions Learn more by visiting 2014 isheriff. isheriff is a registered trademark of isheriff. All other trademarks are the property of their respective owners. Specifications subject to change without notice. All rights reserved.

2 There are a large number of different techniques used in network security. Some fit specific situations well and others not so well. Some experience a reduction in effectiveness over time. Often, new technologies, often much more effective, come in and take their places. One of these technologies is called honeypots. For years traditional security companies have used honeypots as the primary method for collecting threat samples. An important issue with this methodology is that a honey pot is not truly a live environment. It does not behave exactly like a real end-user environment because it is generally automated and programmed to behave in a certain way. This also means that threats that require user interaction can be missed by the automated honeypot and the security researches analyzing this small subset of data. Fig. 1 - Example of a spear phishing requiring user interaction Honeypots have and will continue to have their place in a security infrastructure. A honeypot network used as a decoy for attackers can help to identify targets, and attackers before they attack the main network. However, honeypot technology is not sufficient to cover all the pending threats. Honeypots by their nature are marginally effective in identifying malware threats that could target endpoints via the web or . Honeypots do not behave like a typical user would. Most honeypot systems are automated to behave in a certain manner. This means that any unanticipated user interaction, or attempts to trick the user, can be missed. Handling Today s Threats The majority of today s threats are socially engineered and targeted specifically to get around honeypot based detection systems. These targeted attacks are referred to as spear phishing attacks. Spear phishing consists of messages that are specifically targeted to an organization, a specific demographic of users or in some cases, a specific user. These messages are socially engineered to drive the user to take the action of visiting a web page where the users machine can be infected by a download or drive-by malware attack. Since the likelihood of a honeypot meeting the requirements of these targeted attacks are very low, spear phishing attacks are often not detected by honeypot-based security tools until a large number of users have been infected.

3 New Technologies Reduce the Problems Fig. 2 - Data is collected in real-time from around the globe Additionally, many honeypot detection systems are built in environments using virtual machines. The cybercriminals behind today s malware are aware of this and will often detect the use of a virtual environment. If a virtual environment is detected, the malware will not run in order to ensure it is not detected, thus rendering the honeypot ineffective. New technologies are now in use that get past the limitations of honeypots. Particularly important is that with a cloud-based security tool, all potential threats are scanned realtime in the cloud in data centers around the globe. In these in stances, the labs team works with a console that consolidates information from data centers all over the globe into a single view. At any given moment our labs researchers could be identifying a zero-day Trojan that originated in Ukraine and a new Ransomware variant that has first appeared in Canada. It is this unique approach to collecting global data in real time allow cloud-based security vendors to identify threats early, usually on day zero. Cloud Security can provide protection in , Web and Endpoint. This means that the data analyzed by the security labs team is coming directly from the three main threat vectors for todays Malware. Best of all, is that the Fig. 3 - Global data shared across multiple vectors is the heart of isheriff Cloud Security

4 data being analyzed comes from real, live users. None of the data analyzed contains any identifiable information, but what it does contain is the information that is needed to identify an attack. Once a threat is identified, that single threat provides the ability to establish protection measures for all threat vectors. For example, if a spear phishing attack is detected, not only is the service updated to protect against the threat, but the web and endpoint services are also updated so that even if a user receives an message, their clicking on the link, or downloading of the file will be protected. It is this cross pollination of identification of threats and protection of threats that is happening round the clock that provides the real-time zero day protection needed in today s threat landscape. About isheriff isheriff s cloud-based security is the simplest and most cost-effective way to protect data and devices from digital threats. Delivered as a continuously updated cloud service that is easy to deploy and manage from a single pane-of-glass console, isheriff provides advanced multi-layered threat protection to keep your organization secure. For more information visit Conclusion Since today s threats are largely encountered via web or , it is extremely important to have this cross-pollination taking place. Many cases of spear phishing attacks contain no malware, yet encourage the enduser to click on a link that will cause them to load a web page with malware on it. So understanding the intricate relationship that exists between the different vectors, coupled with the ability to identify and protect threats across multiple vectors in real-time is important and often not readily available from traditional web, and endpoint security vendors.

5 Learn more by visiting 2014 isheriff. isheriff is a registered trademark of isheriff. All other trademarks are the property of their respective owners. Specifications subject to change without notice. All rights reserved.