National cyber security authorities can use honeypots – dummy IT resources whose sole purpose is to be attacked – to detect cyber threats without putting production systems at risk, according to a new report from the EU security agency ENISA.
A honeypot or ‘digital trap’ is a server, application, system or dataset put online to attract cyber attackers. According to ENISA, honeypots can help Computer Emergency Response Teams (CERTs) to gain insight into how the latest cyber attacks work and therefore how they might be thwarted.
"Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT’s constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics," said Udo Helmbrecht, executive director of ENISA.
"Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies’ assets," Helmbrecht said.
ENISA’s report, which was launched on Thursday, describes various kinds of honeypot. A server-side honeypot, for example, sits on a server connected to the Internet and analyses network port activity for signs of malicious attacks. A client-side honeypot uses an application such as a web browser to connect to remote services and monitors all generated activity.
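As an added illustration of the server-side kind (not code from ENISA's report), the sketch below listens on a set of TCP ports, records who connects and the first bytes they send, and labels each source by how many distinct ports it touched. The class and function names, the loopback default and the threshold of three ports are assumptions made for this example.

```python
import socket
import threading
import time
from collections import defaultdict


class PortHoneypot:
    """Low-interaction listener: accepts TCP connections, records them, serves nothing."""

    def __init__(self, ports, host="127.0.0.1"):  # loopback default is an assumption
        self.events = []  # (timestamp, source_ip, dest_port, first_bytes)
        self._lock = threading.Lock()
        self.ports = []
        for port in ports:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((host, port))  # port 0 lets the OS pick a free port
            sock.listen()
            self.ports.append(sock.getsockname()[1])
            threading.Thread(target=self._serve, args=(sock,), daemon=True).start()

    def _serve(self, sock):
        port = sock.getsockname()[1]
        while True:
            conn, (src, _) = sock.accept()
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(256)  # keep only the first bytes the peer sends
                except OSError:
                    data = b""  # peer connected but sent nothing in time
            with self._lock:
                self.events.append((time.time(), src, port, data))

    def snapshot(self):
        """Return a copy of the events recorded so far."""
        with self._lock:
            return list(self.events)


def classify_sources(events, scan_threshold=3):
    """Label each source by how many distinct honeypot ports it touched."""
    ports_by_src = defaultdict(set)
    for _, src, port, _ in events:
        ports_by_src[src].add(port)
    return {src: "port-sweep" if len(p) >= scan_threshold else "single-probe"
            for src, p in ports_by_src.items()}
```

Because the listener has no production role, every recorded event is unsolicited traffic, which is why the classifier needs no allow-list of legitimate clients.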
The study found that possible barriers to honeypot deployment include difficulty with usage, poor documentation, lack of software stability, lack of developer support, little standardisation and, in general, a requirement for highly skilled people to handle and maintain honeypots.