Perimeter security has made leaps and bounds for detecting and preventing attacks. However, rules and detection methods cannot catch everything. The big question is: What should you do once malware or an attacker is in an environment? Answer: Honeypots.
They work as an early-alerting system for complex attacks, and produce very few false positives, when tuned properly, compared to firewalls, IPS, and IDS. The sole purpose of a honeypot is to be probed, attacked, and compromised. This is accomplished by mimicking any resource, service, application, system, or network. All activity between the honeypot and malware/attacker is monitored, alerted on, and analyzed. Some examples of activity can be: scanning for activity of worms or bots, looking for internal threats, detecting compromised nodes, identifying new exploits and vulnerabilities, or capturing new malware.
Honeypots are one of the most underutilized ways to detect a threat once it has hopped the fence of perimeter security. However, the email security industry has relied heavily on the honeypot, or spamtrap, as one of their most widely used and effective ways to detect incoming phishing and spam. Perhaps this disparity exists because honeypots in a production environment are commonly viewed as an insecure holes that allows an attacker into the environment. This should not be the case. A honeypot can be deployed in a normal secured environment, or in an isolated DMZ. Obviously, once a threat has been detected by a honeypot the normal environment can no longer be referred to as secure. The moment that a honeypot has been compromised, a threat has found a way into your environment and all of your servers are exposed. It should be assumed that anything on the network with the honeypot is or will be compromised as well. In this scenario, you still get the benefit of early alerting regarding the compromise.
Deploying a properly isolated honeypot is also worth the effort. Based on the information that is produced through the alerting and reporting, we can gain insights into our operating systems and servers, host protections, and information protections. By monitoring a live infection or attack, we can learn how these areas of the security model are being comprised by threats.
With BYOD being more prevalent every day and attack vectors growing, a detection mechanism such as a honeypot could end up being invaluable.
Just as a precautionary note this approach must be implemented with the proper expert guidance and strategic planning otherwise it can introduce unwanted threats into an environment.