Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer

Help respond to attacks
Operational security
    Use specific intrusion sets (operational missions)
    Apply lessons learned to computer network defense (CND) posture
    Gather intelligence about ongoing operations by adversaries within your network
Intelligence gathering
    Use methodology fingerprinting
    Discover the unknown
    Reduce false positives
    Develop a watch list

Production-based honeynets are easier to hide, close, or mesh within production environments than research-based honeypots. They are also harder to manage than research-based honeynets.

Generation III honeynets were the beginning of the move toward a more stable, scalable, enterprise-ready honeynet. However, generation III (Gen III) was, according to some of the developers on the project, “never completed the way it was supposed to be in spirit.” The reason given was that some of the tools and modules for back-end data processing on the roo, and the initial development of kanga, had been missed due to limited resources and time. However, within three years of the initial deployment of Gen III, most of these modules and platforms had been developed as add-ons. They are available today, as they have been for years, on the Honeynet Project’s website at www.honeynet.org/project/.

Honeynet Architectures

Designing enterprise frameworks is an important step when considering production-based honeynet implementations. When building a production honeynet or grid, you must ensure that each important component has an identified solution for generating actionable information; otherwise it has no value. This matters because of the limitations of the system itself: cumbersome processing and transmission of data, and the synchronization of one SQL database to another. Analysts need access to actionable data in time to act while a threat is active, or the solution is pointless. When you are engaging an active threat, you need to be presented with, and understand, observed data in real time. Data access to a honeynet, in addition to other devices, can help a trained counterintelligence analyst present data in a workflow, process each item, and generate hypotheses or questions about suspicious observables. The more data available, the better, as it can help validate observed actions or activity. Where you place your honeynets within your enterprise is very important and must make sense for your goals or requirements. Here is a short list of typical locations where honeynets can prove most effective:

Internet gateways
Enclave boundary