Reverse Deception: Organized Cyber Threat Counter-Exploitation (80 page)

Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online

Authors: Sean Bodmer

Tags: #General, #security, #Computers

BOOK: Reverse Deception: Organized Cyber Threat Counter-Exploitation
13.81Mb size Format: txt, pdf, ePub
        
Help respond to attacks
Operational security
        
Use specific intrusion sets (operational missions)
        
Apply lessons learned to computer network defense (CND) posture
        
Gather intelligence about ongoing operations by adversaries within your network
Intelligence gathering
        
Use methodology fingerprinting
        
Discover the unknown
        
Reduce false positives
        
Develop a watch list

 

Production-based honeynets are easier to hide, close, or mesh within production environments than research-based honeypots. They are also harder to manage than research-based honeynets.

Generation III honeynets were the beginning of the direction toward a more stable, and scalable enterprise-ready honeynet. However, the generation III (Gen III) was, according to some of the developers on the project, “never completed the way it was supposed to be in spirit.” The reason said being that some of the tools and modules for the backend data crunching of the roo and the initial lack of development for kanga had been missed due to resources and time. However, within three years of the initial deployment of Gen III, most of these modules and platforms had been developed as add-ons and are now available today, as they have been for years, on the Honeynet Project’s website
www.honeynet.org/project/
.

Honeynet Architectures

Designing enterprise frameworks is an important step when considering production-based honeynet implementations. When building a production honeynet or grid, you must ensure that important components have identified solutions to generate actionable information or have any value. This is due to the limitations of the system itself through the cumbersome processing and transmission, and the updating of one SQL database to another. Analysts
need
to have access to actionable data within enough time to act when a threat is active or the point of the solution is pointless. When you are engaging an active threat, you need to be presented with and understand observed data in real time. Data access to a honeynet in addition to other devices can help a trained counterintelligence analyst present data in a workflow, process each item, and generate any hypothesis or questions about suspicious observables. The more data available, the better, as it can help validate observed actions or activity. The placement of your honeynets is very important as to where on your enterprise that makes sense for your goals or requirements. Here is a short list of typical locations where honeynets can prove most effective:

Internet gateways
Enclave boundary

Other books

Promise the Night by Michaela MacColl
Escape the Night by Desiree Holt
Her Notorious Viscount by Jenna Petersen
The Pleasure of M by Michel Farnac
Magic by Moonlight by Maggie Shayne
Prince of Passion by Jessa Slade