Honeypots: A sweet solution to the insider threat
A honeypot can be a cheap, easy, and effective warning system against the trusted insider gone bad
My professional life has been full of clients devastated by trusted, internal attackers. In every case, the damage done amounted to hundreds of thousands of dollars. In one case, the victimized company incurred costs exceeding $1 million in recovery efforts. Everyone involved is bound by a nondisclosure agreement, so none of these cases has made the news, even though the service outages have been significant and widespread.
Despite multiple efforts over the last two decades, there is still no cost-effective way to stop a trusted insider from doing tremendous damage when they feel so motivated. The best you can hope for is early detection to limit the damage. Many of the preventive efforts I've been involved in have focused on tightening access controls and improving logging and alerting.
I've said it before and I'll say it again: One of the best things you can do to get early warning of internal attackers is to implement honeypots. I don't say this simply because I wrote a book on the subject. I recommend honeypots because they're low cost and low noise -- and they work!
Sweet science
Because the internal attackers you seek could be trusted IT employees, the entire project must be kept secret. It should be known only to the sponsor, management, and the implementers. Often, we give the project a boring code name like Marketing Business Development, which is used in all documents and e-mails, avoiding any term that hints at honeypots. Don't even tell the network security staff, to the extent you can keep them out and still run the project. Then take a few computers that are destined for de-provisioning or the scrap heap and turn them into your honeypots.
Honeypots by their very nature are fake computers that nothing should ever attempt to contact. Their sole purpose in life is to note any connection attempt and report it for immediate investigation. Normally, after setting up a honeypot, you'll spend a few hours (or days) filtering out the normal, legitimate broadcast traffic, plus that of the legitimate systems that routinely sweep the network looking for hosts to manage (anti-virus servers, software install managers, and so forth). Once that noise is gone, any remaining connection is worth a phone call.
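The triage step described above, as an added example that is not from the column: a small Python script that parses honeypot connection records and suppresses the expected background noise, broadcast and multicast traffic plus the known anti-virus and software-deployment servers on the ports they normally use, while flagging everything else. The key=value log format, the addresses, the honeypot subnet and the allowlisted management servers are all constructed for the example; substitute your own. Note that an allowlisted server showing up on a port it has no business touching still alerts, because a compromised management box is exactly the kind of foothold a trusted insider would use.

```python
"""Honeypot connection triage: suppress expected noise, alert on the rest.

Added example, not the column's or any product's code. The log format and
every address below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


# Constructed honeypot listener log. The honeypot lives at 10.0.42.10 on the
# hypothetical 10.0.42.0/24 subnet; nothing should ever talk to it.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=10.0.0.5 dst=10.0.42.10 dport=445 proto=tcp
2024-03-01T09:00:02Z src=10.0.42.77 dst=10.0.42.255 dport=137 proto=udp
2024-03-01T09:00:03Z src=10.0.42.31 dst=224.0.0.251 dport=5353 proto=udp
2024-03-01T09:05:17Z src=10.0.42.88 dst=10.0.42.10 dport=22 proto=tcp
2024-03-01T09:05:18Z src=10.0.42.88 dst=10.0.42.10 dport=3389 proto=tcp
2024-03-01T09:07:00Z src=10.0.0.6 dst=10.0.42.10 dport=22 proto=tcp
"""

# Hypothetical allowlist of management systems that legitimately sweep every
# host, keyed by source address, with the only ports they are expected to use.
KNOWN_SCANNERS = {
    "10.0.0.5": {"name": "antivirus-server", "ports": {445}},
    "10.0.0.6": {"name": "software-deployment", "ports": {135, 445}},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Parse the constructed key=value records; fail loudly on anything odd."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        conns.append(Conn(m["ts"], m["src"], m["dst"],
                          int(m["dport"]), m["proto"].lower()))
    return conns


def classify(conn, honeypot_net, allowlist):
    """Return (alert, reason). Only expected background noise is suppressed."""
    dst = ipaddress.ip_address(conn.dst)
    if dst.is_multicast:                       # mDNS, SSDP and friends
        return False, "multicast"
    if dst == honeypot_net.broadcast_address or dst == ipaddress.ip_address("255.255.255.255"):
        return False, "broadcast"              # NetBIOS, DHCP, ARP-style chatter
    entry = allowlist.get(conn.src)
    if entry is not None:
        if conn.dport in entry["ports"]:
            return False, f"expected {entry['name']} sweep"
        # A trusted server on an unexpected port is a red flag, not noise.
        return True, f"{entry['name']} on unexpected port {conn.dport}"
    return True, "unexpected contact"


def triage(text, honeypot_cidr, allowlist=KNOWN_SCANNERS):
    """Split log records into (alerts, suppressed), each a list of (Conn, reason)."""
    net = ipaddress.ip_network(honeypot_cidr, strict=False)
    alerts, suppressed = [], []
    for conn in parse_log(text):
        alert, reason = classify(conn, net, allowlist)
        (alerts if alert else suppressed).append((conn, reason))
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_LOG, "10.0.42.0/24")
    for conn, reason in alerts:
        print(f"ALERT {conn.ts} {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto} ({reason})")
    print(f"{len(alerts)} alerts, {len(suppressed)} records suppressed as noise")
```

Keep the allowlist as short as the environment permits and review it periodically: every entry is a source that can touch the honeypot without anyone noticing, so each one is also a blind spot.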