by Clint Sand, Director of Security Strategy & Advisory
Generally we see most breaches are sourced from 3 distinct groups. Malicious Insiders, Well-meaning Insiders, and Malicious Outsiders. Each source, and their unique motivators, should ideally be emulated in a testing process to ensure the results match real-world conditions. Honeypots are useful for understanding the behavior of a Malicious Outsider and to some extent, the Malicious Insider. They are like attacker surveillance cameras. Organizations often leverage honeypots to learn about attacker behavior, deflect attacks to lower valued targets, and discover the new zero day vulnerabilities attackers are exploiting in a system.
However, if you look at the attack phases of a typical Advanced Persistent Threat, a good majority of the high-profile breaches are the result of spear phishing. Well-meaning end users have become the most effective targets for attackers looking to penetrate your environment. Why bother hacking through a network of servers and vulnerabilities which could possibly trip alarms when you can just socially engineer end users to hand you their login details? Honeypots are not relevant to test this risk.
You need to establish testing practices which test your end users knowledge and awareness of phishing attacks and how to deal with them to have a comprehensive look at your security posture. You can have a complete view of every vulnerability in the servers, workstations, and networking gear in your environment but ultimately end up on the front page of a newspaper the very next day without this same level of visibility into the probability your end-users will fall victim to clever Social Engineering tactics. While honeypots are valuable, we are seeing more interest in incorporating end-user social manipulation attacks as a relevant focus area for testing.