Honeypots are decoy systems or servers deployed alongside production systems within your network. When deployed as enticing targets for attackers, honeypots can add security monitoring opportunities for blue teams and misdirect the adversary from their true target. Honeypots come in a variety of complexities depending on the needs of your organization and can be a significant line of defense when it comes to flagging attacks early. This page covers in more detail what honeypots are, how to use them, and the benefits of implementing them.
Honeypots have many applications and use cases, because their job is to divert malicious traffic away from important systems, provide early warning of an attack in progress before critical systems are hit, and gather information about attackers and their methods. If the honeypots don't actually contain confidential data and are well-monitored, you can gain insight into attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence without putting the rest of your network at risk.
For a honeypot to work, the system should appear legitimate. It should run the processes a production system is expected to run and contain seemingly important dummy files. The honeypot can be any system that has been set up with proper sniffing and logging capabilities. It's also a good idea to place a honeypot behind your corporate firewall: not only does it provide important logging and alerting capabilities, but you can block outgoing traffic so that a compromised honeypot cannot be used to pivot toward other internal assets.
In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild. Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and the vulnerabilities that adversaries are targeting. This can inform your preventative defenses, patch prioritization, and future investments.
Production honeypots, on the other hand, are focused on identifying active compromise on your internal network and tricking the attacker. Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment. Research honeypots tend to be more complex and store more types of data than production honeypots.
Within both production and research honeypots, there are also differing tiers depending on the level of complexity your organization needs:
Several honeypot technologies currently in use include:
Honeypots offer plenty of security benefits to organizations that choose to implement them, including the following:
They break the attacker's kill chain and slow attackers down
As attackers move through your environment, they conduct reconnaissance, scan your network, and look for misconfigured and vulnerable devices. At this stage, they are likely to trip your honeypot, alerting you to investigate and contain the attacker's access. This allows you to respond before an attacker has the chance to successfully exfiltrate data from your environment. Malicious actors can also spend a significant amount of time trying to work on the honeypot instead of going after areas that have real data. Diverting their attack to a useless system wastes their cycles and gives you early warning of an attack in progress.
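The logging-and-alerting behaviour described above (a decoy that looks like a production service, records every touch, and surfaces reconnaissance across several ports) as an added example; this is illustrative code written for this page, not a product or the original article's own, and the decoy ports, the 64-byte capture and the two-port scan threshold are assumptions.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Services a production host here would plausibly expose (assumption); low ports need root, so try 2222/4445/13306 unprivileged.
DECOY_PORTS = {22: "ssh", 445: "smb", 3306: "mysql"}

def make_event(src_ip, src_port, dst_port, first_bytes):
    """One connection to a decoy; nothing legitimate should ever talk to it, so each record is an alert, not just a log line."""
    return {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": src_ip, "src_port": src_port, "dst_port": dst_port,
            "service": DECOY_PORTS.get(dst_port, "unknown"),
            "probe_hex": first_bytes[:64].hex(),  # the client's first bytes, if it sent any
            "severity": "high"}

def scanning_sources(events, min_ports=2):
    """Sources that touched several decoy ports are sweeping the network; returns {src_ip: [dst_ports]} at or above min_ports."""
    ports = {}
    for ev in events:
        ports.setdefault(ev["src_ip"], set()).add(ev["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def serve_decoy(port, sink, bind_ip="0.0.0.0", stop=None):
    """Accept on one decoy port, capture the first bytes, hand the event to sink(event) and hang up; it never serves real data."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        srv.settimeout(1.0)  # wake periodically so a stop flag (threading.Event) is honoured
        while stop is None or not stop.is_set():
            try:
                conn, (src_ip, src_port) = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(64)
                except (socket.timeout, OSError):
                    data = b""
            sink(make_event(src_ip, src_port, port, data))

if __name__ == "__main__":  # one listener thread per decoy port; runs until killed
    emit = lambda ev: print(json.dumps(ev), flush=True)
    for p in DECOY_PORTS:
        threading.Thread(target=serve_decoy, args=(p, emit), daemon=True).start()
    threading.Event().wait()
```

Feed the emitted JSON lines to your SIEM and run scanning_sources over a window of them to turn single touches into a "host X is sweeping decoy ports" alert; pair the host with an egress-deny firewall rule so the decoy cannot be used as a pivot.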
They are simple and low-maintenance
Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous misconfigurations and attacker behavior. In some cases, your team might even forget that a honeypot was ever deployed until someone starts poking around your internal network. Unlike intrusion detection systems, honeypots do not require known-bad attack signatures and fresh threat intel to be useful.
They can help you test your incident response processes
Honeypots are a low-cost way to help you raise your security maturity, as they test whether your team knows what to do if a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate countermeasures?
Honeypots shouldn't be your entire threat detection strategy, but they are another layer of security that can be helpful in discovering attacks early. They are one of the few methods available to security practitioners to study real-world malicious behavior and catch internal network compromise. Want to learn more about other types of tech that can boost your blue team defenses? Check out our page on deception technology.