This application generally relates to computer network security, and in particular to a system that configures honeypot devices to detect and respond to unauthorized access to information assets.
Attacks originating both inside and outside a computer network occur daily, yet detecting the more aggressive, targeted methods is difficult even for the most well-developed organizations. Although many enterprise security teams have deployed next-generation firewalls, deep-packet inspection, anomaly detection, heuristics, data loss prevention, event correlation and many other technologies, a gap in coverage remains. Most of these technologies rely upon traffic crossing a device that logs an event. Such traffic may be referred to as North/South traffic; East/West or lateral traffic between two hosts inside the network is generally not captured. As a result, once an attacker has successfully gained access to a network, most of the attacker's subsequent actions go undetected. Furthermore, the ability to detect internal attacks is often lacking, and what detection exists is prone to false positives.
Existing honeypot technologies address this problem through deception. By creating decoy targets and enticing malicious users to them with open services and the prospect of valuable data, security teams can root out illegitimate traffic and users quickly. When a connection is made to a honeypot, the action is known not to come from a legitimate user, so the rate of false positives is very low. This field has existed in computing for decades, but as the threats have evolved, so too must the security layers and their implementations.
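The low-false-positive property described above follows from the decoy having no legitimate clients: every connection is an alert. The following Python program is an added illustration, not code from this application; it binds a minimal TCP decoy on the loopback interface, records one structured alert per connection (source address, decoy port and the client's opening bytes), and drives it with a constructed probe so the result can be inspected offline. The listener never answers the client, so it cannot be used as a relay; it only observes who touched the decoy. Names such as `TcpHoneypot`, `build_alert` and `run_demo` are the example's own.

```python
"""Minimal TCP honeypot listener: any connection is, by definition, suspicious."""
import datetime
import json
import socket
import threading


def build_alert(src_ip, src_port, honeypot_port, first_bytes):
    """Turn connection metadata into a structured alert record.

    The decoy has no legitimate clients, so every connection is reported.
    The first bytes received are kept hex-encoded so an analyst can see
    what protocol the client tried to speak without trusting the content.
    """
    return {
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "event": "honeypot_connection",
        "severity": "high",
        "src_ip": src_ip,
        "src_port": src_port,
        "honeypot_port": honeypot_port,
        "first_bytes_hex": first_bytes.hex(),
        "first_bytes_preview": first_bytes[:64].decode("ascii", "replace"),
    }


class TcpHoneypot:
    """Accepts connections on one port, records an alert per connection, then closes."""

    def __init__(self, host="127.0.0.1", port=0):
        self.alerts = []
        self.alert_seen = threading.Event()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))        # port 0 = let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)           # short timeout lets the loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(1.0)
                try:
                    first = conn.recv(256)   # capture the client's opening bytes only
                except (socket.timeout, OSError):
                    first = b""
            alert = build_alert(src_ip, src_port, self.port, first)
            self.alerts.append(alert)
            self.alert_seen.set()
            print(json.dumps(alert))         # in production this would go to the SIEM

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()


def simulate_probe(port, payload):
    """Constructed test traffic: a loopback client speaking HTTP at the decoy."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)


def run_demo():
    """Start the decoy, send one constructed probe, and return the alerts raised."""
    hp = TcpHoneypot()
    hp.start()
    simulate_probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")
    hp.alert_seen.wait(timeout=5)            # wait for the handler, not a fixed sleep
    hp.stop()
    return hp.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a["src_ip"], a["honeypot_port"], a["first_bytes_preview"].strip())
```

Because the decoy's only job is to observe, the alert record is emitted at the moment of connection rather than after any protocol exchange; the hex-encoded opening bytes give the analyst enough to classify the probe while keeping untrusted client data out of log parsers.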