Honeypots don’t have to be servers. They can take the form of folders or SharePoint sites with sensitive-looking data, a fake Active Directory group that grants “privileged” access, an “executive” email box, or even a Microsoft Teams channel that has fake data and conversations. The goal of the honeypot is to draw attention, so anything that looks like sensitive data or a potential pathway to sensitive data can work.
With Varonis, you can create custom real-time alerts to trigger whenever there’s activity on your honeypot, giving your Incident Response team a heads up that someone is snooping around the network. Varonis’ robust audit trail can help you quickly investigate whether that access is innocuous or concerning so that you can act quickly to prevent real sensitive data compromise.
Creating the Honeypot with a Custom Real-Time Alert
DatAlert provides the threat detection capabilities to the Varonis Data Security Platform. In addition to the advanced user behavior analytics and pre-built threat models, you can also create custom alerts.
First, you need to create a honeypot. There are several kinds, and the academic literature on them is extensive. For our purposes we will use a low-interaction honeypot: an enticing-looking file in a folder that is deliberately readable by far more people than it should be. Put it somewhere a user browsing shares would plausibly stumble across it, and make sure nothing legitimate (backup and indexing jobs aside) points at it, so that any access is worth a look.
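The following PowerShell stages that kind of honeypot on a Windows file server. It is an added example, not code from the original post or from Varonis: the share path, the lure file name and the group granted read access are assumed placeholders. Step 3 goes slightly beyond the post by adding a SACL entry, so that a successful read also produces Windows Security event 4663 as a check independent of the Varonis collector.

```powershell
# Added example (not from the original post): stage a low-interaction file honeypot.
# Assumed values: the folder path, the lure file name and the reader group are placeholders.
#Requires -RunAsAdministrator

$HoneypotDir = 'D:\Shares\Finance\Archive\2019 Payroll'   # assumed path on the file server
$LureFile    = Join-Path $HoneypotDir 'Executive_Salaries_FINAL.csv'
$ReaderGroup = 'CONTOSO\Domain Users'                     # assumed domain; deliberately broad

# 1. Create the folder and a lure file. The contents are constructed and obviously fake
#    to anyone who reads them closely, but plausible in a directory listing.
New-Item -Path $HoneypotDir -ItemType Directory -Force | Out-Null
@"
Employee ID,Name,Title,Base Salary
100001,Test Record,Placeholder,0
"@ | Set-Content -Path $LureFile -Encoding UTF8

# Backdate timestamps so the bait does not stand out as freshly created.
$Backdate = (Get-Date).AddYears(-2)
$Item = Get-Item $LureFile
$Item.CreationTime   = $Backdate
$Item.LastWriteTime  = $Backdate
$Item.LastAccessTime = $Backdate

# 2. Make the folder "insecure" on purpose: stop inheriting the parent's ACL (keeping a copy
#    of the inherited entries) and grant read-only access to a broad group. Read-only, because a
#    snooper only needs to open the file and we do not want the bait modified or deleted.
$Acl = Get-Acl -Path $HoneypotDir -Audit
$Acl.SetAccessRuleProtection($true, $true)
$ReadRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReaderGroup,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$Acl.AddAccessRule($ReadRule)

# 3. Belt and braces (an addition beyond the post): audit successful reads so they also land in
#    the Windows Security log as event 4663. Needs the "File System" audit subcategory enabled.
$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$Acl.AddAuditRule($AuditRule)
Set-Acl -Path $HoneypotDir -AclObject $Acl

auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 4. Sanity check: confirm the bait is readable by the intended group and audited.
(Get-Acl -Path $HoneypotDir -Audit).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
(Get-Acl -Path $HoneypotDir -Audit).Audit  | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

Run it once on the file server as an administrator (writing the SACL requires SeSecurityPrivilege). After the run, open the lure from a test workstation with an ordinary user account and confirm that both your Varonis alert and, if you kept step 3, a 4663 event fire before you rely on it.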
Second, you need to create a custom alert on your honeypot.
Click the green plus to open the dialog to add a new alert.
In the General tab, enter the new rule name and select the severity, which for a honeypot should be "4-Warning." Pick an Alert Category (I selected "Lateral Movement") and, in the Resource Type drop-down, the type of resource where your honeypot lives. You can leave the rest of the options at their defaults.
Skip the Who tab, because we want this alert to trigger if anyone accesses the honeypot. The one exception is a backup or indexing service account that legitimately reads every file on the share: exclude it here rather than tolerating a scheduled false alarm.
Select the server and honeypot directory in the Where tab.
In the What tab, select the events related to file and folder access. Include read and open events, not just modifications: a snooper usually only opens the bait.
Skip to the Alert Method tab to set the response that tripping this alert should trigger. You can send emails, raise alerts in SIEMs, or run a PowerShell script. We use scripts to disable user accounts and then power down their computers to remove them from the network. Any script you attach here should refuse to act on break-glass and service accounts, and should be dry-run against a test account before it is allowed to disable anyone.
Click Apply and wait for someone to fall into the honeypot.
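The script below is an added example of the kind of automated response the Alert Method step describes; it is not Varonis' own code. It assumes DatAlert invokes it with the triggering user's account name and the computer name as arguments (check your version's documentation for how alert fields are actually passed to a script), and the never-disable list and log path are assumed values.

```powershell
# Added example (not Varonis' code): automated response for a honeypot alert.
# Assumes the alert passes the user's sAMAccountName and the computer name as arguments.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $UserName,      # e.g. 'jdoe' (assumed)
    [Parameter(Mandatory = $true)] [string] $ComputerName,  # e.g. 'WS-1234' (assumed)
    [string] $LogPath = 'C:\ProgramData\HoneypotResponse\actions.log'  # assumed location
)

# Accounts that must never be disabled automatically: break-glass admins and backup or
# indexing service accounts that legitimately crawl every share. Assumed list; keep it
# short and review it with the IR team. -contains is case-insensitive in PowerShell.
$NeverDisable = @('breakglass-admin', 'svc-backup', 'svc-search')

function Write-ResponseLog {
    param([string] $Message)
    $Line = "{0:u} {1}" -f (Get-Date).ToUniversalTime(), $Message
    New-Item -Path (Split-Path $LogPath) -ItemType Directory -Force | Out-Null
    Add-Content -Path $LogPath -Value $Line
    Write-Verbose $Line
}

Write-ResponseLog "Honeypot alert: user=$UserName computer=$ComputerName"

if ($NeverDisable -contains $UserName) {
    Write-ResponseLog "SKIP: '$UserName' is on the never-disable list; leaving this to the IR team."
    return
}

# 1. Disable the account first, so the user cannot simply log on from another host
#    while the workstation is going down.
$User = Get-ADUser -Identity $UserName -Properties Enabled -ErrorAction Stop
if (-not $User.Enabled) {
    Write-ResponseLog "INFO: '$UserName' was already disabled."
} elseif ($PSCmdlet.ShouldProcess($UserName, 'Disable AD account')) {
    Disable-ADAccount -Identity $User
    Write-ResponseLog "DISABLED: '$UserName'"
}

# 2. Power the workstation off to cut any interactive or tooling session. Stop-Computer
#    needs remote admin rights and a reachable host; a failure is logged rather than
#    fatal, because the account has already been disabled.
if ($PSCmdlet.ShouldProcess($ComputerName, 'Shut down')) {
    try {
        Stop-Computer -ComputerName $ComputerName -Force -ErrorAction Stop
        Write-ResponseLog "SHUTDOWN: '$ComputerName'"
    } catch {
        Write-ResponseLog "FAILED shutdown of '$ComputerName': $($_.Exception.Message)"
    }
}
```

Because the script declares SupportsShouldProcess, you can rehearse it with `-WhatIf` (for example `.\Respond-Honeypot.ps1 -UserName jdoe -ComputerName WS-1234 -WhatIf`, assumed file name) and see exactly which account and host it would act on without touching either. Given that curious but harmless users will trip the bait too, many teams start with email and SIEM notification only and enable the disable-and-shutdown path once the alert has proven itself quiet.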
Investigate the Incident
When a user trips the alarm, you can use the WebUI to build a complete picture of their movements through your network. Non-malicious users will fall into the honeypot out of simple human curiosity and will cause some false positives. Diving into the alert details will help weed those out: a single open of the bait file by someone who then moves on looks very different from an account that enumerates the whole share, copies the file, or touches the honeypot from a host it has never used before.
In the WebUI, set the activity filter to the user that fell into the honeypot.
With a wealth of audit data, you can easily retrace the user's steps. This forensic data is crucial for meeting data-breach notification requirements and can help remediate a cyberattack.
Better Security With Behavioral Analytics
Honeypots can be important tactical tools, but they aren’t adaptive, and you certainly don’t want to depend on honeypots to detect advanced threat actors. Dynamic, behavior-based threat models like the ones that come out-of-the-box with DatAlert are much better at detecting stealthy attackers with few false positives.
Rather than set up artificial honeypots, DatAlert can detect when users begin accessing real data in abnormal ways – such as a sysadmin reading the CEO’s inbox and marking messages as unread or a service account that is accessing sensitive Office documents then connecting to the internet for the first time.
Sign up for a Varonis demo to see how we approach cybersecurity differently.