The information on what attackers are likely to do (also called intelligence) can be very useful in helping the SOC defend against attacks.
Some of this we will get from observing attacks on our own systems, but if the SOC is doing its job properly, that will only get us so far. You could put up the equivalent of a sign on the internet inviting people to attack you, but that is not a good idea and will probably invalidate any cyber insurance you may have.
Another approach is to use what is called a honeypot (you may also come across the term honeynet – this is simply a network of honeypots). A honeypot is a special computer that a) contains no files or information of actual value, and b) is walled off from the rest of the environment.
This type of computer provides two valuable sources of information for the SOC. The main one is information on what attackers are doing, and we will look at this in much more detail later. The second is often overlooked, but it is the one that interests us now, while we are setting up the SOC: a honeypot can act as a test bed for our monitoring systems and software. Honeypots have to be very carefully monitored, and normally in a manner that does not reveal just how closely they are being watched.
Honeypots are normally classed by the level of interaction they allow a user to have with them. Some honeypots are simply full machines which are patched and have basic security installed, but have no special measures in place to protect them. These are called high interaction honeypots, and you can gain a lot of intelligence from them. However, they are easier for an attacker to compromise, so they need to be very carefully isolated from the rest of the system, and they require a lot of looking after, as you will have to reset them frequently.
A more common approach for SOCs that just want to test their systems is to use a low interaction honeypot. These honeypots will not give you as much information, but they are easy to set up and maintain. A low interaction honeypot emulates a range of services so that it looks like an http server, an ftp server, an ssh server, etc., but it does not allow the full range of interaction that these services would normally offer. This reduced functionality means that the programs running these honeypots are easier to secure.
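To make the two ideas above concrete (a low interaction honeypot that only emulates a service, and the monitoring that consumes its records), here is an added example, written for this page and not part of the course material or any honeypot product. It emulates nothing more than the SSH version exchange: it sends a server identification string, reads whatever the client sends first, records a structured event and closes the connection, so there is no login, shell or file system to interact with. The banner text, the port number, the `honeypot.jsonl` log file name and the sample addresses are all placeholders chosen for the example; the `summarise` function stands in for the SOC's monitoring pipeline.

```python
"""Low interaction honeypot sketch (added example, not the course's own code).

Only the SSH identification exchange (RFC 4253 section 4.2) is emulated:
send a banner, read the client's first line, log it, close.
"""
import json
import socket
import time
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Assumed values: the banner and port are placeholders for this example.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
LISTEN_PORT = 2222  # unprivileged port so the demo runs without root


@dataclass
class HoneypotEvent:
    ts: float
    src_ip: str
    src_port: int
    service: str
    client_ident: str
    truncated: bool


def parse_client_ident(data: bytes, limit: int = 255) -> Tuple[str, bool]:
    """Extract the client's identification line from its first bytes.
    RFC 4253 caps the line at 255 bytes; longer input is cut and flagged so a
    hostile client cannot make the log record arbitrarily large."""
    line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    truncated = len(line) > limit
    line = line[:limit]
    # Decode defensively: record what was sent without letting bad bytes raise.
    return line.decode("ascii", errors="backslashreplace"), truncated


def handle_client(data: bytes, peer: Tuple[str, int],
                  now: Optional[float] = None) -> HoneypotEvent:
    """Turn one connection's first bytes into a structured event record."""
    ident, truncated = parse_client_ident(data)
    return HoneypotEvent(
        ts=now if now is not None else time.time(),
        src_ip=peer[0],
        src_port=peer[1],
        service="ssh-emulated",
        client_ident=ident,
        truncated=truncated,
    )


def summarise(events: List[HoneypotEvent], repeat_threshold: int = 3) -> Dict:
    """Monitoring side: any contact with a honeypot is suspicious, since no
    legitimate user has a reason to be there. Group by source address, flag
    sources that return repeatedly and clients that do not even speak SSH
    (for example an HTTP request sent to the emulated SSH port)."""
    per_source = Counter(e.src_ip for e in events)
    return {
        "total_events": len(events),
        "sources": dict(per_source),
        "repeat_sources": sorted(ip for ip, n in per_source.items()
                                 if n >= repeat_threshold),
        "odd_clients": sorted({e.client_ident for e in events
                               if not e.client_ident.startswith("SSH-")}),
    }


def serve(port: int = LISTEN_PORT, max_connections: Optional[int] = None,
          log_path: str = "honeypot.jsonl") -> None:
    """Listen on loopback, emulate the version exchange, append one JSON line per event."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))  # loopback only: keeps the demo off the real network
        srv.listen()
        served = 0
        while max_connections is None or served < max_connections:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                conn.sendall(FAKE_BANNER)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
            event = handle_client(data, peer)
            with open(log_path, "a") as fh:
                fh.write(json.dumps(asdict(event)) + "\n")
            served += 1


if __name__ == "__main__":
    serve(max_connections=1)  # accept one local connection, then exit
```

Run it and connect with `ssh -p 2222 127.0.0.1` from the same machine: the client will report a failed exchange, and `honeypot.jsonl` will hold the event. The split between `handle_client` (what the honeypot records) and `summarise` (what the SOC does with it) is the point: it lets you feed constructed events through the monitoring logic and check the alerts it raises before any real traffic reaches the honeypot.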
© Coventry University. CC BY-NC 4.0