Top honey pots & reviews of canary

sunhux
Can anyone recommend the best honeypots, especially those that are effective against
APTs and ransomware?

We are looking at https://canary.tools : any reviews on this company's honeypot?
Top Expert 2015

Commented:
You never see APT coming.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
You can check out TrapX CryptoTrap.
Known as Deception Tokens – you can leave a trail of breadcrumbs that leads ransomware seeking network storage back to an SMB decoy, effectively luring the ransomware into a trap. Without needing ANY third-party quarantine solution, the source machine is also taken off the network and alerts are raised. Only a tiny fraction of the files that would have been lost are encrypted. However, if you choose NOT to disconnect the compromised machine, the ransomware can be kept in a cycle where it has a large number of files to encrypt, effectively keeping it from spreading to other network shares, so no more valuable data is scrambled.
https://trapx.com/product/

The safeguards are paramount: if any ransomware is inadvertently set loose, it may compromise the network and other assets, so containment controls are required to trap it while it carries out its malicious act and keep it from venturing into other areas that were not intended or purposely exposed. Another candidate is Attivo, which looks at the kill chain, i.e. how the so-called "APT" advances from recon to exploitation to persistence.

Author

Commented:
Thanks.

The next question my management will ask is:
how do we assess which honeypot is better?

Especially since we have been attacked several times by ransomware,
and we have 30000-120000 emails with malware in them (about 60-75% of this malware is ransomware).
Author

Commented:
So can I say TrapX is more specialized than the one by Canary in trapping ransomware?
Exec Consultant
Distinguished Expert 2018
Commented:
The question is not how you assess which honeynet is better, as it depends on how enticing you make the "breadcrumbs" and how "involved" you want the honeypot to be in interacting with the attacker. More crumbs do not mean the honeypot will get better results; it may backfire as it becomes a hint to the threat actor. The same goes for the interactive honeypot: a single mistake or misconfiguration can fail your whole implementation. But if you need some pointers, then you can assess
a) its flexibility to become interactive or passive - how long it takes to facilitate continuous interaction and what user action is required
b) the extent of honey tokens that can be created - how much real and dummy data is needed
c) its false positive rate in confirming penetration - how early it starts
d) its safeguards to confirm no wild cross-infection, to prohibit certain zones or segments - the fail-secure mechanism
e) its clean-up of the tokens deployed, its reporting and notification of events, its self-learning to baseline the environment, and log piping to the SOC
f) its deployment speed and ease, without disruptive changes to the environment

TrapX has a use case to trap ransomware and gives it what it is looking for, targeting "their sweet spot" like the document folder, desktop store, mapped drives, external drives, etc. Canary is specific to the token to be deployed and I am not sure if it can simulate what crypto-ransomware is looking out for... best is that you try out RanSim against the honeypot and see how it responds in an isolated environment...
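The decoy mechanism btan describes in the first reply (decoy files on a share that nothing legitimate should ever touch, with an alert as soon as they change) and assessment point (c) above, the false-positive rate, can both be illustrated with a small canary-file monitor. This is an added example, not code from the thread or from TrapX, Canary or Attivo. The share name, file names and the simulated "ransomware pass" (an overwrite with random bytes plus a rename, no real encryption) are constructed for the demo, and the 7.0 bits/byte entropy threshold used to tell an encrypted overwrite from an ordinary edit is an assumption.

```python
"""Canary-file monitor: a minimal worked example of the decoy/honey-token idea.

Decoy documents are planted where ransomware enumerates files (for instance
a share mapped on every workstation). No legitimate process should modify
them, so any change is a high-confidence signal; the entropy check then
separates an encrypted overwrite from a benign plaintext edit.
"""
import hashlib
import math
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed threshold: English text sits around 4-5 bits/byte, ciphertext near 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


@dataclass
class Alert:
    path: str
    kind: str     # "missing", "modified" or "unexpected"
    detail: str


class CanaryMonitor:
    def __init__(self, decoy_dir: Path):
        self.decoy_dir = decoy_dir
        self.baseline: dict[str, str] = {}

    def plant(self, files: dict[str, bytes]) -> None:
        """Write the decoy files and record their hashes as the baseline."""
        self.decoy_dir.mkdir(parents=True, exist_ok=True)
        for name, content in files.items():
            (self.decoy_dir / name).write_bytes(content)
        self.baseline = {name: sha256(self.decoy_dir / name) for name in files}

    def check(self) -> list[Alert]:
        """Compare the decoy folder against the baseline and return alerts."""
        alerts: list[Alert] = []
        present = {p.name for p in self.decoy_dir.iterdir() if p.is_file()}
        for name, digest in self.baseline.items():
            path = self.decoy_dir / name
            if name not in present:
                alerts.append(Alert(str(path), "missing", "decoy removed or renamed"))
                continue
            if sha256(path) != digest:
                ent = shannon_entropy(path.read_bytes())
                verdict = "looks encrypted" if ent >= ENTROPY_THRESHOLD else "plaintext edit"
                alerts.append(Alert(str(path), "modified", f"entropy={ent:.2f} ({verdict})"))
        for name in sorted(present - set(self.baseline)):
            alerts.append(Alert(str(self.decoy_dir / name), "unexpected",
                                "new file in decoy folder"))
        return alerts


def demo() -> list[Alert]:
    """Constructed scenario: plant decoys, then mimic a ransomware pass.

    The "ransomware" is only an overwrite with random bytes and a rename;
    a third file gets an ordinary plaintext edit to show the entropy check.
    """
    with tempfile.TemporaryDirectory() as tmp:
        mon = CanaryMonitor(Path(tmp) / "Finance-Share" / "Q3")   # constructed share
        mon.plant({
            "budget.xlsx": b"Department,Q3 budget\nIT,120000\nHR,45000\n" * 20,
            "contracts.docx": b"Master services agreement draft v3\n" * 50,
            "notes.txt": b"reminder: renew SSL certs in October\n" * 10,
        })
        assert mon.check() == []   # an untouched decoy folder is quiet
        d = mon.decoy_dir
        (d / "budget.xlsx").write_bytes(os.urandom(4096))          # "encrypted" in place
        (d / "contracts.docx").rename(d / "contracts.docx.locked")  # renamed with new extension
        (d / "notes.txt").write_bytes(b"reminder: renew SSL certs in November\n" * 10)
        return mon.check()


if __name__ == "__main__":
    for a in demo():
        print(f"{a.kind:10} {a.path}  {a.detail}")
```

The entropy verdict is what keeps a stray benign edit from being reported as encryption, which is the false-positive concern in point (c). In a real deployment the decoy folder would be the share advertised to workstations, `check()` would run from a file-system watcher or a scheduled task rather than once, and the alerts would be piped to the SOC as point (e) asks.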
Top Expert 2015
Commented:
Maybe start with email filtering?
