Across the IT security space, there has been a growing school of thought that acknowledges that no defense is impregnable. Breaches will occur, and more focus and budget need to move from perimeter defense to containment and mitigation after the fact.
Some in government IT are even taking this a step further. If security breaches are a regrettable fact of life online today, why not use them to learn more about the bad guys? According to a recent article from Aliya Sternstein at Nextgov, that is exactly what some government agencies are now doing.
According to the article, the White House, U.S. Postal Service and the State Department delayed full defensive measures against malicious activity in order to learn about the hackers’ techniques. In security circles this is known as using a “honeypot,” a known vulnerability that is deliberately left in place and carefully monitored to gain insight into the activities of hackers and learn how to better prevent further breaches.
“They are going to do things in a controlled manner to understand the adversary,” said Jasper Graham, a 15-year National Security Agency veteran. “They are by no means going to put sensitive data at risk. There’s no sense in giving up the crown jewels, just to run an experiment.” Graham has worked with U.S. Cyber Command and other intelligence agencies to combat network attacks.
How long a honeypot is studied before taking action is a cost-benefit analysis that varies by agency and attack. Some have criticized agencies for waiting too long to mitigate and, in some cases, to publicly disclose breaches. At a hearing last month, House leaders asked Postal Service staff whether two months was too long to wait once it was determined that employee Social Security numbers had been compromised.
Security experts say honeypots are a vital way to learn about new attack indicators and threat information, which can then be shared with other agencies for better cybersecurity. Immediately disclosing compromises would alert the hackers and cause them to cease all activity, ending the opportunity to observe them.
Using compromised systems as honeypots is the kind of innovative thinking required to protect government networks. Of course, agency IT leaders need to balance benefit and risk when making these decisions. But they also should be supported when attempting new ways to keep up in the cybersecurity battle.