Microsoft has opened up about one weapon in its arsenal against cyberattacks: honeypots, which present attractive-looking online resources and simulated activity in order to lure cybercriminals into a trap.
Ross Bevington, a UK-based security software engineer at Microsoft who calls himself Microsoft's "Head of Deception", speaks of "hybrid high-interaction honeypots".
These honeypots can be as effective against nation-state groups as they are against low-level hackers.
Honeypots are deceptive cybersecurity technologies that lure cybercriminals into a controlled environment. They allow security teams to monitor their activities, analyze their techniques, and potentially disrupt their operations.
Today, Techopedia explores Microsoft’s honeypot tactics and speaks to industry experts about the pros and cons of tech giants going on the attack.
Key Takeaways
- Microsoft is actively deploying honeypots to directly target cybercriminals, showcasing a more proactive approach to cybersecurity.
- There’s a growing interest in deception-based security solutions, which can significantly disrupt attacker operations and provide valuable intelligence.
- While honeypots can be powerful tools, organizations have to consider the legal and ethical implications, especially around data privacy and legal repercussions.
- Deception can be effective, but it must be used alongside traditional security measures.
Head of Microsoft Deception Reveals New Honeypots Tactic
Security experts who believe in the potential of honeypots set these traps up… and wait. Bevington is not the waiting kind of expert.
In a video presentation to BSides Exeter, the community cybersecurity conference held in Exeter, UK, he described Microsoft's most aggressive honeypot strategies.
Using intelligence gathered by Microsoft, Bevington identifies hundreds of thousands of active phishing sites every day and signs up to the criminal infrastructure that meets certain criteria.
Attackers who take the bait (about 5% of the sites targeted) are then tracked meticulously, giving away their tactics, techniques, technologies, and networks.
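The attribution step in that tactic is what makes it more than a passive trap: every decoy credential handed to a phishing site has to be unique to that site, so that a later login attempt with it tells you exactly which criminal infrastructure it came through. The following is an added example, not Microsoft's code and not from Bevington's talk; the registry class, the decoy domain, the HMAC-derived usernames and the sample sign-in events are all assumptions made here to illustrate the idea.

```python
"""Honeytoken credentials: mint one per phishing site, attribute later use.

Added illustration (hypothetical); not Microsoft's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Honeytoken:
    username: str
    password: str
    seeded_to: str                       # phishing URL the credential was submitted to
    hits: list = field(default_factory=list)   # later attempts to use it


class HoneytokenRegistry:
    """Mints a unique decoy credential per phishing site and attributes later use.

    The username is a keyed HMAC of the phishing URL: deterministic, so re-seeding
    the same site reuses the same decoy, but not linkable to the site by anyone
    without the key. The password is random so it can never be derived from the
    username.
    """

    def __init__(self, key: bytes, decoy_domain: str):
        self._key = key
        self._domain = decoy_domain          # hypothetical tenant, e.g. "honeytenant.test"
        self._by_user: dict = {}

    def mint(self, phishing_url: str) -> Honeytoken:
        tag = hmac.new(self._key, phishing_url.encode(), hashlib.sha256).hexdigest()[:12]
        username = f"svc-{tag}@{self._domain}"
        if username not in self._by_user:
            self._by_user[username] = Honeytoken(
                username, secrets.token_urlsafe(16), phishing_url)
        return self._by_user[username]

    def record_login(self, event: dict) -> Optional[dict]:
        """Return an attribution alert if a sign-in event names a honeytoken.

        Any attempt counts, successful or not: only the phishing site ever
        received this username, so even a wrong password is a hit.
        """
        tok = self._by_user.get(event.get("user", "").lower())
        if tok is None:
            return None
        alert = {
            "phishing_site": tok.seeded_to,
            "source_ip": event.get("ip"),
            "result": event.get("result"),
            "username": tok.username,
        }
        tok.hits.append(alert)
        return alert


def triage_signins(registry: HoneytokenRegistry, events) -> list:
    """Run a batch of sign-in events through the registry; keep only hits."""
    return [a for a in (registry.record_login(e) for e in events) if a]


def demo_alerts() -> list:
    """Constructed scenario: two seeded phishing sites, three sign-in events."""
    reg = HoneytokenRegistry(b"demo-key-rotate-me", "honeytenant.test")
    site_a = reg.mint("https://login-micros0ft.example/")   # constructed URLs
    site_b = reg.mint("https://secure-payrol1.example/")
    sample_signins = [                                       # constructed events
        {"user": "alice@honeytenant.test", "ip": "198.51.100.7", "result": "success"},
        {"user": site_a.username, "ip": "203.0.113.9", "result": "failure"},
        {"user": site_b.username.upper(), "ip": "203.0.113.10", "result": "success"},
    ]
    return triage_signins(reg, sample_signins)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(f"{alert['source_ip']} used credential seeded to {alert['phishing_site']}")
```

Two design points matter in practice. The decoy accounts must live in an isolated tenant with nothing real behind them, so that a "successful" sign-in lands the attacker in the high-interaction environment rather than production; and the HMAC key must be kept out of that environment, since anyone holding it could test whether a given username is a decoy.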
John Hammond, Principal Security Researcher at the cybersecurity company Huntress, told Techopedia that a small but growing number of deception-based security products, such as CounterCraft, Thinkst Canary, CyberTrap, and others, are available as software that plugs into larger platforms.
“Some security teams tend not to leverage deceptive capability just because they aren’t yet aware of how effective they can be.
“I would strongly agree that there is a significant need for deception-based security mechanisms because, frankly, it works so well against adversaries.”
“When deception is deployed throughout an environment, threat actors can be genuinely terrified — because they don’t know what to trust.”
Victor Acin, Head of Threat Intel at Outpost24, a platform for cybersecurity risk management, also spoke to Techopedia about deception-based security solutions — although he pointed out an inherent risk.
“In the end, you are purposefully exposing part of your infrastructure so that attackers can actually breach it,” Acin said.
“Whilst it might shine some very interesting insights into the attackers and alert the security teams, a mistake could mean that the breach becomes a serious incident.”
The Ethical Considerations of Aggressive Proactive Cybersecurity
Some security professionals working in the private sector see ethical questions around honeypots, since deception is a technique long associated with cybercriminals and other aggressive actors rather than with defenders.
Thi Tran, Assistant Professor of Management Information Systems at Binghamton University, whose research specializes in cybersecurity, said:
“Technically, this approach has been widely used by cybercriminals rather than cybersecurity agencies, officers or experts.”
However, Tran recognized that honeypots and deceptive security can help companies create a better cybersecurity culture through simulations while supporting CISOs with the intelligence needed to protect the digital attack surface of their organization.
Does the Global Cybersecurity Storm Call for Escalated Actions?
The recent Microsoft Digital Defense Report 2024 reveals the shocking scale of threats in the wild today.
The report found that Microsoft customers face 600 million attacks every day, ranging from nation-state operations and ransomware gangs to identity attacks.
Perhaps it is natural that top CISOs and leading security teams around the world ask themselves: is it time to go on the offense? We put the question to Acin from Outpost24.
“This depends on the type of organization and the willingness to take risks. With the scale and sophistication of today’s cyber threats, aggressive deception-based security is becoming more relevant.
“These solutions can be highly effective in not only slowing down attackers — but deception should be carefully implemented to avoid unintended consequences, such as legal or operational risks.”
In contrast, Assaf Morag, Director of Threat Intelligence at Aqua Nautilus, Aqua Security's research team, told Techopedia that deception-based security may not be the answer to the state of global threats.
“What Microsoft is doing is amazing and inspirational against phishing crimes, but it’s just one tool of many.
“I think that only cooperation between nations, including potentially a global law enforcement will be able to solve this.”
Hammond from Huntress, by comparison, believes organizations should take a stronger posture and proactive measures.
Hammond explained that even a simple decoy “passwords.txt” file that raises an alert whenever it is opened can be a useful tool for security teams.
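A decoy file is only as useful as the alert behind it, and the alert needs enough context to act on: who opened it, with which program, and under which original login. The following is an added example, not Huntress's tooling and not code from the article; it assumes a Linux host where the decoy is watched with an auditd rule such as `-w /home/alice/passwords.txt -p rwa -k decoy_passwords` (the path, key name, allowlisted backup binary and the audit log lines below are all constructed here).

```python
"""Alert on access to a decoy credential file from Linux auditd records.

Added illustration (hypothetical paths and log lines); not a product's code.
Assumes a watch rule:  -w /home/alice/passwords.txt -p rwa -k decoy_passwords
"""
import re
from collections import defaultdict

DECOY_PATHS = {"/home/alice/passwords.txt"}   # hypothetical decoy location
ALLOWED_EXES = {"/usr/bin/rsync"}             # hypothetical backup agent allowed to read it

# key=value pairs; values may be double-quoted (with escapes) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Every record of one event shares the same audit(timestamp:serial) identifier.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample: three events. 4001 is an interactive read of the decoy,
# 4002 the allowlisted backup agent touching it, 4003 an unrelated file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2345 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="cat" exe="/usr/bin/cat" key="decoy_passwords"
type=CWD msg=audit(1700000000.101:4001): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:4001): item=0 name="/home/alice/passwords.txt" inode=131 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:4002): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=901 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" key="decoy_passwords"
type=PATH msg=audit(1700000000.202:4002): item=0 name="/home/alice/passwords.txt" inode=131 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:4003): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.303:4003): item=0 name="/etc/hostname" inode=77 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
""".splitlines()


def parse_record(line: str):
    """Turn one audit line into a dict of fields plus _ts/_serial; None if not audit."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def decoy_alerts(lines) -> list:
    """Group records by event serial, join SYSCALL with PATH, flag decoy touches."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)

    alerts = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        touched = {r["name"] for r in recs
                   if r.get("type") == "PATH" and "name" in r} & DECOY_PATHS
        if syscall is None or not touched:
            continue
        if syscall.get("exe") in ALLOWED_EXES:
            continue                      # known legitimate reader; keep the log, no alert
        alerts.append({
            "serial": serial,
            "ts": syscall["_ts"],
            "path": sorted(touched)[0],
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "uid": syscall.get("uid"),
            "auid": syscall.get("auid"),  # original login user, survives sudo/su
            "pid": syscall.get("pid"),
            "tty": syscall.get("tty"),
            "success": syscall.get("success") == "yes",
        })
    return alerts


if __name__ == "__main__":
    for a in decoy_alerts(SAMPLE_AUDIT_LOG):
        print(f"DECOY ACCESS {a['path']} by {a['exe']} pid={a['pid']} "
              f"uid={a['uid']} login-uid={a['auid']} tty={a['tty']}")
```

The join on the event serial is the important part: the SYSCALL record carries the process and the login uid, the PATH record carries the file name, and neither alone is an actionable alert. The allowlist is the caveat Hammond's “when done right” hides: backup agents, indexers and antivirus scanners will open the decoy too, and without exempting them the alert drowns in its own false positives.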
“When done right, these deceptive efforts can really turn the tables for threat actors.”
Complying with the Law when Setting up Honeypots
While honeypots and other deceptive technologies are not illegal, organizations that deploy them must consider legal and ethical standards in the U.S., Europe, and other regions.
Honeypot designs must be developed to meet the demands of laws such as the E.U. General Data Protection Regulation (GDPR), or privacy laws in the U.S.
Additionally, sectors like healthcare can deploy honeypots in environments that hold electronic protected health information (ePHI), but these technologies must be framed within the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Similarly, other industries have their own requirements; federal contractors, for example, must meet federal compliance obligations.
Security teams also have direct responsibilities, such as reporting crimes to authorities, ensuring downstream security and third parties’ integrity, and protecting personal data.
Dr. Johannes Ullrich, Dean of Research at the SANS Institute, which trains and certifies cybersecurity practitioners, told Techopedia that honeypots provide a low-false-positive source of highly actionable alerts, but that so far deception is not considered by most compliance regimes.
“Deploying known weakly configured and vulnerable assets can be considered in violation of many compliance regimes,” Dr. Ullrich said.
“However, in these situations, a honeypot is often configured in line with compliance regimes just like any other assets with the exception of it not serving any business purpose.”
Tran from Binghamton University said that the effectiveness of deploying honeypots, honeynets, canaries, or similar decoys depends on the complexity of the situation, how close to reality the fake objects or targets are, and how well-trained the cybercriminals are.
“Microsoft said only 5% of targeted phishing sites actually fall into their traps, which is around 250 sites daily,” Tran said.
“Due to low success rates, this approach must be combined with others for better performance.”
Organizations must carefully review all related cyber laws, regulations, and local policies to avoid unwanted legal issues later. But the considerations do not end there. Tran explained that cybercriminals are human beings, too, and they have human rights and privacy rights.
“Dealing with their privacy rights along with other human rights is concerning, especially when they have not officially been announced as criminals after the long process of formal digital forensics and accusations.”
The Bottom Line
Honeypots and other deceptive technologies, most of which are not new, are once again gaining momentum. While some advocate that every company and organization leverage these low-cost defensive tools, other experts caution that they only work if deployed correctly.
Security technologies have advanced and new defensive tactics have emerged.
Still, the technical, legal, and ethical challenges of honeypots remain the same. Deceptive security has never been mainstream. It continues to operate in the shadows and in the hands of the few.