Class 2 Lab 1 ‐ Honeypot Placement - Justin-Boyd/CIT-Class GitHub Wiki
Task: Where to Place a Honeypot
Scenario
As the CISO of a company, you have been asked to design and implement honeypots without regard to budget.
Below is the architecture of the company. Your job is to place honeypots where you think they belong, in a quantity and arrangement that fits the network structure. After placing them, explain why you put them where you did.
Results
A rule of thumb for honeypots is that there must be a certain volume of traps in the network, but potential attackers should not know where they are, or that they are inside one.
For many organizations, the formula for honeypot volume is ⅓ of the number of devices in each segment. This volume is not mandatory, and each organization can implement as many honeypots as it wants.
For example, in the architecture above, there are 10 workstations in a segment. Since ⅓ of 10 is 3.33, which rounds down to three, we will add three more honeypots to that segment.
Companies with strict budgets will most likely not deploy that number of honeypots, since each device license carries a fee. Instead, they may use only one or two honeypots per VLAN (segment).
Another (flexible) rule, and a highly recommended one, is to create a honeypot on each network segment in the organization. We don’t always know the entry points of hackers or what a hacker will do next, so honeypots should be placed in each segment to increase the chance of catching the attacker.
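The sizing rules above can be turned into a small planner. This is an added example, not part of the original lab. The segment names, subnets and host addresses are constructed sample data, and placing decoys on free addresses between the real hosts is an assumption made here so the traps do not stand out as a separate block.

```python
import ipaddress

def honeypot_count(devices, budget_cap=None):
    # Lab's rule: one third of the devices in the segment, rounded down,
    # but never fewer than one per segment. budget_cap models the
    # "one or two honeypots per VLAN" option for strict budgets.
    count = max(1, devices // 3)
    return min(count, budget_cap) if budget_cap else count

def plan_segment(cidr, real_hosts, budget_cap=None):
    net = ipaddress.ip_network(cidr)
    used = sorted(ipaddress.ip_address(h) for h in real_hosts)
    taken = set(used)
    free = [h for h in net.hosts() if h not in taken]
    # Assumption: prefer free addresses that sit between the lowest and
    # highest real host, so decoys blend in with production devices.
    among = [h for h in free if used and used[0] < h < used[-1]]
    count = min(honeypot_count(len(used), budget_cap), len(free))
    pool = among if len(among) >= count else free
    # Pick evenly spaced addresses from the pool (midpoint of each slice).
    return [str(pool[(2 * i + 1) * len(pool) // (2 * count)])
            for i in range(count)]

# Constructed sample data, not the lab's real architecture.
SEGMENTS = {
    "workstations": ("10.0.10.0/24",
                     [f"10.0.10.{10 + 2 * i}" for i in range(10)]),
    "servers": ("10.0.20.0/29", ["10.0.20.5", "10.0.20.6"]),
}

def plan_all(budget_cap=None):
    return {name: plan_segment(cidr, hosts, budget_cap)
            for name, (cidr, hosts) in SEGMENTS.items()}

if __name__ == "__main__":
    for label, cap in (("no budget limit", None), ("one per VLAN", 1)):
        print(label)
        for name, decoys in plan_all(cap).items():
            print(f"  {name}: {decoys}")
```
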