Backup Sites, Honeypots & Honeynets | CompTIA Security+ SY0-601 | 2.1c

In this video you will learn about backup sites such as hot, cold & warm sites. You will also learn about deception & disruption practices such as honeypots, honeynets, fake telemetry, & DNS sinkholes.

Site Resiliency

Site resiliency is the ability of a server, network, storage system or an entire data center to recover quickly & continue operating even when there has been an equipment failure, power outage or other disruption.  Site resiliency is often achieved through the use of redundant components, systems, & facilities.  When one element fails or experiences a disruption, the redundant element takes over seamlessly and continues to provide computing services to the user base.[1]  The three types of backup site that you need to learn about for the CompTIA Security+ SY0-601 certification exam are the following:

  • Hot Site:  a duplicate of your primary IT functions, with hardware, apps, and data ready to run in minutes or less in the event of a disaster.  This is the most expensive of the three disaster recovery plans, but for an organization that can afford no downtime, it might be the only one that is worth considering.
  • Cold Site:  has power, HVAC, and network connections, but would need equipment and data before it could be used for IT functions.  This is the least expensive to maintain before a disaster but takes the longest time to set up during a disaster.
  • Warm Site:  has power, HVAC, network, and hardware suitable for IT functions.  Systems at the warm site might need to have operating systems, apps, and data restored, or operating systems and apps could be already installed to save time.  A warm site costs more than a cold site, and would require ongoing maintenance of hardware and possibly software, but can be made ready in hours, rather than days, compared to a cold site.

Deception & Disruption

Honeypot/Honeynet

Honeypots are a type of deception technology that allows network & system administrators to understand attacker behavior patterns.  Security teams can use honeypots to investigate cybersecurity breaches and to collect intel on how cybercriminals operate.  They also reduce the risk of false positives, when compared to traditional cybersecurity measures, because they are unlikely to attract legitimate activity.  A honeynet is a decoy network that contains one or more honeypots.  It looks like a real network and contains multiple systems, but it is hosted on one or only a few servers, each representing one environment, for example a Windows honeypot machine, a Mac honeypot machine and a Linux honeypot machine.  A “honeywall” monitors the traffic going in and out of the network and directs it to the honeypot instances.  Vulnerabilities can be deliberately introduced into the honeynet to make it easy for an attacker to access the trap.[2]

Fake Telemetry

Telemetry is a term for technologies that collect information in the form of measurements or statistical data and forward it to IT systems in a remote location.  This term can be used in reference to many different types of systems, such as wireless systems using radio, ultrasonic or infrared technologies, or some types of systems operating over telephone or computer networks.[3]  Some organizations deploy fake telemetry as decoys and breadcrumbs in order to lure & trick attackers.  Conversely, attackers who have compromised systems may have those systems generate fake telemetry and reporting data in order to fool security monitoring systems and analysts in a security operations center (SOC), & to evade other security controls that may be in place.[4]

DNS Sinkhole

A DNS sinkhole is simply a DNS server that returns false answers for domain names.  It is also known as a “sinkhole server”, an “Internet sinkhole”, or a “blackhole DNS”.  Legit DNS servers are set up to point users to the correct IP address every time they type a specific domain name into their browsers in hopes of visiting a particular website.  DNS sinkholes disrupt the intended flow of Internet traffic from a domain name to its correct IP address.  As a result, anyone who accesses one gets sent to a different IP address.  DNS sinkholes can be both good and bad.  Cyber attackers can use them to point users to their specially crafted malicious sites via DNS-based attacks like DNS hijacking.  But law enforcement agents and cybersecurity experts also use DNS sinkholes to point the would-be victims of cyber attacks to web properties that are safe to access instead.[5]
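As an added example (not from the original notes or the cited references), the defender-side decision logic of a DNS sinkhole in Python: blocklisted domains and their subdomains resolve to an internal sinkhole address, and the client that asked is recorded, so infected hosts show up in the sinkhole log for triage.  The blocklist, the upstream answers and the query log are all constructed, and the sinkhole address is an assumed internal address.

```python
"""Minimal DNS sinkhole decision logic (constructed example, no real resolver)."""
from collections import Counter

SINKHOLE_IP = "10.0.0.250"  # assumed: internal address of a safe landing page
BLOCKLIST = {"evil-c2.example", "malware-dropper.example"}  # constructed domains

# Constructed stand-in for an upstream resolver so the example runs offline.
UPSTREAM = {"www.example.com": "192.0.2.10", "intranet.example": "10.0.0.10"}


def is_sinkholed(qname: str) -> bool:
    """True if qname or any of its parent domains is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(qname: str, client_ip: str, hits: Counter) -> tuple[str, bool]:
    """Return (answer_ip, sinkholed); sinkhole hits are counted per client."""
    if is_sinkholed(qname):
        hits[client_ip] += 1
        return SINKHOLE_IP, True
    return UPSTREAM.get(qname.rstrip(".").lower(), "NXDOMAIN"), False


def suspicious_clients(hits: Counter, threshold: int = 1) -> list[str]:
    """Clients whose sinkhole lookups reach the threshold: candidates for IR triage."""
    return sorted(c for c, n in hits.items() if n >= threshold)


# Constructed query log: (client address, queried name)
QUERIES = [
    ("10.1.1.5", "www.example.com"),
    ("10.1.1.7", "evil-c2.example"),
    ("10.1.1.7", "beacon.evil-c2.example."),
    ("10.1.1.9", "intranet.example"),
]


def run(queries=QUERIES):
    """Answer every query and return (answers, clients that hit the sinkhole)."""
    hits = Counter()
    answers = [(c, q, *resolve(q, c, hits)) for c, q in queries]
    return answers, suspicious_clients(hits)


if __name__ == "__main__":
    answers, flagged = run()
    for client, qname, ip, sinkholed in answers:
        print(f"{client} {qname} -> {ip}{' (sinkholed)' if sinkholed else ''}")
    print("clients to triage:", flagged)
```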

References

  1. Bigelow, S. Data Center Resiliency. TechTarget.
  2. Honeypot. Imperva.
  3. Telemetry: What Does Telemetry Mean? Techopedia.
  4. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  5. What is a DNS Sinkhole?  Techslang.