With honeynets and other security devices in place, attackers will always leave clues in the alarm log. The source IP, the attack payload, or even identity information captured directly by the honeynet is the initial information that source tracing needs to collect. The first step is therefore to retrieve as much correlated information from the alarm log as possible, which improves the success rate.
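The correlation step described above, as an added example that is not part of the original article: alerts that share a source IP, a payload, or a captured identity are grouped, including transitively. The field names and the sample alerts are constructed assumptions, not a real product schema.

```python
import hashlib
from collections import defaultdict

# Constructed sample alerts; field names are assumptions, not a real product schema.
ALERTS = [
    {"id": 1, "sensor": "waf", "src_ip": "198.51.100.7", "payload": "id=1' OR '1'='1", "identity": None},
    {"id": 2, "sensor": "honeypot", "src_ip": "198.51.100.7", "payload": "GET /admin/login", "identity": "user_a@example.test"},
    {"id": 3, "sensor": "honeypot", "src_ip": "203.0.113.20", "payload": "GET /admin/login?x", "identity": "User_A@example.test"},
    {"id": 4, "sensor": "ids", "src_ip": "203.0.113.99", "payload": "id=1' OR '1'='1", "identity": None},
    {"id": 5, "sensor": "ids", "src_ip": "192.0.2.50", "payload": "PROPFIND / HTTP/1.1", "identity": None},
]

def indicators(alert):
    """Yield (kind, value) pairs; payloads are hashed so long bodies compare cheaply."""
    if alert.get("src_ip"):
        yield ("ip", alert["src_ip"])
    if alert.get("payload"):
        yield ("payload", hashlib.sha256(alert["payload"].encode()).hexdigest())
    if alert.get("identity"):
        yield ("identity", alert["identity"].lower())

def correlate(alerts):
    """Group alert ids that share any indicator, directly or transitively (union-find)."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> id of the first alert that carried it
    for a in alerts:
        for ind in indicators(a):
            if ind in first_seen:
                parent[find(a["id"])] = find(first_seen[ind])
            else:
                first_seen[ind] = a["id"]

    clusters = defaultdict(list)
    for a in alerts:
        clusters[find(a["id"])].append(a["id"])
    return sorted(sorted(c) for c in clusters.values())

if __name__ == "__main__":
    for group in correlate(ALERTS):
        print(group)
```

Alerts 1 to 4 end up in one group even though they come from three different source IPs, because the payload and the captured identity bridge them. A shared indicator such as a proxy or NAT address can merge unrelated activity, so each group is a lead to cross-verify rather than a conclusion.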

Building a honeynet requires security builders to think and measure from the intruder's perspective, and tracing a source with complete evidence requires clear information expansion and cross-verification. There is no airtight honeynet capable of trapping all threat traffic, and there are no foolproof, clear clues that guarantee every trace will succeed. Offensive and defensive confrontation is a contest of cost, of technology and of people; as attack techniques evolve, honeynet construction and source tracing will also face new challenges.

About the author

Cr3ek is currently an information security engineer at a financial institution, working mainly on penetration testing and the construction of Party A's security projects. As project manager of the company's honeynet, Cr3ek is responsible for its project planning, implementation, and operation and maintenance. For technical exchange, contact: cr3ek1@163.com.