Dossier assignment

profileladybb
dossierarticle2.pdf

Risk Management and Insurance Review

C© Risk Management and Insurance Review, 2018, Vol. 21, No. 3, 435-452 DOI: 10.1111/rmir.12109

FEATURE ARTICLE

INTEGRATING A PROACTIVE TECHNIQUE INTO A HOLISTIC CYBER RISK MANAGEMENT APPROACH Angelica Marotta Michael McShane

ABSTRACT Cyber threats are an emerging risk posing a range of challenges to organizations of all sizes. Corporate risk managers need to understand that cyber risk man- agement must not be a silo in the IT department. Cyber threats are the result of intelligent adaptive agents that cannot be managed by traditional risk man- agement techniques only. The article describes the honeypot concept, which is a proactive measure for identifying and gathering information about attackers in order to develop suitable and effective countermeasures. In addition, this article proposes the integration of the honeypot concept into a cyber risk man- agement approach based on the five preparedness mission areas of the Federal Emergency Management Agency (FEMA).

INTRODUCTION Cyber risk has been a topic for years in IT and computer science journals, but only a few cyber risk articles have appeared in risk management and insurance journals. Hovav and D’Arcy (2003) and Gatzlaff and McCullough (2010) have researched cyber attacks from a financial economics perspective to investigate the effect of cyber attacks on an organization’s stock price. Biener et al. (2015) and Eling and Schnell (2016) provide an overview of the evolving cyber insurance market and the insurability of cyber risk, while Eling and Loperfido (2017) investigate and model data breaches from an actuarial perspective. These articles investigate cyber-related issues, but not the cyber risk man- agement process itself. Organizations can no longer afford to let cybersecurity dwell in a technical silo. Cyber threats are different from the risks faced by corporate risk man- agers. Unlike typical corporate risks, cyber threats result from intelligent actors who can adapt and change tactics as defenses are implemented, thus rendering past data quickly obsolete as a predictor of future attacks. In addition, cyber risks are plagued by information asymmetry, correlated loss, and interdependent security issues (Biener et al., 2015; Marotta et al., 2017; McShane et al., 2018; Shetty et al., 2018) that hamper traditional risk management and insurance practices from being effective.

Angelica Marotta works at IIT-Italian National Research Council, Pisa, Italy, and is Research Affiliate, MIT Sloan School of Management, Cambridge, MA; e-mail: [email protected]. Michael McShane is Associate Professor of Risk Management and Insurance, Old Dominion University, Norfolk, VA; e-mail: [email protected].

435

436 RISK MANAGEMENT AND INSURANCE REVIEW

Like traditional terrorists, cyber criminals have an asymmetric information advantage and only need to be right once, while defenders need to be correct every time. Cyber threats are systemic and require much less effort than required for physical terrorism. A single cyber criminal can attack multiple organizations simultaneously. In addition, cyber risks are interdependent (Hofmann, 2007; Hofmann and Ramaj, 2011; Ogut et al., 2005) meaning that the security of an organization depends not only on an organization’s actions, but on the actions/inactions of other entities, such as contractors and suppliers. Risk managers need to understand the emerging cyber risk threat and work together with IT specialists to manage cyber risks in a holistic manner.

Organizations face a growing list of cyber threats, such as data and intellectual property theft, ransomware, and distributed denial-of-service (DDOS) attacks that shut down websites. Cyber crime costs the global economy approximately $445 billion a year with the world’s largest economies accounting for around half of this, and is expected to increase in the coming years (Allianz, 2015). Rapid growth in cyber threats has been accompanied by a worrying change in attackers’ purposes and techniques that can render cybersecurity measures ineffective.

Progress enabled by the Internet opens new and easy ways of gathering information. Even a relatively inexperienced attacker can perpetrate potentially devastating attacks with large-scale consequences for organizations. An Institute for Critical Infrastructure Technology (ICIT) report argues that even a “script kiddie”1 could cause serious damage to the system of a major healthcare provider, using only phishing attacks and exploit kits available on the Internet (ICIT, 2016). Generally, these attacks occur because organi- zations have common vulnerabilities (Böhme, 2005; Shetty et al., 2018), which are unin- tended flaws or design errors that enable an attacker to access multiple organizations.

The purpose of this article is to make risk management researchers and practitioners aware of emerging cyber concerns; introduce the honeypot concept, which is a proactive tool for identifying and managing cyber risks by better understanding cyber intrud- ers; and propose the integration of this tool into a FEMA-based preparedness model. Depending on the goals of implementation, honeypot technology can range from simple low-interaction software emulation of services and applications to high-interaction hon- eypots that can include an actual operating system and other real resources. In the most recent definition, honeypots are decoy systems implemented to attract cyber attackers with the purpose of learning to overcome the attacker’s information advantage and also to distract the intruders and to protect the real system.

This article is structured as follows. The next section “Honeypot Basics and Relevant Research” provides a basic understanding of honeypots and highlights rel- evant research. The subsequent section “Cyber Risk Management Problem Statement” discusses a major issue facing cybersecurity followed by a proposed honeypot solution to this problem. Then the integration of this solution into a cyber risk management model based on the FEMA emergency management approach is outlined followed by the section “Implementation of Production Honeypots Into the Network” describing the implementation of a production honeypot in a corporate network. The final section “Conclusion” concludes and suggests future research on cyber risk management.

1 An inexperienced individual who performs cyber attacks by using tools developed by experts.

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 437

HONEYPOT BASICS AND RELEVANT RESEARCH The widely accepted definition of honeypot is provided by Spitzner (2002a): “a resource whose value is being in attacked or compromised.” This definition captures the two main guiding principles on which every honeypot system is based. First, a honeypot is a resource, meaning that it may consist of any mechanism, either hardware or soft- ware, that is necessary to emulate the original system, but is separate from the original system. For example, this can include workstations, hosts, routers, databases, printers, programs, or even a simple e-mail. Second, regardless of how a honeypot is imple- mented and its ultimate security purposes, the primary goal is that the honeypot needs to be discovered, attacked, and possibly compromised. A honeypot’s primary value is directly proportional to its ability to attract malicious activities, which is much different from the goal of other cybersecurity tools and risk management techniques in general. Therefore, a honeypot can be described as any system that is explicitly implemented to allow an attacker to identify it as a potentially vulnerable system and to attack the honeypot in various ways.

The widespread presence of security threats has been one of the most studied topics in the cyber security field. Initially, the majority of cybersecurity papers focused on viruses, which were the main cause of computer security issues. As viruses evolved over the years, resulting in sophisticated attacks designed to directly hit predetermined targets and cause severe damage, most studies shifted to more complex approaches. The development of a vast hidden market of malicious code and cyber vulnerabilities has led several scholars to concentrate their efforts on alternative cybersecurity techniques, such as intrusion detection and prevention systems and recently, honeypots.

Honeypots are not a new concept. In the late 1980s, several scholars began to examine the possibility of using honeypots as a security mechanism. One of the first studies related to the honeypot concept dates to Clifford Stoll’s book entitled The Cuckoo’s Egg (Stoll, 1989). The author shows how to create an improvised honeypot system to monitor an intruder’s behavior. However, the honeypot described cannot be considered a real honeypot as the author used resources that also allowed legitimate users to carry out their tasks. The current honeypot concept uses a decoy system, not intended for legitimate users, to specifically attract and fool intruders. Nevertheless, this book is particularly important as it anticipates two concepts that now characterize honeypot technology. First is the concept of proactive protection. Defense to protect computer systems can no longer just be passive when facing potential intruders, but needs to be proactive in dealing with the causes of intrusions. The second concept includes the importance of the acquisition of information. The study of the intruder’s behavior and actions is certainly an additional resource against future attacks. Other early work on the honeypot concept is a technical article written by a security expert at AT&T Bell Labs (Cheswick, 1992). This article is the first description of a true honeypot, although the author never uses the term “honeypot.” The article describes how a system can be used and configured to encourage intrusion. The documented technique does not involve systems normally accessed by legitimate users, but rather tools dedicated to attract and understand hackers.

Even though these two studies effectively represent and explain the potential of hon- eypots, a few years passed before honeypot research studies were published. A likely reason for this delay was the lack of a widely accepted honeypot definition, resulting in divergent views and confusion among scholars. Lance Spitzner, a founder of a research

438 RISK MANAGEMENT AND INSURANCE REVIEW

group called “Project Honeynet,” proposed a now widely used “honeypot” definition that was provided at the beginning of this section (Spitzner, 2002a). This nonprofit group engaged in the research and investigation of cyber attacks and was one of the first to elaborate on the modern honeypot concept as a deception system for acquiring intruder information (Spitzner, 2003). Recent years have witnessed significant progress and research initiatives in the honeypot field and the implementation of new and more powerful honeypot systems. The majority of recent work on honeypots includes the description of honeypots, their categories, their advantages and disadvantages, their level of interaction and usage, and their applications. Honeypots can be categorized by purpose and level of interaction (Mokube and Adams, 2007; Sadasivam et al., 2005) as follows.

Purpose Honeypot purpose can be categorized as production or research. Production honeypots are typically best suited for implementation within an enterprise to mitigate risks posed by cyber intruders to that specific enterprise. The purpose is to understand specific systems hackers are probing and exploits being used. Research honeypots are designed to gain information about blackhat hackers in general and are not set up within a specific organization. Typical goals of a research honeypot are, for example, to learn who the hackers are, how they communicate, and the tools being developed. Research honeypots can capture large amounts of data on blackhat hackers but are complex and require time and effort to deploy and maintain. Production honeypots are typically simpler to build, deploy, and maintain than research honeypots.

Level of Interaction Low-interaction honeypots emulate resources, such as services and applications, whereas high-interaction honeypots are real resources. Low-interaction honeypots are easier to deploy and maintain, but also easier for attackers to detect, resulting in a low collection of information about the attacker. This type of honeypot also poses less risk of the actual system being compromised and can provide useful information, such as related to spammers. High-interaction honeypots are complex, require substantial re- sources, use a real operating system, and can collect large amounts of data that can be analyzed to overcome the hacker information advantage and potentially thwart new types of attacks. A high-interaction honeypot poses more risk and requires constant monitoring to prevent intruders from using the honeypot to gain entry into the actual system.

Beyond specific honeypot categorization, other studies emphasize the following security issues, some of which overlap.

Digital Forensics Some authors describe honeypots as an essential tool for the forensic practice. For example, Kebande et al. (2016) propose a honeypot model aimed at reducing the effort required to conduct Digital Forensic Investigations (DFIs) by collecting potential digital evidence and making it available to digital forensic investigators. The authors offer an interesting use of honeypots as a strategy to learn about and analyze intruder behavior and operational capability.

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 439

Deception, Detection, and Mitigation Research has investigated the deception aspect of honeypots as well (Dacier et al., 2004; Kuwatly et al., 2004). Valli (2007) argues that honeypot deception is “based largely on a premise of masking the real”; that is, an attacker is intentionally misled about network structure or weak points. He provides a comprehensive overview of honeypots as de- ception tools, explores the potential of internal honeypots, and discusses the potential superiority of using honeypots to thwart malicious insiders relative to other security technologies, such as firewalls, intrusion detection systems (IDSs), and intrusion pre- vention systems (IPSs). Deception tools, such as honeypots, also improve the detection and mitigation of security threats. Khattab et al. (2006) and Moore (2016) examine how honeypot principles could be utilized to detect and mitigate attacks, such as spoofing,2

DDOS, and ransomware attacks. Paradise et al. (2017) investigate the application of hon- eypots to the reconnaissance phase of advanced persistent threats (APTs) as a way to collect basic indications of potential forthcoming attacks. A common theme to these ar- ticles is that honeypots can add an additional layer of security for networks and provide security capabilities not possible by other measures.

Simulation Honeypots can simulate a variety of information systems and environments. Litchfield et al. (2016) argue that the value of honeypots is directly proportional to their ability to fool attackers into believing they are authentic machines. The authors illustrate the potential of real-time simulation, while protecting the authenticity of the original system.

Defense Another common feature of honeypots is their ability to act as defense mechanisms. Weiler (2002) and Douligeris and Mitrokotsa (2004) investigate the defense of vulnerable systems using honeypots to analyze attackers and defenders in a given cyber environ- ment. These authors collect real-world intelligence on attacks and profile all network activities to counter malicious attacks or threats. In the honeypot context, defense strate- gies generally include methods, such as reducing the appeal of the environment to the potential intruders, acquiring a better understanding of the critical vulnerabilities, and enhancing reaction and response capabilities. Wang et al. (2017) investigate honeypots as defense systems to detect and gather attack information. In particular, they focus on the interactions between the attackers and the defenders and derive optimal strategies for both sides to achieve an optimal defense strategy. Other authors (Gutierrez and Kiekintveld, 2017; Pawar et al., 2014) focus on the use of honeypot decoy features to implement cyber defense systems with the purpose of developing models and methods to acquire information about the blackhat community, understanding their strategies, and improving security systems accordingly.

Network Security and Protection As networks increase in speed and process more information, the necessity to adopt powerful tools to keep up with these changes is essential. Mairh et al. (2011) identify

2 Spoofing is a type of cyber attack that includes the identity falsification of another entity (a person or a program) with the aim of performing malicious activities.

440 RISK MANAGEMENT AND INSURANCE REVIEW

honeypots as an efficient tool to monitor and protect network traffic since honeypots require minimal resources and perform efficiently on large networks. Unlike some other security issues mentioned in this section, this approach does not include the use of a honeypot as a dynamic tool within a cyber environment. The honeypot’s purpose is limited to providing a secure environment necessary to ensure operational continuity of critical services. For example, Bailey et al. (2004) implement a honeypot system with high threat monitoring capabilities aimed at protecting against existing and future threats.

CYBER RISK MANAGEMENT PROBLEM STATEMENT The experience built over the years has shown that complete security of a computer system is not achievable. Generally, ensuring absolute protection is not realistic, given the necessity to appropriately balance costs and benefits of security measures (Combs, 2013). Organizations need a strong commitment to fortify and enhance their systems. Although cybersecurity is a high-profile topic, the majority of organizations are still unprepared. Often organizations have weaknesses in their security systems and underestimate the consequences of exposure (Solomon and Chapple, 2005). A study conducted by the Ponemon Institute states that 75 percent of organizations in the United States are not prepared to respond to cyber attacks (Scibelli, 2015). The report surveyed more than 600 IT and security executives about their organizations’ approaches to build- ing resilience. More than half (55 percent) stated that their organization lacked sufficient risk awareness, analysis, and assessments in combating cyber attacks (Scibelli, 2015).

Such evidence implies that IT security experts generally do not follow comprehensive risk management approaches. Protective barriers, such as firewalls and antivirus soft- ware, are defensive measures against cyber attacks. However, while every organization today relies on a cybersecurity strategy of perimeter defense to protect their networks, security breaches are actually increasing in intensity, frequency, and complexity. Even with these defenses, malicious cyber actors maintain an information advantage over organizations trying to protect their systems. Additionally, these breaches are often not detected until well after the first intrusion. This trend indicates that this defensive strategy may be ineffective and requires continuous security monitoring (Collins, 2017).

One of the most common security weaknesses is the time delay for detecting the in- trusion and securing the system after the first intrusion. According to Moshiri (2015), a prudent course of action against intruders consists of working on minimizing the dam- age to an organization by detecting an intrusion in a timely fashion. Cyber criminals have figured out how to avoid detection by the common security tools utilized by or- ganizations. The vast majority of instruments and methodologies employed by security experts are defense oriented, which can be defeated by adaptive attackers. When the intrusion is finally detected, the organization implements targeted countermeasures on an ad hoc basis to mitigate the impact (Hoopes, 2009; Whitman and Mattord, 2007). An IBM/Ponemon (2017) study of 419 companies in 13 countries found that the mean time to become aware of a cyber breach is 191 days and it calculated that companies identifying breaches sooner had much lower total costs related to the breach.3

3 Specifically, the average cost for a data breach identified in less than 100 days was $3.23 million versus $4.38 million for 100 days or more in 2016.

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 441

This defensive approach does little to overcome the attacker’s information advantage, which can only be alleviated by proactively understanding the motivations and tactics of the intruders. This article proposes a measure that allows cyber risk managers to inves- tigate the methods of attackers, which allows the design of targeted solutions to prevent and reduce the impact of cyber attacks. In this regard, the usage of data collection and analysis related to the attacker may be essential to decision making. For example, such analysis may determine whether it is necessary to update the software of an existing cybersecurity system or to adopt a new one to stay ahead of cyber attackers trying to com- promise a system (Paté-Cornell et al., 2017). Thus, proactive data gathering and analysis of attackers can help achieve both short- and long-term cyber risk management goals.

SOLUTION: A PROACTIVE CYBER RISK MANAGEMENT TECHNIQUE A solution to alleviate the previously highlighted issues is to apply to the cybersecurity field one of the oldest and most commonly used war techniques: know your enemy (Tzu, 1971). To apply this technique, we consider a honeypot to be a proactive risk management tool that can be used to understand potential cyber criminals and apply the learning to both prevent cyber attacks and detect intrusions earlier, reducing the impact of intrusions that cannot be prevented.

In a typical scenario, cyber criminals penetrate the corporate system, make modifica- tions, compromise an important service within the network, and steal sensitive data. In many cases, the organization may not become aware of the intrusion for a sub- stantial period of time, compounding the impact on the organization. The longer the time lag, the more difficult it will be for cybersecurity specialists to understand how the attack was performed and apply this learning to prevent future attacks (Paradise et al., 2017). If a honeypot had been employed, a more desirable outcome would oc- cur. The hackers would be maneuvering in a decoy world created by cybersecurity professionals to observe and learn from their malicious activities in a safe environ- ment, such as what ports they tried to open, what data they tried to acquire, and areas they tried to access (Gutierrez and Kiekintveld, 2017). A honeypot allows cybersecu- rity specialists to collect this information and use it to develop effective mitigation strategies.

Honeypot technologies are still not widely deployed, so little evidence is available to understand their effectiveness. A survey conducted by SANS found that companies with honeypot experience rated their effectiveness an average of 7.35 out of 10 (Dominguez, 2017). Additionally, when asked how many times honeypots were triggered in the past 12 months, 38 percent of the respondents said have their honeypots were triggered 15 or more times (Dominguez, 2017). Honeypot usage appears to be growing and the trend is expected to continue. According to a forecast from Markets and Markets (2017), the deception technology market size is estimated to grow to $2.09 billion by 2021. Honey- pots are thought to be a worthy candidate to address the current cybersecurity needs due to their powerful capacity for discovery and ability to adapt to any environment. However, academic research on honeypot effectiveness is still in its early stages.

INTEGRATION OF HONEYPOTS INTO A CYBER RISK MANAGEMENT APPROACH This manuscript proposes the integration of the honeypot technique into the FEMA preparedness approach. This approach provides well-established perspectives and a

442 RISK MANAGEMENT AND INSURANCE REVIEW

holistic philosophy that promotes collaboration and shared understanding beyond the IT department and has been successfully employed in emergency management and disaster recovery efforts. The approach is focused on achieving a common, integrated perspective across all mission areas—Prevention, Protection, Mitigation, Response, and Recovery.

Just like the NIST Cybersecurity Framework, the FEMA approach is aimed at re- ducing disaster losses and enhancing security. Both models share common goals and components, but their structure is different, which explains our preference for the FEMA approach over the NIST framework for this study. Specifically, the NIST Framework covers the following critical framework functions: Identify, Protect, Detect, Respond, and Recover (NIST, 2018). Because honeypots already include Iden- tify and Detect as main features, the application of honeypot technologies to the NIST Framework would result in redundancies. The FEMA preparedness model provides a suitable structure that facilitates mitigation and prevention. This approach is built on scalable, flexible concepts that move cyber risk management beyond a detection- only mindset toward resilience goals of adapting and recovering quickly after attacks occur.

The honeypot technique proposed in this work differs from other methods as it focuses on understanding the functioning and the potential of cyber attacks in the context of cyber risk management. Like in some martial arts, this method turns the attackers’ offensive nature into a cybersecurity strength. We propose integrating this concept into the five preparedness mission areas defined by the FEMA (2016): Prevention, Protection, Mitigation, Response, and Recovery (Bullock et al., 2017). In particular, this approach represents a comprehensive strategy that connects Pre- vention with Recovery through a series of phases aimed at developing an effective risk management scheme. The implementation of this solution is represented by Figure 1, which is a Unified Modeling Language (UML)–type activity diagram to formulate a dynamic analysis of a honeypot system model applied to the mission areas.

The “activity diagram” models the process flow including the honeypot from the first attempt at cyber intrusion to the positive resolution of an intrusion event. Input data to establish the environmental context is necessary to start the procedure. The aim of this model is not only providing security for an IT system, but also learning from the behaviors of the attackers. For example, information about their activities may reveal who is interested in accessing the system (e.g., employees or former employees), what they rely on (e.g., an external server), their techniques, the degree of effort to hide themselves, and their motivation, for example, whether their goal is mainly monetary or just to sabotage the organization. In particular, the diagram focuses on the interactions between the honeypot system and the five mission areas, each playing a key role within the framework.

Prevention (Early Warning) This area focuses on securing the cyber environment and its infrastructure from unau- thorized or malicious access, use, or exploitation (Department of Homeland Security, 2014). In this phase, the honeypot acts as an early warning platform to help identify ma- licious activity and stop it before it spreads further across the real system. For example,

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 443

FIGURE 1 Honeypot Applied to the Five FEMA Preparedness Mission Areas

if the organization’s cyber risk management team can detect an intruder on an internal network scanning for open files, then it is possible to protect the system proactively before the intruder finds important files (Spitzner, 2002b).

Protection (Isolation) The honeypot technique enables security experts to determine whether a system or resource is likely to be compromised since the honeypot reproduces the real system. Since the real IT infrastructure runs in isolation, the system is less vulnerable. In this phase, a honeypot may be seen as a protection mechanism to safeguard the real resources.

Mitigation The information collected in the Prevention phase can be used to further identify, an- alyze, and prioritize threats for mitigation. In fact, the rapid and timely detection of threats can be of great help in the development of mitigation strategies. Earlier detection reduces overall costs of the intrusion. FEMA requires that the mitigation strategy of a risk management plan responds to the particular risks facing the community (or the net- work as is the case for cyber risk management) and includes a mix of potential mitigation actions that not only identify and analyze current threats, but consider future threats as well, such as the risk due to future attacks or additional development in general risk areas. Mitigation capabilities need to help prioritize actions based on resources. As risk mitigation evolves into a more proactive practice, which is made possible by honey- pots, it is moving away from a focus on static measures or structures to nonstructural approaches that include planning and management.

444 RISK MANAGEMENT AND INSURANCE REVIEW

FIGURE 2 Positioning Production Honeypots in the Organization’s Network [Color figure can be viewed at wileyonlinelibrary.com]

Response Honeypots can also be effective as an incident–response tool since honeypots can be taken offline for analysis without affecting business operations (Meenakshi and Nalini Sri, 2013), which allows reports to be prepared rapidly. Honeypots can include threat– response tools that enable security administrators to monitor the activities of an intruder and activate shutdown mechanisms based on attacker activity and frequency-based policies (Harrison, 2003).

Recovery The creation of data related to the behaviors of attackers or the monitoring of malicious activities plays an essential role during the Recovery phase. This activity could be performed through the creation of an image of the honeypot hard disk or a backup copy of the files that contain the virtual machine housing the honeypot if the system provides virtualization capabilities. This factor can speed up the recovery and restoration process in case of an attack.

IMPLEMENTATION OF PRODUCTION HONEYPOTS INTO THE NETWORK To achieve successful results with the implementation of the honeypot solution, at- tention must be paid to the correct choice and positioning of production honeypots within the organization’s network. This particular aspect can undermine or improve the effectiveness of the honeypot implementation.

For example, production honeypots work properly if placed inside the security perimeter protected by a firewall as shown in Figure 2 (Production Honeypot 1). In this position,

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 445

the honeypot can act as an alarm sensor, for example, if an attack succeeds in bypassing the defensive barriers. A honeypot can also act as a deterrent to divert attacker attention from valuable resources. Placing the honeypot outside the security perimeter is not effective because many of the attacks would have been blocked by defense mechanisms. However, since production honeypots provide reaction mechanisms to divert attacks from outside, they can also be placed in a demilitarized zone (DMZ) where public services, such as FTP, WWW, and SMTP, are normally placed, as shown in Figure 2 (Production Honeypot 2).

A specific example of this technique using a production honeypot to develop empirical schemes is provided to illustrate a potential solution. For this experiment, after evalu- ating several honeypot options, we decided to use Cowrie, which is a medium interac- tion secure shell (SSH) honeypot4 implemented in Python and developed by Oosterhof (2016). Generally, this type of honeypot is used to learn attack techniques and add an additional security layer to the system. Its functioning is based on a trap represented by a fake file system and a shell that allows attackers to run and execute commands inside a simulated environment that provides realistic responses to the attackers (McCaughey, 2017; Oosterhof, 2016).

To test how a honeypot can be mapped to this approach, we installed Cowrie and configured it using Oosterhof’s code. In the beginning, we performed port scanning before and after the honeypot initialization phase. This operation was executed through Network Mapper (Nmap), which is a tool for network exploration and security auditing.5

This utility scans for open ports and then looks up the common port service in a local text file (Solomon and Chapple, 2005). In the subsequent attack phase, we observed an attacker guessing the password, accessing the honeypot, and running the commands to install backdoors on the server. This phase can greatly help cybersecurity experts build an early warning platform and secure the cyber environment from this type of activity (Prevention).

The possibility of identifying this specific attack can also enable security experts to determine which particular resource is likely to be compromised within the system (Protection). Among its functions, Cowrie also logs every action that an attacker per- forms from connect to disconnect (Barron and Nikiforakis, 2017). The logs in our hon- eypot experiment indicated that an attacker logged on and the commands executed by the attacker (McCaughey, 2017). This functionality enables cybersecurity experts to get a better understanding of the type of attacks the intruder attempted to perform within the honeypot environment, the attacker’s success or failure rate, and also the geographical location of the IP from which the attack started (McCaughey, 2017). This information can be used to identify and mitigate future cyber threats (Mitigation). Additionally, a hon- eypot like Cowrie can analyze a variety of malicious behaviors on the system without affecting other operations, allowing cybersecurity experts to develop incident response

4 A medium-interaction honeypot offers attackers more ability to run commands and execute operations than does a low-interaction honeypot, but has less functionality than does a high- interaction honeypot, which can deal with more possible attack modes.

5 Initially, no system ports were open, but after the start of the honeypot, we observed that port 2222 was open.

446 RISK MANAGEMENT AND INSURANCE REVIEW

strategies (Response). Finally, storing and analyzing captured data logs is particularly important as it aids recovery efforts related to this attack (Recovery).

Since the purpose of research honeypots is to gather large amounts of general informa- tion about attack strategies and techniques, they are typically placed outside the security perimeter. Research honeypots are not suitable for a corporate network as they are too exposed and should only be implemented for research purposes, not for cyber protec- tion of a specific organization. In practice, the use of a research honeypot is not feasible within a corporate environment. Research honeypots are difficult to deploy and typi- cally simulate the whole operating system. The complex and powerful nature of research honeypots is suitable for scrutinizing attacks and developing general countermeasures against threats (Lakhani, 2003; Nawrocki et al., 2016), not for protecting specific assets, which is the main goal in the corporate environment.

ADVANTAGES OF USING HONEYPOTS The proactive cyber defense solution proposed in this article can mitigate the informa- tion advantage of cyber attackers and advance cyber threat intelligence. Cyber risks cannot be managed using traditional risk management tools only. Honeypots can be adopted by a broad range of organizations from large to small and from simple to complex. The major benefits of honeypots are increased control during attacks, learn- ing from incident response results, protecting the actual system while learning about attackers’ techniques in a risk-free manner, reducing false positives during diagnostic testing, alerting administrators of any hostile actions before the real system gets attacked or damaged, allowing experts to perform studies and develop statistics on the types of malware employed by attackers, diversifying easily configurable environments through the usage of various technologies integrated with the honeypot, and analyzing and con- trolling malicious actions in real time, which allow earlier detection to reduce the overall cost of the intrusion. In a well-designed honeypot, intruders spend effort attacking the honeypot instead of the actual system. In addition, a honeypot can produce forensic evidence that is admissible in a court of law and can detect both insider and outsider attacks (Sumner, 2002).

Governments, agencies, computer emergency response teams (CERTs), and critical infrastructure companies might especially benefit from honeypot implementation (Grudziecki et al., 2012). According to Ashford (2015), these users represent the most vulnerable subjects as they are frequently targeted by cyber attacks aimed at compromis- ing equipment or destroying information. These categories of users can use this model to enhance cyber intrusion detection and incident handling procedures.

CHALLENGES AND RISKS OF USING HONEYPOTS As with any relatively new technology, there are a few challenging factors and recommendations linked to honeypots (Spitzner, 2004). One aspect related to the implementation of honeypots is making a comparison of the different honeypot types within an organization’s IT infrastructure; it is important to consider various aspects such as installation, fingerprinting, data value, maintenance, and risks. Therefore, before starting the deployment of the honeypot product, it is necessary to establish the budget—the user may decide to create a high-interaction honeypot with physical ma- chines or a low-interaction honeypot using existing resources and a virtualized system.

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 447

The cyber risk management team must be aware that the deployment of honeypots requires appropriate attention—the creation of a virtual “defenseless" system may enable attackers to use it as a “bridge” to conduct more attacks or to access the corporate network.

If honeypots are not well protected, an attacker could use them to attack other systems. A sophisticated attacker that figures out the existence of the honeypot could turn the honeypot into a weapon to attack other systems. This weakness could also have legal consequences due to liability issues. At times, liability for harm to a third party, whether caused by the honeypot owner or the attacker, can be hard to determine. Harrington (2014) highlights a number of legal and liability issues arising from the use of honey- pots. The author explores several risky scenarios, including a compromised honeypot, the unintended consequences involving the company that deployed a honeypot, an im- properly configured honeypot, and other legal situations that could lead to substantial damages to brand image and reputation, and possibly court sanctions. Sokol et al. (2017) investigate a number of technical and legal issues related to honeypots with a particu- lar focus on the protection of privacy and personal data under current and upcoming European Union legal frameworks. Scottberg et al. (2002) discuss the fine line that can exist between a honeypot used as protection versus honeypot used for entrapment.

CONCLUSION Originally, honeypots were created in response to specific security issues, but have evolved to become a general cybersecurity technology. Honeypots have been applied in a variety of applications to address a wide range of vulnerabilities, but with many potential avenues unexplored. For example, the literature review in this article reveals no attempts to apply honeypots within an overall cyber risk management process. This manuscript proposes integrating the honeypot technology as a multilayer risk management solution with a proactive focus on threats. Generally, honeypots are used for intrusion detection, simulation, mitigation, defense, or pure research, but broader use as part of risk management strategy can be an effective method for enterprises to deal with the dynamic nature of cyber risk. Every attack involves an exploratory phase by the intruder, which provides cybersecurity experts the opportunity to use honeypots as a learning tool to obtain more precise information, identify and respond to attacks more quickly, and implement a comprehensive approach.

Cyber risks are an emerging threat that cannot be handled by traditional risk manage- ment methods. Such risks are typically managed by siloed IT departments instead of by a cross-functional risk management approach. This manuscript argues that a honeypot technique integrated into the five FEMA preparedness areas can be effective in reduc- ing the information advantage of adaptive cyber criminals. The proposed approach can greatly assist in cyber disaster preparedness and mitigation of cyber risks. Generally, the best defenses against cyber incidents are an effective set of plans and best practices. If properly installed, configured, and maintained, honeypots can add value by proactively learning about attackers, allowing an early response, and maintaining high security levels of a networked system beyond defenses typically used.

Risk managers need to understand cyber risks and bring cybersecurity under the holis- tic enterprise risk management (ERM) umbrella (McShane, 2018). Collaboration across disciplines is essential for future cyber risk research. A potential research area involving

448 RISK MANAGEMENT AND INSURANCE REVIEW

cross-disciplinary collaboration is to investigate the relation between general risk man- agement frameworks/standards, such as ISO 31000, and the more specialist IT/cyber risk frameworks/models such as ISO 27000, NIST, RiskIT, COBIT, and (ISC).2 Another potential research collaboration across disciplines is the effect on cyber insurance pre- miums if an organization implements proactive cyber defense measures. A study of the effect of evolving cyber regulation around the globe on risk management is another important area that researchers should consider.

A honeypot can be a very useful tool with multiple practical applications in the cyber risk management field. The solution proposed in this work is a good starting point for future research that employs higher interaction honeypots that are more similar to the actual system. These types of honeypots can be used to better understand in- truder motives and actions but are riskier to the organization. Research that improves and optimizes this risk/return trade-off would be beneficial. A correct correspondence between the honeypot’s components and the actual system and implementation into a risk management approach can produce several advantages, such as more effective workload distribution and lower costs resulting from a reduction in the usage of those resources that are usually employed in attack detection, defense, and counterattack processes.

Another potential research topic is the implementation of both research and production honeypots into corporate networks. Currently, research honeypots are not designed for use for corporate cyber risk management. A hybrid solution that combines the advan- tages of both research and production honeypots could be theoretically possible, but is practically difficult and a challenge that could be tackled in future research. Research honeypots have been used by academics, resulting in journal articles, but research on actual corporate honeypots is limited, most likely for corporate confidentiality reasons. An academic survey and discussion of corporate production honeypot usage would provide useful information. A cost/benefit analysis of using honeypots to improve corporate risk assessment is another much needed research avenue.

Honeypots have a high potential for advancing cybersecurity (Zakaria and Kiah, 2012). By taking advantage of their “attractive” nature, it would be interesting to make them more intelligent and self-manageable through the integration of an artificial intelligence (AI) mechanism. For example, intelligent honeypots may include devices that are able to react autonomously to cyber attacks with repressive or defensive actions (Zakaria and Kiah, 2012). Finally, honeypots represent an interesting research field since they are still largely unexplored. Today, even though many countries continue to focus on providing physical security protections, many governments have recently started to consider the core cyber infrastructure from a comprehensive point of view.

REFERENCES Allianz, 2015, Allianz Risk Barometer 2016—Top Risks in Focus: Cyber Incidents. Re-

trieved from http://www.agcs.allianz.com/insights/expert-risk-articles/top-risks- in-focus-cyber-incidents/

Ashford, W., 2015, Critical Infrastructure Commonly Hit by Destructive Cyber Attacks, Survey Reveals, ComputerWeekly.com. Retrieved from http://www.computerweekly. com/news/4500243886/Critical-infrastructure-commonly-hit-by-destructive-cyber- attacks-survey-reveals

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 449

Barron, T., and N. Nikiforakis, 2017, Picky Attackers: Quantifying the Role of System Properties on Intruder Behavior, in: Proceedings of the 33rd Annual Computer Secu- rity Applications Conference (ACM), pp. 387-398.

Bailey, M., E. Cooke, D. Watson, F. Jahanian, and N. Provos, 2004, A Hybrid Honey- pot Architecture for Scalable Network Monitoring, Technical Report CSE-TR-499-04, University of Michigan, Ann Arbor.

Biener, C., M. Eling, and J. H. Wirfs, 2015, Insurability of Cyber Risk: An Empirical Analysis, Geneva Papers on Risk and Insurance Issues and Practice, 40(1): 131-158.

Böhme, R., 2005, Cyber-insurance Revisited, in: Proceedings of the Fourth Workshop on the Economics of Information Security (WEIS 2005) (Cambridge, MA: Harvard University Press).

Bullock, J., G. Haddow, and D. P. Coppola, 2017, Homeland Security: The Essentials (Oxford, UK: Butterworth-Heinemann).

Cheswick, B., 1992, An Evening With Berferd in Which a Cracker Is Lured, En- dured, and Studied, in: Proceedings of Winter USENIX Conference, San Francisco, pp. 20-24.

Collins, R. M. L., 2017, Proactive Cybersecurity Through Active Cyber Defense, Doctoral Dissertation, Utica College. Retrieved from https://search.proquest.com/ openview/d62179a2e3960662b9fa17c9324b2b39/1?pq-origsite=gscholar&cbl= 18750&diss=y

Combs, C., 2013, Terrorism in the Twenty-first Century, 7th edition (Boston, MA: Pearson). Dacier, M., F. Pouget, and H. Debar, 2004, Honeypots: Practical Means to Validate

Malicious Fault Assumptions, in: Dependable Computing, Proceedings of the 10th IEEE Pacific Rim International Symposium, pp. 383-388.

Department of Homeland Security, 2014, National Protection Framework. Re- trieved from https://www.fema.gov/media-library-data/1406717583765-996837bf7 88e20e977eb5079f4174240/FINAL_National_Protection_Framework_20140729.pdf

Dominguez, A., 2017, Understanding the Use of Honey Technologies Today, SANS Insti- tute. Retrieved from https://www.sans.org/reading-room/whitepapers/detection/ state-honeypots-understanding-honey-technologies-today-38165

Douligeris, C., and A. Mitrokotsa, 2004, DDoS Attacks and Defense Mechanisms: Clas- sification and State-of-the-art, Computer Networks, 44(5): 643-666.

Eling, M., and N. Loperfido, 2017, Data Breaches: Goodness of Fit, Pricing, and Risk Measurement, Insurance: Mathematics and Economics, 75: 126-136.

Eling, M., and W. Schnell, 2016, What Do We Know About Cyber Risk and Cyber Risk Insurance? Journal of Risk Finance, 17(5): 474-491.

FEMA, 2016, Mission Areas. Retrieved from https://www.fema.gov/mission-areas. Gatzlaff, K. M., and K. A. McCullough, 2010, The Effect of Data Breaches on Shareholder

Wealth, Risk Management and Insurance Review, 13(1): 61-83. Grudziecki, T., P. Jacewicz, L. Juszczyk, P. Kijewski, and P. Pawliński, 2012, Proactive

Detection of Security Incidents, ENISA Report. Retrieved from https://www.enisa. europa.eu/activities/cert/support/proactive-detection/proactive-detection-of- security-incidents-II-honeypots

450 RISK MANAGEMENT AND INSURANCE REVIEW

Gutierrez, M., and C. Kiekintveld, 2017, Adapting With Honeypot Configurations to Detect Evolving Exploits, in: Proceedings of the 16th Conference on Autonomous Agents and MultiAgent Systems (International Foundation for Autonomous Agents and Multiagent Systems), pp. 1565-1567.

Harrington, S. L., 2014, Cyber Security Active Defense: Playing With Fire or Sound Risk Management? Richmond Journal of Law and Technology, 20(4): 1-41.

Harrison, J., 2003, Honeypots: The Sweet Spot in Network Security, Computerworld.com. Retrieved from http://www.computerworld.com/article/2573345/security0/ honeypots-the-sweet-spot-in-network-security.html

Hofmann, A., 2007, Internalizing Externalities of Loss Prevention Through Insurance Monopoly: An Analysis of Interdependent Risks, Geneva Risk and Insurance Review, 32(1): 91-111.

Hofmann, A., and H. Ramaj, 2011, Interdependent Risk Networks: The Threat of Cyber Attack, International Journal of Management and Decision Making, 11(5-6): 312-323.

Hoopes, J., 2009, Virtualization for Security (Burlington, MA: Syngress Pub.). Hovav, A., and J. D’Arcy, 2003, The Impact of Denial-of-Service Attack Announcements

on the Market Value of Firms, Risk Management and Insurance Review, 6(2): 97-121. IBM/Ponemon, 2017, Cost of Data Breach Study Global Overview. Retrieved from

https://www.ibm.com/security/data-breach/ Institute for Critical Infrastructure Technology, 2016, Hacking Healthcare IT in 2016,

Icitech.org. Retrieved from http://icitech.org/wp-content/uploads/2016/01/ICIT- Brief-Hacking-Healthcare-IT-in-2016.pdf

Kebande, V. R., N. M. Karie, and H. S. Venter, 2016, A Generic Digital Forensic Readiness Model for BYOD using Honeypot Technology, in: IST-Africa Week Conference (IEEE), pp. 1-12.

Khattab, S., R. Melhem, D. Mossé, and T. Znati, 2006, Honeypot Back-Propagation for Mitigating Spoofing Distributed Denial-of-Service Attacks, Journal of Parallel and Dis- tributed Computing, 66(9): 1152-1164.

Kuwatly, I., M. Sraj, Z. Al-Masri, and H. Artail, 2004, A Dynamic Honeypot Design for Intrusion Detection, in: Proceedings of IEEE/ACS International Conference on Pervasive Services, pp. 95-104.

Lakhani, A. D., 2003, Deception Techniques Using Honeypots (UK: University of London). Retrieved from http://www.isg.rhul.ac.uk/˜pnai166/thesis.pdf

Litchfield, S., D. Formby, J. Rogers, S. Meliopoulos, and R. Beyah, 2016, Rethinking the Honeypot for Cyber-Physical Systems, IEEE Internet Computing, 20(5): 9-17.

Mairh, A., D. Barik, K. Verma, and D. Jena, 2011, Honeypot in Network Security: A Survey, in: Proceedings of the 2011 International Conference on Communication, Computing & Security (ACM), pp. 600-605.

Markets and Markets, 2017, Deception Technology Market Worth 2.09 Billion USD by 2021. Retrieved from https://www.marketsandmarkets.com/PressReleases/ deception-technology.asp

Marotta, A., F. Martinelli, S. Nanni, A. Orlando, and A. Yautsiukhin, 2017, Cyber- insurance Survey, Computer Science Review, 24: 35-61.

A HOLISTIC CYBER RISK MANAGEMENT APPROACH 451

McCaughey, R. J., 2017, Deception Using an SSH Honeypot, Doctoral Dissertation, Naval Postgraduate School, Monterey, CA. Retrieved from https://calhoun.nps.edu/ bitstream/handle/10945/56156/17Sep_McCaughey_Ryan.pdf?sequence=1

McShane, M. K., 2018, Enterprise Risk Management: History and a Design-Science Pro- posal, Journal of Risk Finance, 19(2): 137-153.

McShane, M. K., T. Nguyen, and N. Xu, 2018, Time Varying Effects of Cyberattacks on Firm Value, Old Dominion University Working Paper.

Meenakshi, K., and M. Nalini Sri, 2013, Protection Method Against Unauthorised Issues in Network Honeypots, International Journal of Computer Trends and Technology, 4(4): 655-659.

Mokube, I., and M. Adams, 2007, Honeypots: Concepts, Approaches, Challenges, in: Proceedings of the 45th Annual Southeast Regional Conference (ACM), pp. 321-326.

Moore, C., 2016, Detecting Ransomware with Honeypot Techniques, in: Cybersecurity and Cyberforensics Conference (IEEE), pp. 77-81.

Moshiri, M., 2015, 3 Steps for Timely Cyber Intrusion Detection, Securitymagazine.com. Retrieved from http://www.securitymagazine.com/articles/86604-steps-for-timely- cyber-intrusion-detection

Nawrocki, M., M. Wählisch, T. C. Schmidt, C. Keil, and J. Schönfelder, 2016, A Survey on Honeypot Software and Data Analysis, arXiv preprint:1608.06249. Retrieved from https://arxiv.org/pdf/1608.06249.pdf

NIST, 2018, An Introduction to the Components of the Framework. Retrieved from https://www.nist.gov/cyberframework/online-learning/components-framework

Ogut, H., N. Menon, and S. Raghunathan, 2005, Cyber Insurance and IT Security Invest- ment: Impact of Interdependent Risk, in: Proceedings of the Fourth Workshop on the Economics of Information Security (WEIS 2005) (Cambridge, MA: Harvard University Press).

Oosterhof, M., 2016, Cowrie SSH/Telnet Honeypot. Retrieved from https://github. com/micheloosterhof/cowrie

Paradise, A., A. Shabtai, R. Puzis, A. Elyashar, Y. Elovici, M. Roshandel, M., and C. Peylo, 2017, Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks, IEEE Transactions on Computational Social Systems, 4(3): 65-79.

Paté-Cornell, M. E., M. Kuypers, M. Smith, and P. Keller, 2017, Cyber Risk Manage- ment for Critical Infrastructure: A Risk Analysis Model and Three Case Studies, Risk Analysis, 38(2): 226–241.

Pawar, A., S. Bhise, K. Siddhabhati, and S. Tamhane, 2014, Web Application Honeypot. International Journal of Advanced Research in Computer Science and Management Studies, 2(3): 410-416.

Sadasivam, K., B. Samudrala, and T. A. Yang, 2005, Design of Network Security Projects Using Honeypots, Journal of Computing Sciences in Colleges, 20(4): 282-293.

Scibelli, G., 2015, New Ponemon Institute Study Reveals That Improving Cyber Re- silience Is Critical for Prevailing Against Rising Cyber Threats, Businesswire.com. Retrieved from http://www.businesswire.com/news/home/20150918005579/en/ Ponemon-Institute-Study-Reveals-Improving-Cyber-Resilience

452 RISK MANAGEMENT AND INSURANCE REVIEW

Scottberg, B., W. Yurcik, and D. Doss, 2002, Internet Honeypots: Protection or Entrap- ment? in: Proceedings of the IEEE International Symposium on Technology and Soci- ety (ISTAS), pp. 387-391.

Shetty, S., M. McShane, L. Zhang, J. P. Kesan, C. A. Kamhoua, K. Kwiat, and L.L. Njilla, 2018, Reducing Informational Disadvantages to Improve Cyber Risk Management, Geneva Papers on Risk and Insurance-Issues and Practice, 43(2): 224-238.

Sokol, P., J. Mı́šek, and M. Husák, 2017, Honeypots and Honeynets: Issues of Privacy, EURASIP Journal on Information Security, 4: 1-9.

Solomon, M., and M. Chapple, 2005, Information Security Illuminated (Sudbury, MA: Jones and Bartlett).

Spitzner, L., 2002a, Definitions and Values of Honeypots, EETimes. Retrieved from http://www.eetimes.com/document.asp?doc_id = 1255091

Spitzner, L., 2002b, Honeypots: Tracking Hackers (Boston, MA: Addison-Wesley). Spitzner, L., 2003, Honeypots: Simple, Cost-Effective Detection, Symantec.com. Re-

trieved from http://www.symantec.com/connect/articles/honeypots-simple-cost- effective-detection

Spitzner, L., 2004, Problems and Challenges With Honeypots, Symantec.com. Retrieved from http://www.symantec.com/connect/articles/problems-and-challenges- honeypots

Stoll, C., 1989, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage (New York: Doubleday).

Sumner, K., 2002, Honeypots Security on Offense. Retrieved from http://sumnerk. tripod.com/mywebsite/courses/secarch/honeypotpaper.pdf

Tzu, S., 1971, The Art of War, Translated and with an introduction by Samuel B. Griffith (London, UK: Oxford).

Valli, C., 2007, Honeypot Technologies and Their Applicability as a Strategic Inter- nal Countermeasure, International Journal of Information and Computer Security, 1(4): 430-436.

Wang, K., M. Du, S. Maharjan, and Y. Sun, 2017, Strategic Honeypot Game Model for Distributed Denial of Service Attacks in the Smart Grid, IEEE Transactions on Smart Grid, 8(5): 2474-2482.

Weiler, N., 2002, Honeypots for Distributed Denial-of-Service Attacks, in: Proceedings of the Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE’02), pp. 109-114.

Whitman, M., and H. Mattord, 2007, Principles of Incident Response and Disaster Recovery (Boston, MA: Thomson Course Technology).

Zakaria, W. Z. A., and M. L. Kiah, 2012, A Review on Artificial Intelligence Techniques for Developing Intelligent Honeypot, in: Proceedings of the 3rd International Conference on Next Generation Information Technology, pp. 696-701.

Copyright of Risk Management & Insurance Review is the property of Wiley-Blackwell and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.