SPECIAL REPORT / European computer emergency response teams, which are being beefed up as part of the EU’s cybersecurity strategy, need to set more ‘honeypot’ traps to snare cyber attackers, according to reports.
Two internal memoranda drafted last month by the European Network and Information Security Agency (ENISA) said that the response teams, or CERTs, are not spreading their detection nets as widely as possible and are failing to share their information fully with one another.
In computer terminology, a honeypot is a trap set to detect or deflect attempts at unauthorised use of information systems.
Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
It therefore lures attackers in, then records who they are and can monitor their activities.
The establishment of CERTs in every EU member state was one of the first responses to cybersecurity by the EU executive. More than 100 CERTs have now been set up around Europe, including those focusing on the private sector, and the EU executive has established its own dedicated team.
These are now being beefed up as part of the Commission’s cybersecurity strategy and ENISA will encourage further CERTs to be set up, with additional efforts being made to create networks binding the public and private sector.
Two reports completed by ENISA last month highlighted shortcomings in CERT operations and recommended new methods of operation.
In “Proactive Detection of Network Security Incidents”, ENISA identified 16 shortcomings in the process of detecting incidents, including problems with data quality, slow delivery and lack of contextual information.
The report also claimed that data privacy rules might be hampering the activities of CERTs, saying: “The most important legal problem involves privacy regulations and data protection laws that often hinder the exchange of information – an obstacle faced by CERTs but unfortunately not by miscreants responsible for network attacks.”
Luring hackers with honeypots
A separate report, also published by ENISA in February, looked at the CERTs' use of 'honeypot' traps.
The report said that these traps offer “great insights into malicious activity in a CERT’s constituency, providing early warning of malware infections, new exploits, vulnerabilities and malware behaviour as well as an excellent opportunity to learn about changes in attacker tactics.”
To combat the increasing cyber threat, the report says: “CERTs need to cooperate and develop large-scale inter-connected sensor networks in order to collect threat intelligence from multiple distributed geographic areas.”
CERTs and honeypot researchers should work more closely together, the report recommended.
"The European Parliament asked for a comprehensive cyber security strategy that would build on a multi-stakeholder approach and go from network security to cyber defence. I especially welcome that the strategy emphasises the need to mainstream cyber space into external actions and the Common Foreign and Security Policy," said Tunne Kelam MEP (European People's Party).
"We warmly welcome the Commission’s recent proposal requiring that all Member States establish competent authorities for network and information security, set up CERTs, and adopt national network and information (NIS) strategies and cooperation plans. Crucially, as these initiatives will allow for the circulation of early warnings and ensure coordinated responses, Europe will increase its resilience against cyber threats and incidents, which will benefit users, industry and all member states," said a spokeswoman for Huawei, the technology company.
"Cyber security is a common challenge that all societies have to face together. As the networked society evolves and grows in complexity, international cooperation to ensure data security and privacy protection becomes even more vital. The new cooperation networks together with the work of the recently-established European Cybercrime Centre increase the ability of EU Member States to coordinate with each other and international partners in response to risks and incidents affecting networks and information systems throughout the Union," the Huawei spokeswoman said.