Two internal memoranda drafted last month by the European Network and Information Security Agency (ENISA) said that the response teams, or CERTs, are not spreading their detection nets as widely as possible and are failing to share their information fully with one another.
In computer terminology, a honeypot is a trap set to detect or deflect attempts at unauthorised use of information systems.
Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
It therefore lures in attackers, records who they are and allows their activities to be monitored.
The establishment of CERTs in every EU member state was one of the first responses to cybersecurity by the EU executive. More than 100 CERTs have now been set up around Europe, including those focusing on the private sector, and the EU executive has established its own dedicated team.
These are now being beefed up as part of the Commission’s cybersecurity strategy and ENISA will encourage further CERTs to be set up, with additional efforts being made to create networks binding the public and private sector.
Two reports completed by ENISA last month highlighted shortcomings in CERTs' operations and recommended new methods of operation.
In “Proactive Detection of Network Security Incidents”, ENISA identified 16 shortcomings in the process of detecting incidents, including problems with data quality, slow delivery and a lack of contextual information.
The report also claimed that data privacy rules might be hampering the activities of CERTs, saying: “The most important legal problem involves privacy regulations and data protection laws that often hinder the exchange of information – an obstacle faced by CERTS but unfortunately not by miscreants responsible for network attacks.”
Luring hackers with honeypots
A separate report, also published by ENISA in February, looked at CERTs' use of 'honeypot' traps.
The report said that these traps offer “great insights into malicious activity in a CERT’s constituency, providing early warning of malware infections, new exploits, vulnerabilities and malware behaviour as well as an excellent opportunity to learn about changes in attacker tactics.”
To combat the increasing cyber threat, the report says: “CERTs need to cooperate and develop large-scale inter-connected sensor networks in order to collect threat intelligence from multiple distributed geographic areas.”
CERTs and honeypot researchers should work more closely together, the report recommended.