Re: Honeypot should already be in place
@JeffyPoooh
One might argue that if you had such a system, you have already ticked all the boxes and more.
What part of this is 'automated'? Is it just the redirection? If so, what is this automation? Presumably identifying what traffic you redirect is the major part of this, as it then determines how you redirect it. Is it directly in from external? Can it be isolated to an IP address or range? Are they being spoofed and frequently changed? If so, which device do we have to examine to pull the correct IP? Or can we only identify the traffic through deep packet inspection? Is it an internal infected machine, and thus not passing through the same security devices? A compromised user account? Is there any incoming traffic, or only outbound?
Once you've identified the type of traffic, the redirection is the easier part, though of course you also need to understand what data is being crawled and siphoned so you can direct the traffic to a representative system, understanding that the analogy of the 'honeypot' presupposes that someone wants the honey.
If an intruder is after, say, database data, directing their requests to a file server without the appropriate services listening on the appropriate ports, well, that's not necessarily going to work in the intended manner. Sure, you'll stop them getting the real data but the idea of a honeypot is not just to stop but to catch, thus you need appealing and appropriate bait.
And this is non-trivial.
I find your choice of words informative: "Miscreants should be redirected to the honeypot . . . "
This implies that the honeypot is already there and thus, as per my comments above, must be suitable for the task, requiring either prescience or a segmented system that is representative of your setup, including patch level and ports, etc. After all, some exploits rely on bugs introduced in NEW updates, so simply having a wide open system without AV or patches is not necessarily enough.
I may be reading too much into it, but given your point is that this should be automated, I'd say it's reasonable to assume that in your scenario, the honeypot is waiting, ready to go and fit to accept whatever type of requests (such as malformed sql commands) the real system is being subjected to.
Note the language used by Von Roessing:
"You must set up a honeypot to keep them distracted, while having your forensics team secure the evidence."
This implies that you first identify the traffic and then build a honeypot accordingly, which is much more reasonable, though if this is part of a plan that has been laid out in advance, as is suggested, then some skeleton system in place should be assumed.
Still, all of this is quite expensive and can be the kind of thing that is difficult to convince the boss to approve. Many security precautions only get the go-ahead once you've already been stung.
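The decision the comment above describes (classify the traffic first, then redirect only when a decoy exists that actually looks like the system being targeted, same service, port and patch level) can be written down as a small policy function. The following is an added example, not code from the commenter or from any product mentioned in the thread; the honeypot inventory, the production patch levels, the protocol fingerprints and the flow records are all constructed for illustration.

```python
"""
Policy sketch: should an observed flow be redirected to a honeypot, and to which one?

Constructed example. The inventory, patch levels, fingerprints and flows below
are invented for illustration; the names are placeholders, not real systems.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HoneypotProfile:
    name: str         # placeholder decoy name
    service: str      # service really listening on the decoy
    port: int
    patch_level: str  # version the decoy mimics


@dataclass(frozen=True)
class Flow:
    direction: str     # "inbound" or "outbound"
    src_ip: str
    dst_port: int
    payload_hint: str  # first bytes seen by deep packet inspection (may be empty)


# Port-based classification: what the traffic is presumably after.
PORT_SERVICES = {22: "ssh", 445: "smb", 1433: "mssql", 3306: "mysql", 5432: "postgres"}

# Payload fingerprints override the port, so SSH on 2222 is still SSH.
FINGERPRINTS = {"SSH-": "ssh", "\xffSMB": "smb"}

# Constructed decoy inventory; note the SMB decoy lags production by one patch.
INVENTORY = [
    HoneypotProfile("decoy-db-1", "mysql", 3306, "8.0.36"),
    HoneypotProfile("decoy-ssh-1", "ssh", 22, "OpenSSH_9.6"),
    HoneypotProfile("decoy-smb-old", "smb", 445, "3.1.0"),
]

# Constructed patch levels of the real systems the decoys must imitate.
PRODUCTION_PATCH = {"mysql": "8.0.36", "ssh": "OpenSSH_9.6", "smb": "3.1.1", "postgres": "16.2"}


def classify(flow: Flow) -> Optional[str]:
    """Return the service a flow targets, preferring the payload fingerprint over the port."""
    for prefix, service in FINGERPRINTS.items():
        if flow.payload_hint.startswith(prefix):
            return service
    return PORT_SERVICES.get(flow.dst_port)


def choose_decoy(flow: Flow, inventory, production_patch):
    """Return (decoy or None, reason). Redirect only when a representative decoy exists."""
    if flow.direction != "outbound" and flow.direction != "inbound":
        return None, "unknown direction"
    if flow.direction == "outbound":
        # Traffic leaving from inside points at an internal compromise; it does
        # not pass the perimeter devices that would do the redirection.
        return None, "outbound flow: likely internal compromise, not a redirection case"
    service = classify(flow)
    if service is None:
        return None, "unclassified traffic; redirecting blindly would not catch anything"
    for decoy in inventory:
        if decoy.service == service and decoy.patch_level == production_patch.get(service):
            return decoy, "redirect"
    return None, f"no representative {service} decoy; bait would not be convincing"


# Constructed flow records (documentation-range addresses).
FLOWS = [
    Flow("inbound", "203.0.113.7", 3306, ""),          # MySQL on its usual port
    Flow("inbound", "203.0.113.9", 2222, "SSH-2.0-"),  # SSH on a non-standard port
    Flow("inbound", "198.51.100.4", 445, ""),          # SMB, decoy is one patch behind
    Flow("inbound", "198.51.100.8", 5432, ""),         # Postgres, no decoy at all
    Flow("outbound", "10.0.0.23", 443, ""),            # internal host calling out
    Flow("inbound", "198.51.100.12", 8088, ""),        # nothing recognisable
]


def run_demo():
    """Evaluate every constructed flow and return (src_ip, decoy name or None, reason)."""
    results = []
    for flow in FLOWS:
        decoy, reason = choose_decoy(flow, INVENTORY, PRODUCTION_PATCH)
        results.append((flow.src_ip, decoy.name if decoy else None, reason))
    return results


if __name__ == "__main__":
    for src, decoy, reason in run_demo():
        print(f"{src:>15}  ->  {decoy or '-':<14} {reason}")
```

The point the policy makes explicit is the one from the comment: only the first two flows are redirected, because only for them does a decoy exist that matches both the service and the production patch level. The stale SMB decoy and the missing Postgres decoy are refused rather than used, and the outbound flow is flagged as a different problem altogether.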