Honeypot: The Basics
A honeypot can be either very simple or very complex depending on your goals. In “Honeypot: The Basics”, I aim to provide a basic overall understanding of honeypots.
A honeypot is an information system resource whose value lies in being probed, attacked or compromised; it is often used for security research and increasingly for detection. The goal of a honeypot is to put something out where attackers can see it, and you want it to be attacked. A honeypot is the organization saying: “Look at me, I’m vulnerable and full of confidential information – why don’t you attack me, instead of our real systems?”.
In other words, a honeypot is expected to be attacked and exploited. There is a whole spectrum of reasons to run one; some of them are:
- Research exploits and attacker tooling
- Capture zero-day exploits (mainly with high interaction honeypots, where nothing is emulated)
- Learn more about your actual system (if the honeypot is a copy of your actual system)
- Learn which types of attack your real system is exposed to and how best to protect it
A honeypot helps answer the:
- What – What did they use to attack/exploit?
- How – How did they attack/exploit?
- Motives – Why would they attack/exploit us?
Honeypots for Production:
A honeypot can be set up to imitate your own production environment and sit alongside the real systems. Because no legitimate user has any reason to touch it, any connection to it is a strong signal of an intrusion, and the attacks it attracts show which weaknesses in your environment are actually being targeted.
Honeypots for Research:
This type of honeypot is more focused on researching the motives and methods of attackers. Research honeypots typically use different configurations to lure attackers in; for example, a study to find out what type of exploits people on the internet will throw at a specific system.
Why use Honeypots?
Honeypots draw attackers away from the real, valuable resources while the defender monitors them, knowing there is nothing of value on the honeypot machine. Ideally the attacker does not realize the defenders are watching, so the defenders can use the opportunity to learn about the hackers (what, how and motives) and adopt better security measures to defend the network in the future.
Two key points for a good and secure honeypot:
- Make sure it is not obvious that the honeypot is a decoy with nothing of value on it.
- Nobody but the security administrators who run it should be on the honeypot system; any other activity on it is by definition suspicious.
Levels of Interaction
This refers to the extent to which an attacker can interact with the honeypot and the underlying operating system. The more an attacker can interact with the honeypot, the more information the defenders gather from the incident. However, a high interaction honeypot costs the defender more time and resources to set up, since it has to be more complex and have more in-depth features, and it carries more risk, because the attacker gets real functionality to abuse. These self-explanatory categories are therefore used to decide what type of honeypot the company would like to adopt.
- Low Interaction Honeypots.
- Mid Interaction Honeypots.
- High Interaction Honeypots.
Low Interaction Honeypots:
Examples: Honeyd and Honeytokens
Low interaction honeypots are simple to install. They only provide certain fake services; there is no real operating system for an attacker to operate on. They were designed to emulate vulnerable services without exposing an operating system at all. As with any interaction level, it is important to understand the history of honeypot detection and evasion: attackers who recognize the emulation behave differently, and that knowledge lets defenders improve their continued use of honeypots.
The trade-off is that a low interaction honeypot minimizes the risk (there is nothing real to take over) but also limits the information gathered about the motives and tooling of the attacker: once the emulated service runs out of script, the session ends.
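As an added example (not code from the original post, and not Honeyd's own code), here is a minimal low interaction honeypot in Python: it listens on a TCP port, sends a fake SSH banner, records whatever the client sends, caps how much it will read, and never offers a real shell. The banner string, the in-memory event list and the helper names are assumptions for the demo; a deployment would pick a banner matching the operating system it pretends to be and ship the events to a central log server.

```python
"""Minimal low-interaction honeypot: emulate an SSH banner on a TCP port,
record whatever the client sends, and never hand out a real shell."""
import json
import socket
import socketserver
import threading
import time

# Constructed fake banner (assumption). A real deployment chooses a banner
# consistent with the OS and the other fake services it exposes.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
MAX_BYTES = 4096   # cap what we read so a client cannot fill memory or disk
EVENTS = []        # in-memory log for the demo; production ships these to a log server


def make_event(peer, received):
    """Build the structured log record for one connection."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": "ssh-emulated",
        "bytes": len(received),
        # keep a printable copy of the first bytes; never execute or eval them
        "data": received[:200].decode("utf-8", "replace"),
    }


class BannerHandler(socketserver.BaseRequestHandler):
    """Send the banner, read until the client closes or the cap is reached, log it."""

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(FAKE_BANNER)
        received = b""
        try:
            while len(received) < MAX_BYTES:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass  # idle client: log what we have
        EVENTS.append(make_event(self.client_address, received))


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start(host="127.0.0.1", port=0):
    """Start the listener in a background thread; return (server, bound_port)."""
    srv = Honeypot((host, port), BannerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port, payload=b"SSH-2.0-scanner\r\n"):
    """Act as the attacker's client: read the banner, send a payload, close."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_events(count=1, timeout=3.0):
    """Block until `count` events have been logged (or timeout); return a copy."""
    deadline = time.time() + timeout
    while len(EVENTS) < count and time.time() < deadline:
        time.sleep(0.02)
    return list(EVENTS)


if __name__ == "__main__":
    server, bound_port = start()
    print(probe(bound_port))
    print(json.dumps(wait_for_events(1), indent=2))
    server.shutdown()
    server.server_close()
```

Because nothing legitimate ever connects, every record in EVENTS is worth reading; the interesting fields are the source address and the first bytes sent, which usually reveal the scanner or the exploit being tried.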
A low interaction honeypot is useful for uncovering the first stage of the Cyber Kill Chain (Reconnaissance):
The Hacker Reconnaissance (Stage 1 of Cyber Kill Chain):
What do hackers want to know?
- What OS you are running
- Which ports are open (what services are exposed)
- Which hosts are up and running
If hackers have this information, they can look up exploits for those operating systems and services and run them against your servers. Nmap is a great tool for sysadmins; it is also used by malicious hackers to build a deeper picture of your systems and is the standard tool for this reconnaissance stage. A low interaction honeypot such as Honeyd turns this around: it can emulate the TCP/IP stack of a chosen operating system so that an Nmap OS scan reports the decoy as that system, and every probe it receives is logged.
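Reconnaissance shows up in honeypot logs as one source touching many ports in a short time. As an added example (not from the original post or from any honeypot project), the following Python script reads constructed connection log lines in the form `<timestamp> <src_ip> <dst_port>` and flags sources that hit a configurable number of distinct ports within a sliding time window. The log format, window and threshold are assumptions for the demo.

```python
"""Spot reconnaissance in low-interaction honeypot logs: one source touching
many distinct ports within a short window is a port scan, not a client."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (assumed format): <ISO timestamp> <src_ip> <dst_port>
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.23 22
2024-03-01T10:00:00 198.51.100.23 23
2024-03-01T10:00:01 198.51.100.23 80
2024-03-01T10:00:01 198.51.100.23 443
2024-03-01T10:00:02 198.51.100.23 445
2024-03-01T10:00:02 198.51.100.23 3389
2024-03-01T10:05:00 203.0.113.9 22
2024-03-01T10:30:00 203.0.113.9 22
"""


def parse(log_text):
    """Return a list of (timestamp, src_ip, dst_port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def find_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Return {src_ip: sorted distinct ports} for every source that hit at
    least `min_ports` distinct ports inside any `window`-long interval."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))

    scanners = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in hits})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(parse(SAMPLE_LOG)).items():
        print(f"port scan from {src}: {ports}")
```

Note that 203.0.113.9 is not classified as a scanner, yet it still connected to a honeypot twice; on a honeypot every hit deserves a look, and this classification only tells you which ones are reconnaissance sweeps.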
Honeytokens:
A honeytoken is a piece of data rather than a machine: a file, database record or credential that looks attractive from an attacker’s point of view but has no legitimate use. It can be placed on a normal system with access restricted from normal users, so if someone tries to access it we know they are doing something they should not be doing. Honeytokens are often used to catch insider threats by monitoring for any use of the token. A research paper gives a really good example of how a honeytoken works:
“A bogus medical record called “John F. Kennedy” is created and loaded into the database. This medical record has no true value because there is no real patient with that name. Instead, the record is a honeytoken, an entity that has no authorized use. If any employee is looking for interesting patient data, this record will definitely stand out. If the employee attempts to access this record, you have an indication of an employee violating patient privacy.”
Source: Lance Spitzner on “Honeypots: Catching the Insider Threat”
A couple of ways to determine whether someone has accessed it:
- Create an IDS signature that searches packets for key phrases from the document. If the signature trips, someone is moving that file, or its contents, across the network.
- Watch the file’s access time: whenever someone views or reads the file, the access time changes.
- Neither is fool-proof. The attacker may compress or encrypt the document before sending it, so the IDS never sees the key phrase; and access times can be set back to their old value (timestomping), or may not be updated at all on filesystems mounted with noatime or relatime, so they are not a reliable indicator on their own. The most robust trigger is any read of the token at all, recorded by the system that holds it (file auditing, database query logging).
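The following Python script is an added example (not from the original post or from Spitzner’s paper) that implements both checks above and shows where each one fails: an IDS-style content rule for the “John F. Kennedy” phrase run over constructed packet payloads, where a base64-encoded copy stands in for encrypted exfiltration and slips through, and a file access-time check that an attacker defeats by resetting the timestamp. Packet contents, file names and the temporary file are constructed for the demo.

```python
"""Two ways to notice that a honeytoken was touched, and the evasions the
text warns about: a content signature (IDS style) and a file access-time check."""
import base64
import os
import re
import tempfile
import time

# Constructed honeytoken phrase: the bogus record from the Spitzner example.
HONEYTOKEN = b"John F. Kennedy"

# IDS-style content rule: the phrase, case-insensitive, anywhere in a payload.
SIGNATURE = re.compile(re.escape(HONEYTOKEN), re.IGNORECASE)


def inspect_payload(payload: bytes) -> bool:
    """True when the honeytoken phrase is visible in the raw payload."""
    return SIGNATURE.search(payload) is not None


def scan_packets(packets):
    """Apply the rule to (src, dst, payload) tuples; return the (src, dst) pairs that alert."""
    return [(src, dst) for src, dst, payload in packets if inspect_payload(payload)]


# Constructed sample traffic. base64 stands in for any encoding or encryption
# that hides the phrase from a plain content match.
SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.8", b'POST /export {"patient": "John F. Kennedy"}'),  # caught
    ("10.0.0.5", "10.0.0.9", b"GET /records?patient=Jane+Doe"),                    # benign
    ("10.0.0.7", "203.0.113.8", base64.b64encode(HONEYTOKEN)),                    # missed
]


def atime_demo():
    """Create a honeytoken file, read it, then set the access time back.

    Returns (changed_after_read, changed_after_reset). The second value is
    always False: an attacker who resets the access time defeats the check.
    The first depends on the filesystem; on a noatime mount it is False too.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "patients_export.csv")
        with open(path, "wb") as f:
            f.write(b"name,dob\n" + HONEYTOKEN + b",1917-05-29\n")
        baseline = os.stat(path).st_atime_ns
        time.sleep(0.05)             # get past the kernel's timestamp granularity
        with open(path, "rb") as f:  # the "unauthorized" access
            f.read()
        changed_after_read = os.stat(path).st_atime_ns != baseline
        # timestomping: put the access time back, leave the modification time alone
        os.utime(path, ns=(baseline, os.stat(path).st_mtime_ns))
        changed_after_reset = os.stat(path).st_atime_ns != baseline
    return changed_after_read, changed_after_reset


if __name__ == "__main__":
    print("content-rule alerts:", scan_packets(SAMPLE_PACKETS))
    print("atime changed after read / after reset:", atime_demo())
```

Only the plaintext export trips the content rule; the encoded copy carries the same record out unnoticed, and one `os.utime` call is enough to make the access-time check report nothing. That is why a read of the token logged by the holding system (file auditing or database query logging) is the check to build on.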
Mid Interaction Honeypots:
Examples: Multipot, Nepenthes and mwcollectd
Here the services are still emulated, but you can provide scripts so that the attacker can interact a little more with the system (it reacts and responds to some of the packets thrown at it). A key feature of mid interaction honeypots is application-layer virtualization: the protocol is faked well enough to carry a session, but no real operating system is exposed.
Mid interaction honeypots do not aim to simulate a fully working operating system like high interaction honeypots, nor do they aim to implement all the details of an application protocol (Georg Wicherski, http://julien.desfossez.free.fr/doc/midinthp.pdf).
Be aware that this type of honeypot is more complex and time-consuming to develop, manage and maintain, so it requires a higher skill level and more knowledge than a low interaction one.
High Interaction Honeypots:
Examples: Honeynets – a complete network segment full of honeypots ready for attackers to interact with
High interaction honeypots are real, often deliberately vulnerable, operating systems put in place for the hacker to interact with. This type of honeypot is often run in a virtual machine, but it can also be run on a separate physical machine. It carries greater risk (the attacker gets a real system that can be used as a stepping stone, so its outbound traffic must be tightly controlled) while offering a far more detailed picture of how an attack or intrusion progresses, or even how malware executes in real time.
Nothing in a high interaction honeypot is emulated; it is all real. Therefore higher complexity and more maintenance are involved.
The perk of a high interaction honeypot is that, because nothing is emulated, it can capture previously unknown (zero-day) exploits: there is no script for the attacker to run out of, so whatever they use against the real service is recorded.
One of the disadvantages is that an attacker can usually tell they are in a virtual environment, either by checking the hardware configuration or by running ipconfig /all and checking the MAC address bound to the network card. In a VMware environment, the vendor part of the MAC address (the first three octets, the OUI) is always one of the VMware prefixes:
Source: Screenshot of my VMware environment MAC address
Bear in mind that a VMware MAC address on its own proves little today, since most production servers are virtual machines as well; it is the combination of VM tells with an oddly quiet, unpatched host that gives a honeypot away.
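As an added example (not from the original post), this Python function performs the check described above from the defender’s side: it scans interface output such as `ipconfig /all` or `ip link` for MAC addresses and reports those whose OUI belongs to VMware, so you can see the tell before an attacker does. The OUI list is assumed from the public IEEE registry and the interface listing is constructed for the demo.

```python
"""Check an interface listing for VMware vendor prefixes (OUIs), the tell an
attacker looks for with `ipconfig /all` on a suspected honeypot."""
import re

# Well-known VMware OUIs (assumption: taken from the public IEEE registry;
# confirm against the current registry before relying on this list).
VMWARE_OUIS = {"00:50:56", "00:0C:29", "00:05:69", "00:1C:14"}

# A MAC written with ':' or '-' separators, in either case.
MAC_RE = re.compile(r"\b" + r"[:-]".join([r"([0-9A-Fa-f]{2})"] * 6) + r"\b")


def vmware_macs(text):
    """Return every MAC in `text` (normalized to XX:XX:XX:XX:XX:XX) whose OUI is VMware's."""
    hits = []
    for m in MAC_RE.finditer(text):
        mac = ":".join(g.upper() for g in m.groups())
        if mac[:8] in VMWARE_OUIS:
            hits.append(mac)
    return hits


# Constructed excerpt in the style of `ipconfig /all` output (not a real host).
SAMPLE_OUTPUT = """
Ethernet adapter Ethernet0:
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-4A-1B-7C
Ethernet adapter Ethernet1:
   Physical Address. . . . . . . . . : 02-00-00-AA-BB-CC
"""

if __name__ == "__main__":
    print(vmware_macs(SAMPLE_OUTPUT))
```

The same function works on Linux `ip link` output, where the broadcast address `ff:ff:ff:ff:ff:ff` also matches the pattern but is filtered out by the OUI check. If the honeypot must look like physical hardware, the fix is to assign a locally administered or vendor-appropriate MAC to the virtual NIC, not just to hide the tool output.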
What type of Honeypot should the company be using?
There are different factors to take into account when choosing a honeypot for a system:
- The security team size
- Skill level
- The goal of the honeypot / What are you trying to achieve?
To start with, I would suggest the use of a low-interaction Honeypot. This will give everyone working on it a solid grounding and understanding of Honeypots. Also, with distributions like Honeydrive, the company can take advantage of its hassle-free nature and employ multiple honeypots with different goals.
Alerts & False positive:
IT teams are bombarded with thousands of alerts a day, with little or no distinction between high- and low-risk events. This is where honeypots shine: a honeypot has no legitimate users, so it only logs a few hundred events, and nearly all of them are worth looking at. That makes the data far easier to manage and analyze, and lets staff act quickly to evict the intruder before further damage is done.
However, a honeypot alert is not fool-proof either. When it comes to honeypot alerts, beware of a different kind of false positive.
For instance, an attacker can create a diversion: deliberately hammering the honeypot (possibly from spoofed source addresses that point at the wrong culprit) so that the honeypot reports a stream of apparently genuine attacks. This drives your IT admins to investigate the wrong activity.
Meanwhile, during this false alert, the attacker focuses on the real attack against the production system. Treat a honeypot alert as a prompt to check the production systems as well, not only the honeypot.
Defense in Depth (layered defense) is not fool-proof either, because an insider threat can bypass all your layers. It is important to keep honeypots known only to those who run them.
Ways that we can be alerted if an attack happens on our Honeypot:
It is critical to have proper alerting configured for your honeypot. Logs from all devices in the honeypot should be sent to a centralized logging server, and security staff should be alerted whenever an attacker enters the environment. This lets staff track the attacker and, at the same time, closely monitor the production environment to make sure it is secure.
For the centralized logging server, I would recommend checking either of these:
Benefits of Logging:
The data collected by honeypots can be leveraged to enhance other security technologies. You can correlate honeypot logs with other system logs, IDS alerts and firewall logs. This produces a more comprehensive picture of suspicious activity within the organization and lets you configure more relevant alerts that produce fewer false positives: a source address that has already touched the honeypot deserves a much closer look when it shows up in the production firewall log.
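As an added example of that correlation (not from the original post or from any logging product), the Python script below parses constructed honeypot alerts and firewall log lines, then raises an alert for every firewall event whose source address was seen on the honeypot within the previous 24 hours, rating accepted connections to production higher than dropped ones. Both log formats, the window and the severity labels are assumptions for the demo.

```python
"""Correlate honeypot hits with firewall logs: a source that touched the
honeypot and later reached a production host is worth a high-priority alert."""
import re
from datetime import datetime, timedelta

# Constructed honeypot alerts (assumed format): "<ts> honeypot src=<ip> service=<name>"
HONEYPOT_LOG = """\
2024-03-01T09:58:10 honeypot src=198.51.100.23 service=ssh-emulated
2024-03-01T09:58:12 honeypot src=198.51.100.23 service=telnet-emulated
2024-03-01T11:40:00 honeypot src=192.0.2.77 service=http-emulated
"""

# Constructed firewall lines (assumed format): "<ts> fw action=<ACCEPT|DROP> src=<ip> dst=<ip> dport=<n>"
FIREWALL_LOG = """\
2024-03-01T10:03:30 fw action=ACCEPT src=198.51.100.23 dst=10.0.0.12 dport=443
2024-03-01T10:03:31 fw action=DROP src=198.51.100.23 dst=10.0.0.12 dport=22
2024-03-01T10:10:00 fw action=ACCEPT src=203.0.113.50 dst=10.0.0.12 dport=443
2024-03-03T08:00:00 fw action=ACCEPT src=192.0.2.77 dst=10.0.0.20 dport=443
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Turn '<ts> <source> k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(maxsplit=2)
        fields = dict(KV.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events


def correlate(honeypot_events, firewall_events, window=timedelta(hours=24)):
    """Flag firewall events whose source hit the honeypot up to `window` earlier."""
    first_seen = {}
    for e in honeypot_events:
        first_seen[e["src"]] = min(e["ts"], first_seen.get(e["src"], e["ts"]))

    alerts = []
    for f in firewall_events:
        seen = first_seen.get(f["src"])
        if seen is None or not (seen <= f["ts"] <= seen + window):
            continue  # never seen on the honeypot, or too long ago to link
        alerts.append({
            "src": f["src"],
            "dst": f["dst"],
            "dport": int(f["dport"]),
            # accepted traffic into production after a honeypot hit is the urgent case
            "severity": "high" if f["action"] == "ACCEPT" else "medium",
            "honeypot_first_seen": seen.isoformat(),
            "ts": f["ts"].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(HONEYPOT_LOG), parse(FIREWALL_LOG)):
        print(alert)
```

The firewall line from 203.0.113.50 is the kind of event that normally drowns in the daily alert volume; it stays quiet here because that address never touched the honeypot, while the two lines from 198.51.100.23 are promoted precisely because the honeypot saw it first. The 192.0.2.77 hit falls outside the window and is dropped; tune the window to how long your attackers typically take between reconnaissance and the real attempt.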