PRACTICAL GUIDE ON HONEYPOTS

Welcome to my new blog series on honeypots. You have probably heard of these systems, used to entrap hackers and study their techniques and behavior when compromising information systems, and you want to install one. This is the right place to be. This series will cover what honeypots are, honeypot deployment models on a network, setting up the T-Pot and HoneyBot flavors of honeypots, and exploring their unique features and functionalities.

This introductory article covers what honeypots are, how they are classified, and the honeypot technologies in use.

With an ever-rising number of Tactics, Techniques and Procedures (TTPs) used in Advanced Persistent Threats to compromise information systems, the scope of an organization's job of protecting its assets must also grow persistently. MITRE ATT&CK provides a knowledge base of these adversary tactics and techniques, based on real-world observations and organized in matrices. Red Canary supplies detailed information on some of these techniques. Going through these resources is recommended.

What are honeypots?

Honeypots are decoy systems deployed alongside production systems to deceive attackers into compromising them so that their behavior can be studied. A honeypot is a system whose value lies in being probed, attacked or compromised. For the honeypot to look credible enough for attackers to exploit, it should:

  • appear to be a legitimate system, with some realistic-looking data and files that seem important but are not
  • run the services and processes that are expected on a production system
  • have only basic security, i.e. weak and/or default passwords
  • be configured with a compelling name, such as financials.companyname.com or mail.companyname.com.

Hence, by enticing hackers to interact with this false IT asset, honeypots can be regarded as a deception technology.

Note — If the system doesn’t appear real or looks unusual, the hacker will most likely detect the trap and move on.

How can honeypots be classified?

According to Rapid7 (2016), the main purposes of honeypots are to:

  • divert malicious traffic away from important systems
  • get early warnings of current attacks before critical systems are hit
  • gather information and valuable insights about an attacker and the attack methods.

In terms of use/objectives, two types of honeypots can be deployed:

  1. Research honeypots — gather information on attacks to learn about hacking methodologies. Example: the Honeynet Project, a volunteer project that runs honeypots to assess cyber threats.
  2. Production honeypots — their primary focus is diverting attacks from important systems. The information gathered is used to further secure the production environment.

In terms of the level of involvement or interaction, there are four categories of honeypots:

Low interaction honeypots

Characteristics

  • They offer the frequently requested services that hackers typically look for.
  • Are easy to maintain and less resource-intensive.
  • Are harder to use as a launch point for attacks on other systems, because they give an attacker very limited access to the operating system, so the adversary cannot interact with the decoy in depth.
  • Are less effective at collecting information, because the interaction they allow is minimal.

High interaction honeypots

Characteristics

  • Appear to run all the services that a production system would run, including a full operating system. This lets the deploying organization learn a lot more about attack behavior and methods.
  • Low detection rate — recognizing this type of honeypot is much harder since it mimics production systems.
  • Are more resource-intensive and harder to set up and maintain.
  • Are loaded with more features and functionality. Therefore, they are more likely to be used for lateral movement and attacks on other systems. In such cases, the owner of the honeypot can be held liable for the attacks. This is referred to as downstream liability (Rapid7, 2016).

Mid-interaction honeypots

Characteristics

  • They emulate aspects of the application layer, i.e. services.
  • Do not have an operating system of their own.
  • They provide some interactivity to stall or confuse attackers, so that the organization using them has more time to figure out how to properly react to an attack.

Pure honeypot

A pure honeypot is a physical server configured entirely as a honeypot to lure attackers.

Characteristics

  • It contains “confidential” data and user information that are not genuine.
  • It is full of sensors to detect and capture malicious activity.
  • It is complex and difficult to maintain, but provides invaluable information.
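To make the low-interaction category concrete, here is a minimal low-interaction TCP decoy written for this article as an added example (it is not code from the article, T-Pot or HoneyBot). It listens on a port, sends a fake service banner, records the source address and the first message each client sends, and closes the connection. The captured bytes are logged as evidence and never interpreted, which is exactly why such a decoy gives an attacker no foothold on the operating system but also yields only shallow information. The banner string, the port choice (port 0, so the OS picks a free one for the demo) and the probe payload are all constructed assumptions for the demonstration.

```python
import socket
import threading
import time

# Constructed decoy banner; a real deployment would pick one matching the
# service being imitated. Nothing here implements SSH, it is only a string.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def handle_connection(conn, addr, log):
    """Serve one client: send the banner, capture its first message, close.

    The captured bytes are stored only as evidence; they are never parsed
    or executed, which is what keeps a low-interaction honeypot from being
    usable as a launch point against other systems.
    """
    conn.settimeout(2.0)
    record = {"ts": time.time(), "src_ip": addr[0], "src_port": addr[1], "data": ""}
    try:
        conn.sendall(BANNER)
        data = conn.recv(1024)
        record["data"] = data.decode("utf-8", errors="replace")
    except OSError:  # covers socket.timeout and a client that drops early
        pass
    finally:
        conn.close()
    log.append(record)
    return record


class LowInteractionHoneypot:
    """Single-banner TCP listener that logs every connection attempt."""

    def __init__(self, host="127.0.0.1", port=0):
        # port=0 lets the OS choose a free port (assumption for the demo);
        # a real decoy would bind the port of the service it imitates.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.log = []
        self._running = False

    def _serve(self):
        while self._running:
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break  # listening socket closed by stop()
            threading.Thread(
                target=handle_connection, args=(conn, addr, self.log), daemon=True
            ).start()

    def start(self):
        self._running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        self._running = False
        self.sock.close()


def probe(port, payload):
    """Stand in for a scanner touching the decoy: read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def run_demo(payload=b"SSH-2.0-scanner\r\n"):
    """Start the decoy, hit it once, and return (banner seen, log records)."""
    hp = LowInteractionHoneypot()
    hp.start()
    banner = probe(hp.port, payload)
    deadline = time.time() + 3.0
    while not hp.log and time.time() < deadline:
        time.sleep(0.05)  # wait for the handler thread to finish logging
    hp.stop()
    return banner, list(hp.log)


if __name__ == "__main__":
    seen_banner, records = run_demo()
    for r in records:
        stamp = time.strftime("%H:%M:%S", time.localtime(r["ts"]))
        print(f"{stamp} {r['src_ip']}:{r['src_port']} sent {r['data']!r}")
```

Each log record is the early-warning signal the article describes: a connection to a system nobody should be talking to. Note what the decoy cannot tell you: it sees one message and nothing of what the attacker would do next, which is the information-gathering limit of this category.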

Honeypot technologies in use

  1. Malware honeypots — are used to detect malware that propagates over common attack vectors. For instance, a honeypot can be made to emulate a USB drive in order to monitor malware that uses this vector. Ghost USB honeypot is a good example: it works by emulating a USB thumb drive. If malware identifies the emulated drive, it will try to infect it. Ghost then looks for write requests to the USB drive, which are an indication of malware.
  2. Spam honeypots — emulate open mail relays and open proxies and are designed to collect spam. Inactive email addresses not used by real people are set up to catch spammers who send messages to these accounts, which never opted in to any email campaign.
  3. Database honeypots — since activities like SQL injection can often go undetected by firewalls, some organizations implement database firewalls, some of which provide honeypot functionality to create decoy databases.
  4. Client honeypots — while most honeypots are servers listening for connections, client honeypots pose as a client that looks for malicious servers that attack client systems. They interact with servers and monitor for unexpected modifications to the client system. They run on virtualization technology, so that infected systems can be restored to a clean state after an infection.
  5. Honeynets — rather than a single system acting as a honeypot, a honeynet is a network of multiple honeypots that aims to strategically track the methods and motives of an attacker while containing all inbound and outbound traffic.

In conclusion, the following are worth noting when using honeypots:

  • Honeypots do not replace any traditional security mechanism but add another layer of security.
  • Honeypots do not prevent attacks; they divert attacks from real systems and gather information about the attack.
  • A honeypot will only see attacks against itself; attacks on other systems go completely undetected by it.

That’s it for now. In my next article, I will talk about the different locations to place honeypots in a typical network. So, keep coming back!

@ilabAfrica IT Security Research