
All things honey.

  • Christian Popov
  • Apr 20, 2019
  • 5 min read

Updated: Apr 23, 2019


Hello dear reader. A long time ago in a galaxy far far away, my colleagues and I decided to run a honeypot as a side project. Needless to say, we haven't been paying much attention to it. So today I decided to pull a report from it and see what's been going on for the past week. But before I dive into the report, here are some important considerations to think about when standing up a honeypot. Edit: I wanted to talk about the report I pulled but this turned into a full blown honeypot post. I'll make a few more posts about our honeypot deployment and the report.

Goal: Honeypots can be used in a variety of ways, including but not limited to research, early warning systems, security and cyber deception.

Research - As the name suggests, the goal of the honeypot is research. The honeypot is used for monitoring internet traffic as a whole, and the data is used to generate reports and trends on persistent or emerging scanning and exploit attempts. This is our own goal as well.

Early Warning System - As we all know, things on the internet spread fast. If a new exploit is detected in one part of the world, it's only a matter of time before it's attempted everywhere. Honeypots can be used as early warning systems. Deploying a few honeypots in what's known as a honeypot network can give you a good perspective on emerging threats. Some great examples of honeypot use on Twitter are @VessOnSecurity, @bad_packets and @GreyNoiseIO.

Security - Honeypots can be deployed inside your own environment to detect strange traffic patterns such as user logins to unauthorized servers, lateral movement, or exploit attempts from internal hosts against other internal hosts.

Cyber Deception - Cyber deception is a relatively new concept which encompasses a few elements, one of which is honeypots. The aim of deception technology is to prevent a cybercriminal that has managed to infiltrate a network from doing any significant damage. The technology works by generating traps or deception decoys that mimic legitimate technology assets throughout the infrastructure.

A key difference between these deployments is where the honeypot is placed: outside or inside your environment. The first two are generally placed outside or at the perimeter, and the latter two are more suited for the inside of your network.

Interaction Level: There are three main categories of honeypots based on their interaction level: low, medium and high.


A Low Interaction Honeypot (LIH) in simplest terms is a “dumb listener”. It opens a service port and waits for the adversary to initiate a network connection. The LIH cannot speak the protocol, but it will record every packet sent by the attacker and will do rudimentary acknowledgements in an attempt to entice more responses.

Pros:

  • An open service port entices the attacker to probe it further;

  • Good for capturing unsophisticated attackers and propagating malware;

  • Easy to cover services not available or difficult to deploy in Medium and High Interaction Honeypots;

  • They are easy to design and are lightweight making them highly scalable;

  • A connection is a conviction – it provides high fidelity with no signatures;

  • Automated response workflows can quickly take advantage to isolate the compromised endpoint;

Cons:

  • Forensic evidence is limited to a few network packets captured;

  • Advanced adversaries quickly change tactics and will attempt to cover their tracks

  • The trap may spring too early without automated responses and you could lose the adversary

  • You will not learn much about the adversary’s tactics, techniques and procedures (TTPs)
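A minimal implementation of the “dumb listener” described above, added here as an example and not code from the original post or from any honeypot project: it opens a TCP port, sends a constructed banner (the SSH-looking greeting is an assumption, a LIH cannot actually speak the protocol), records whatever the peer sends as hex together with the source address and timestamp, and closes. `capture_one` is a hypothetical helper that plays the client side against the listener on loopback so the whole thing runs offline; in a real deployment you would bind to a public or internal address and ship the JSON-lines log to your SIEM.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed banner: an SSH-looking greeting sent right after accept().
# A LIH cannot speak the protocol; it only replies enough to elicit more bytes.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class LowInteractionListener:
    """'Dumb listener' honeypot: accept TCP connections, send a banner, record
    whatever the peer sends, close. Records stay in memory and are optionally
    appended as JSON lines to log_path. Captured bytes are stored as hex and
    never parsed, rendered or executed."""

    def __init__(self, host="127.0.0.1", port=0, banner=BANNER,
                 read_timeout=2.0, max_bytes=4096, log_path=None):
        self.host, self.port = host, port
        self.banner = banner
        self.read_timeout = read_timeout
        self.max_bytes = max_bytes
        self.log_path = log_path
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]   # port 0 -> ephemeral port chosen by the OS
        self._sock.listen(16)
        self._sock.settimeout(0.2)                # lets the accept loop poll the stop flag
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        started = datetime.now(timezone.utc)
        payload = b""
        try:
            conn.sendall(self.banner)             # the "rudimentary acknowledgement"
            conn.settimeout(self.read_timeout)
            while len(payload) < self.max_bytes:  # cap what an attacker can make us store
                chunk = conn.recv(self.max_bytes - len(payload))
                if not chunk:
                    break
                payload += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        record = {
            "ts": started.isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "dst_port": self.port,
            "bytes": len(payload),
            "payload_hex": payload.hex(),
        }
        with self._lock:
            self.records.append(record)
            if self.log_path:
                with open(self.log_path, "a", encoding="utf-8") as fh:
                    fh.write(json.dumps(record) + "\n")


def capture_one(data=b"root\r\n", host="127.0.0.1"):
    """Hypothetical self-test helper: start a listener, connect to it as a fake
    client, send `data`, and return (banner received, record produced)."""
    hp = LowInteractionListener(host=host)
    port = hp.start()
    try:
        with socket.create_connection((host, port), timeout=2) as c:
            banner = c.recv(64)
            c.sendall(data)
            c.shutdown(socket.SHUT_WR)            # tell the listener we are done sending
        deadline = time.time() + 5
        while not hp.records and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return banner, (hp.records[0] if hp.records else None)


if __name__ == "__main__":
    print(capture_one())
```

Note the two defensive choices: a read timeout, so an idle connection cannot pin a handler thread forever, and a byte cap, so a flood of data cannot fill the disk. Because the listener never interprets what it receives, every connection it records is the “connection is a conviction” signal from the pros list.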


A Medium Interaction Honeypot (MIH) emulates key services or behaviors of the operating system it is masquerading as. The intent of the MIH is to stall, confuse or delay the adversary, giving the SOC/IR team sufficient time to assess the attack and determine appropriate isolation or remediation actions. It will provide a subset of commands commonly executed by intruders and present a file system and service interactions that appear normal. MIHs will not stand up to prolonged scrutiny by an adversary, but that is not what they are designed to do.

Pros:

  • Stands up to more intensive remote probes from adversaries;

  • Provides visibility into the early TTPs of the adversary;

  • Permits the adversary to interact with the decoy file system, allowing both the upload and download of files

  • Permits the adversary to “exploit” the target as if it were a live system

  • Helps reveal the attacker’s intended objective in your organization

  • Provides detailed forensics on how the adversary interrogates targets

  • If automated responses are not possible, MIH provides additional time for manual responses

  • They are not vulnerable to the exploits a High Interaction Honeypot will have

  • There are no licensing or installation costs for the operating system or applications – they are emulated, and as such, do not actually exist

  • Emulations have smaller footprints and can easily scale to numbers required to complete the deception environment

  • An interaction is a conviction – with verifiable intent

Cons:

  • While the illusion is extended greatly beyond LIH, it does not last forever

  • Additional configuration steps are required to make the deception as realistic as possible

  • MIH solutions will cost more than LIH due to increased design and development costs

  • MIH solutions will require more updates than LIH to keep in step with service and operating system changes

A High Interaction Honeypot (HIH) is a full-blown, actual operating system or device and has installed applications or services desired to complete the deception.  The intent of an HIH is to hold the attacker in the illusion indefinitely while the forensics team gathers every scrap of intelligence possible about the adversary.


Pros:

  • Provides the richest, truest interaction environment for the adversary

  • Can hold the adversary in the illusion for the longest possible time frame

  • Allows for the most customization and population of real-world data

Cons:

  • Incurs licensing and maintenance costs from the vendor or supplier

  • Utilizing infrastructure gear and other proprietary devices or appliances can be cost prohibitive

  • Can introduce unknown vulnerabilities, allowing the adversary to breach your internal security defenses

  • Are not inherently designed for forensic capture – requires additional software and design considerations

  • Footprint is more resource intensive, introducing enterprise scalability issues

  • Even virtualized HIH require resources that limit the feasible amount of deployed decoys in an enterprise

  • Unless you are a security vendor or intelligence gathering entity, the added value gained from allowing the attacker additional time in the decoy diminishes rapidly in comparison to increased costs, care and feeding

(FYI: all the pros and cons come from a TrapX article, linked below. TrapX is a leading company in the Cyber Deception field.)


Service Emulation:

Honeypots come in various shapes and sizes and can emulate almost anything. This is a short list of some of the things honeypots can emulate:

  • Services: SSH, RDP, VNC, SMB, NTP, SMTP, etc.

  • Databases: Elasticsearch, NoSQL, MySQL, PostgreSQL, MongoDB, etc.

  • Web: Bukkit, Symphony, NodeJS, Apache Struts 2, Django, Drupal, WordPress, etc.

  • ICS: SCADA, PLC.

  • IoT

  • Mobile devices

The full list of honeypots and their uses can be found in the references below.

Which honeypot to choose: Well dear reader, the answer is... (drum roll) ..... you decide. It really depends on what you are trying to achieve by setting up a honeypot, and the time you want to spend on achieving said goal. Do you want to just get data on Internet trends? Do you want to see who might want to leak a database? Do you want to set traps inside your environment?

Our case: We chose to set up a low-to-medium interaction research honeypot. That way we don't have to monitor it 24/7, but we still get valuable data out of it. We get spikes of newly infected hosts and currently trending mass exploits.

Example: IP : 62.217[.]XXX[dot]XXX

Compiled HTML code of a fake phpMyAdmin page.

According to GreyNoise, the IP is flagged with high confidence as a PHP worm propagator.

https://viz.greynoise.io/ip/62.217.125.183

https://exchange.xforce.ibmcloud.com/ip/62.217.125.183

More on that when I get to the report.
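The kind of weekly report a research honeypot like ours feeds (the trends of the Research goal above, and the “spikes of newly infected hosts and currently trending mass exploits” from our case), as an added example that is not the author's own report code: it reads JSON-lines connection records of the shape a low-interaction listener might write, and for the seven days ending at a chosen date computes top destination ports, top source addresses, sources never seen before that week, and ports whose hit count jumped compared with the previous seven days. The sample log is constructed (RFC 5737 documentation addresses, not real scanners), and the field names and the spike threshold are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log (JSON lines) from a hypothetical low-interaction listener.
# Addresses are from the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
{"ts": "2019-04-08T03:12:09+00:00", "src_ip": "192.0.2.10", "src_port": 51002, "dst_port": 22, "bytes": 14}
{"ts": "2019-04-09T11:40:51+00:00", "src_ip": "192.0.2.10", "src_port": 51977, "dst_port": 22, "bytes": 0}
{"ts": "2019-04-10T18:02:33+00:00", "src_ip": "198.51.100.7", "src_port": 40001, "dst_port": 445, "bytes": 88}
{"ts": "2019-04-15T00:05:17+00:00", "src_ip": "192.0.2.10", "src_port": 52210, "dst_port": 22, "bytes": 14}
{"ts": "2019-04-15T06:31:44+00:00", "src_ip": "203.0.113.5", "src_port": 33010, "dst_port": 80, "bytes": 312}
{"ts": "2019-04-16T06:33:02+00:00", "src_ip": "203.0.113.6", "src_port": 33011, "dst_port": 80, "bytes": 309}
{"ts": "2019-04-17T06:35:19+00:00", "src_ip": "203.0.113.9", "src_port": 33012, "dst_port": 80, "bytes": 310}
{"ts": "2019-04-18T21:10:00+00:00", "src_ip": "198.51.100.7", "src_port": 40120, "dst_port": 445, "bytes": 90}
"""

# End of the reporting week used by sample_report(); chosen to match the sample log.
REPORT_WEEK_END = datetime(2019, 4, 20, tzinfo=timezone.utc)


def load_records(text):
    """Parse JSON lines into dicts, turning 'ts' into a timezone-aware datetime.
    Blank or malformed lines are skipped rather than aborting the report."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        out.append(rec)
    return out


def weekly_report(records, week_end, spike_factor=3):
    """Summarise the 7 days ending at week_end (exclusive) against the 7 days
    before. 'new_sources' are addresses never seen before this week (the
    newly-infected-host spike); 'port_spikes' are ports whose count grew by at
    least spike_factor (candidate mass-exploit trends). spike_factor is an
    assumed threshold, not something the post specifies."""
    week_start = week_end - timedelta(days=7)
    prev_start = week_start - timedelta(days=7)
    this_week = [r for r in records if week_start <= r["ts"] < week_end]
    prev_week = [r for r in records if prev_start <= r["ts"] < week_start]
    earlier_sources = {r["src_ip"] for r in records if r["ts"] < week_start}

    ports = Counter(r["dst_port"] for r in this_week)
    prev_ports = Counter(r["dst_port"] for r in prev_week)
    sources = Counter(r["src_ip"] for r in this_week)

    spikes = {}
    for port, n in ports.items():
        before = prev_ports.get(port, 0)
        # a port unseen last week gets a baseline of 1 so brand-new ports can still spike
        if n >= spike_factor * max(before, 1):
            spikes[port] = (before, n)

    return {
        "window": (week_start.isoformat(), week_end.isoformat()),
        "connections": len(this_week),
        "top_ports": ports.most_common(5),
        "top_sources": sources.most_common(5),
        "new_sources": sorted(set(sources) - earlier_sources),
        "port_spikes": spikes,
    }


def sample_report():
    """Run the report over the constructed log for the week ending REPORT_WEEK_END."""
    return weekly_report(load_records(SAMPLE_LOG), REPORT_WEEK_END)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2, default=str))
```

On the sample log the week of 13–19 April shows port 80 jumping from zero hits to three, all from addresses the honeypot had never seen, which is exactly the “new worm propagator” pattern the GreyNoise lookup above confirms for a single IP; a real report would run this over the listener's log file instead of the embedded sample.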

In conclusion, honeypots can give a great insight into the goings on both outside and inside your environment. The information provided can be used for research, situational awareness and Threat Intelligence.


References:

  • https://www.infoworld.com/article/2673437/honeypots-as-an-early-warning-system.html

  • https://www.forcepoint.com/cyber-edu/deception-technology

  • https://www.intego.com/mac-security-blog/a-honeypot-guide-why-researchers-use-honeypots-for-malware-analysis/

  • https://blog.aimultiple.com/deception-tech-companies/

  • https://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-fischbach-up.pdf

  • https://trapx.com/does-your-honeypot-interaction-match-your-security-operations-service-level-agreement/

  • https://github.com/paralax/awesome-honeypots

  • http://www.honeynetwork.co.nz/index.php?option=com_content&view=article&id=95&Itemid=435

  • https://github.com/threatstream/mhn



©2019 by ChrispySec. Proudly created with Wix.com
