Blog: Honeypots

Honeypots; a usage guide

Chris Pritchard 05 May 2015

Honeypots

I remember clearly what got me interested in Honeypots. I was an Information Security Analyst and I’d been asked by the Head of IT what a piece of malware actually did, and what kind of threat it posed to the company, and I just didn’t know.
I thought the only way to answer that question properly, because it was bound to be asked again, was to learn to reverse engineer malware samples.

Getting malware samples

However, getting fresh, recent, live malware samples in those days wasn’t easy! The best option was to set up my own honeypot and collect samples for myself. It was also a great opportunity to learn some great new skills which I’m still using today.

Speaking to a few friends and doing lots of research, Dionaea was the best fit for my requirements as it is highly configurable and well supported. Things have moved on a great deal since then, and these days I’d recommend researching the HoneyDrive project which is several different honeypots in a pre-built ISO image.

If you want to be a bit more flexible and choose your own OS base then I’d suggest Andy Smith’s really useful honeypot setup script honeypot setup script which installs Dionaea and Kippo for you, which takes out a lot of the headache.

What kind of honeypot? High or Low interaction?

So what do honeypots do, and should you use one? Honeypots can emulate just about any server or PC based service you want them to, from a fake MySQL database to an open file share, or even a SCADA PLC. At a high level, there are two main types of honeypot, high interaction and low interaction.

High interaction honeypots are normally used to study hacks in real time, capture actions as they happen and possibly feedback bogus data, again in real time. These aren’t used too often as they normally require someone sat there waiting for a hacker to interact with it.

Low interaction honeypots are the most common. Once configured they can be left to their own devices and don’t require much or any maintenance. Typically these are configured to expose “interesting” services to entice the hacker to interact with them.

Corporate honeypots

Have you ever thought about using a honeypot in a corporate environment? If no, why not?! Taking a roughly typical corporate environment, you’ve hopefully got firewalls, locked down desktops, anti-virus installed everywhere, patched servers, maybe even an Intrusion Detection System. These might all feed into a SIEM solution which if you’ve got the time and resource, has been highly tuned and only alerts you on “real” incidents.

Great! You’ve made a great many security vendors bucket loads of money, but put yourself in this scenario… You’re a hacker, ACME company has intellectual property that you’re really interested in and you want it. You know ACME has firewalls, IDS etc. and a security team watching that SIEM like a hawk on too much coffee. You’re in no rush, you footprint ACME’s external estate and discover their email filtering and desktop anti-virus is signature based and uses the same engine. All you need to do is write a piece of malware that isn’t picked up by those signatures and convince someone to open it.

We all know that’s possible, and let’s cut this short, the hacker gets in, a small foot in the door and infects one desktop PC with a piece of persistent custom malware. But what happens next? The hacker needs to find that intellectual property he’s looking for so starts listening and slowly scanning the internal network.

The sting

Bingo, he touches your honeypot’s SSH server and file share. Alerts are triggered, investigations commence, and with any luck you’ve just prevented a loss of very important intellectual property. Yes, I’ve shortened that sequence, and yes he hit the honeypot before he hit the server with all the very important intellectual property, but you get the idea. The IDS probably isn’t going to spot a slow scan, the anti-virus has already failed, and your SIEM solution is relying on the previous two solutions to tell it there’s an issue!

Conclusion

A great reason for me suggesting that you use a honeypot is because it’s free! Yes, you and/or your team invest some time in learning how to install a honeypot, how to configure it but you also learn some great skills which are going to extremely valuable to you all, and you’ve just added a layer of protection to your network that most hackers will not spot until it’s already too late.