Analytics // Threat Intelligence
6/19/2014
06:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream

Free software automates the setup, management of honeypots for enterprises.

Researchers have built a free open-source honeypot software program aimed at propelling the hacker decoys into security weapons for everyday organizations.

The Modern Honey Network (MHN) software, created by the Google Ventures-backed startup ThreatStream, automates much of the process of setting up and monitoring honeypots, as well as gleaning threat intelligence from them. An API allows it to integrate with IDSes, IPSes, application-layer firewalls, SIEM, and other security tools to set up defenses against attacks it detects.

Honeypots -- basically lures posing as machines that let organizations gather intelligence and study the behaviors of attackers -- long have been a popular and valuable tool for security researchers. There are plenty of open-source honeypot tools available today, but the high maintenance and complexity of deploying and running these lures have made them unrealistic security options for most businesses.

"Honeypots have never truly taken off in the enterprise," says Greg Martin, CEO of ThreatStream, which provides a software-as-a-service threat intelligence system for large organizations like Northrop Grumman and SAIC. The goal of MHN is to simplify honeypot deployment and ultimately to make these tools a mainstream, inherent part of the security arsenal for companies in various industries.

"You can deploy 29 honeypots with the click of a button" with the open-source tool, Martin says. "With a VMware server, you can do 30 or 40."

[A staple of the computer-security toolbox for more than two decades, honeypots can provide companies with unique benefits. Read 5 Reasons Every Company Should Have A Honeypot.]

Jason Trost, senior analytics engineer with ThreatStream and formerly with the Department of Defense and Sandia National Labs, says installing and managing honeypots has been harder than it should be. That's what inspired him to lead the development of MHN, which uses several open-source honeypots, including that of Snort's sensor and honeypots Dionaea, Conpot, Shiva, and Nepenthes, as well as the MongoDB database and The Honeynet Project's Honey Map, which provides geographic visualization of attacks and malicious activity captured by honeypots.

"There are organizations that have the expertise" to use honeypots, Trost says. "But honeypots are not done in the mainstream, because they are time-consuming. I hope this [MHN] lowers the bar to do that."

The tool can be used for two basic types of honeypot setups: outside the organization to monitor Internet-wide threats and inside the organization, behind the firewall, to monitor targeted attacks or insider threats. "If you have a honeypot inside and see attacks on it, it's an amazing way to catch an APT from the inside," Martin says.

According to SANS, honeypots can help if they're deployed properly. "However, it can also cause a decrease in an organization's security by being more attractive to worms or attacks," SANS says in its honeypot guide for enterprises. "Therefore, an organization must clearly define the risks it wants to reduce with a honeypot and the requirements for accomplishing this. Then, any deployment can be tested to make sure it benefits the organization."

Deploying a "high interaction" honeypot is especially risky. The Russian researcher Alexey Sintsov learned this the hard way: He ran an experimental honeypot on the DEFCON Russia website he manages in order to counterattack and gather attacker information such as network adapter settings, trace routes, and login names. But Sintsov got more than he bargained for; he found that he had hit the desktop of an intelligence agency from a nation that was formerly part of the Soviet Union. He later uninstalled the honeypot.

But the open-source MHN is a so-called low interaction honeypot, meaning that it merely gathers information and doesn't hack back, so the risks of exposure are minimal. "Risks of honeypots are very much a misconception," Martin says. "Honeypots that make parts of your [infrastructure] look vulnerable, yes, but the benefit is having that attacker intelligence. If they see the honeypot, they are already scanning and looking. That intel outweighs any risks you're introducing by making you look vulnerable."

Plus, honeypots are hardened by design, he says.

MHN, meanwhile, can be used with a little crowdsourcing, too. "We've created a public server that pulls together intelligence [the systems gather], and you have the option to crowdsource the information," Martin says. ThreatStream ultimately plans to share attack trends publicly: which countries are hosting the attacks and where DDoS attacks are occurring, for instance. "You can create a huge cyber weather map."

The free honeypot tool is available here for download.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kd10
50%
50%
kd10,
User Rank: Apprentice
6/25/2014 | 3:24:48 AM
Honeypot as a tool to identify and find the malware
In many cases you already have infected assets inside your organization and there are not many good tools that can find these infected assets.

A good Honeypot will halp you find the infected assets. Whether you take the attacker to court or not is another subject, but first you want to protect yourself and find the infected asset.

Check www.topspinsec.com. 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/22/2014 | 1:27:59 PM
Re: Honeypots: High risk, High cost.
I second this notion.  Honeypots should only be deployed in a VLAN completely segregated from all other production or for that matter non-production environments.  
theb0x
50%
50%
theb0x,
User Rank: Moderator
6/21/2014 | 2:34:16 PM
Honeypots: High risk, High cost.
It is a very bad idea and not common practice to deploy honeypots in a production enviroment. Honeypots are great for obtaining intelligence on what types of attacks vectors are being utilized against an infrastructure by simulating vulnerabilities in a system. However, placing a honeypot on a production network can and will expose you to more risk. More risk than just attracting attention from hackers, worms, the NSA, etc. Just because the system is simulating known vulnerabilities does not mean the honeypot or system hosting the honeypot is not actually vulnerable itself. I know it's a double negative. But the fact of the matter is that honeypots CAN be compromised by REAL vulnerabilities and used against your company to aid in further attacks or breach of data.

Yes there are many opensource and free honeypots out there but keep in mind the high cost operating, maintaining, and hosting of the honeypot network. Honeypots can and will be broken. Remember, you are just asking to be attacked so in no way should this be operating within the same subnet of your ISP. Plan on paying for 2 seperate ISPs.

 
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
6/20/2014 | 3:50:17 PM
Re: Low risk , no cost
Very Good for the bottom line and in today's climate that is all that really matters.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/20/2014 | 1:07:46 PM
Low risk , no cost
This tool sounds like a perfect combination for  budget-strapped security teams!
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/20/2014 | 11:17:57 AM
Re: ENISA and Digital Traps via Honeypots
If done correctly, honeypots are a very useful tool to gather information about attackers. Malware is often left on them, this can be useful in determining how attacks will happen in the future.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/20/2014 | 7:20:26 AM
Re: ENISA and Digital Traps via Honeypots
Between 2003 and roughly 2008 honeypots were the topic of many legal arguments whether someone implementing the technology could actually be prosecuted for using it, or be sued by a hacker caught in the trap.  The debate still rages, but it was particularly hot in the early days since 9/11 was a recent event and many laws were bending and shifting.

When the FBI or a similar agency uses honeypots, it's OK (see United States v. Ivanov), but be careful if you are a private business or an everyday citizen.  After all, it can be entrapment and a violation of privacy, technically.  I'd review SANS resources for recommendations on avoiding prosecution, which include anything from proper banner setup on systems to documentation, and proving your honeypot is a closed loop, preventing hackers from jumping off from there to other systems.

In other words, when you shoot the intruder, make sure you can justify the trail of jewelry that went up your lawn and through the open door (or minimally secured) to your house... 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/20/2014 | 6:43:50 AM
Re: ENISA and Digital Traps via Honeypots
Honeypots have been around for a long time. It will be interesting to see if they indeed become a more common tool for enterprises (mainly large ones, of course). As researchers have found and demonstrated over the years, you can glean a lot of powerful information about attackers/attacks from a honeypot.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/19/2014 | 11:54:50 PM
ENISA and Digital Traps via Honeypots
A couple years ago ENISA had a great report about how to use honeypots as digital traps for cyber criminals.

The Executive Director of ENISA Professor Udo Helmbrecht commented:

"Honeypots offer a powerful tool for CERTs to gather threat intelligence without any impact on the production infrastructure. Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT's constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics. Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies' assets."

I like how they think...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.