Analytics // Threat Intelligence
06:40 PM
Connect Directly

Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream

Free software automates the setup, management of honeypots for enterprises.

Researchers have built a free open-source honeypot software program aimed at propelling the hacker decoys into security weapons for everyday organizations.

The Modern Honey Network (MHN) software, created by the Google Ventures-backed startup ThreatStream, automates much of the process of setting up and monitoring honeypots, as well as gleaning threat intelligence from them. An API allows it to integrate with IDSes, IPSes, application-layer firewalls, SIEM, and other security tools to set up defenses against attacks it detects.

Honeypots -- basically lures posing as machines that let organizations gather intelligence and study the behaviors of attackers -- long have been a popular and valuable tool for security researchers. There are plenty of open-source honeypot tools available today, but the high maintenance and complexity of deploying and running these lures have made them unrealistic security options for most businesses.

"Honeypots have never truly taken off in the enterprise," says Greg Martin, CEO of ThreatStream, which provides a software-as-a-service threat intelligence system for large organizations like Northrop Grumman and SAIC. The goal of MHN is to simplify honeypot deployment and ultimately to make these tools a mainstream, inherent part of the security arsenal for companies in various industries.

"You can deploy 29 honeypots with the click of a button" with the open-source tool, Martin says. "With a VMware server, you can do 30 or 40."

[A staple of the computer-security toolbox for more than two decades, honeypots can provide companies with unique benefits. Read 5 Reasons Every Company Should Have A Honeypot.]

Jason Trost, senior analytics engineer with ThreatStream and formerly with the Department of Defense and Sandia National Labs, says installing and managing honeypots has been harder than it should be. That's what inspired him to lead the development of MHN, which uses several open-source honeypots, including that of Snort's sensor and honeypots Dionaea, Conpot, Shiva, and Nepenthes, as well as the MongoDB database and The Honeynet Project's Honey Map, which provides geographic visualization of attacks and malicious activity captured by honeypots.

"There are organizations that have the expertise" to use honeypots, Trost says. "But honeypots are not done in the mainstream, because they are time-consuming. I hope this [MHN] lowers the bar to do that."

The tool can be used for two basic types of honeypot setups: outside the organization to monitor Internet-wide threats and inside the organization, behind the firewall, to monitor targeted attacks or insider threats. "If you have a honeypot inside and see attacks on it, it's an amazing way to catch an APT from the inside," Martin says.

According to SANS, honeypots can help if they're deployed properly. "However, it can also cause a decrease in an organization's security by being more attractive to worms or attacks," SANS says in its honeypot guide for enterprises. "Therefore, an organization must clearly define the risks it wants to reduce with a honeypot and the requirements for accomplishing this. Then, any deployment can be tested to make sure it benefits the organization."

Deploying a "high interaction" honeypot is especially risky. The Russian researcher Alexey Sintsov learned this the hard way: He ran an experimental honeypot on the DEFCON Russia website he manages in order to counterattack and gather attacker information such as network adapter settings, trace routes, and login names. But Sintsov got more than he bargained for; he found that he had hit the desktop of an intelligence agency from a nation that was formerly part of the Soviet Union. He later uninstalled the honeypot.

But the open-source MHN is a so-called low interaction honeypot, meaning that it merely gathers information and doesn't hack back, so the risks of exposure are minimal. "Risks of honeypots are very much a misconception," Martin says. "Honeypots that make parts of your [infrastructure] look vulnerable, yes, but the benefit is having that attacker intelligence. If they see the honeypot, they are already scanning and looking. That intel outweighs any risks you're introducing by making you look vulnerable."

Plus, honeypots are hardened by design, he says.

MHN, meanwhile, can be used with a little crowdsourcing, too. "We've created a public server that pulls together intelligence [the systems gather], and you have the option to crowdsource the information," Martin says. ThreatStream ultimately plans to share attack trends publicly: which countries are hosting the attacks and where DDoS attacks are occurring, for instance. "You can create a huge cyber weather map."

The free honeypot tool is available here for download.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Brian Kellogg
Brian Kellogg,
User Rank: Apprentice
9/23/2014 | 10:25:13 PM
Re: ENISA and Digital Traps via Honeypots
I have to say that I'm not sure why some say honey pots pose too much of a risk to your network.  In large enough businesses you will be forced to try and protect antiquated software with unpatched vulnerabilities until such a time the business can migrate off of that software.  Vulnerabilities will always exist and a Honey Pot will help in identifying the threats on your internal network.  I think one thing we've learned over the last few years is that we can't trust our own internal networks.  Permimeter security just isn't as important as it used to be.  Getting behind the FW/IDS or whatever is a seemingly trivial hurdle for APTs.  Honey pots are a key part of the detection/identification part of a defense in depth security program IMHO.
User Rank: Apprentice
6/25/2014 | 3:24:48 AM
Honeypot as a tool to identify and find the malware
In many cases you already have infected assets inside your organization and there are not many good tools that can find these infected assets.

A good Honeypot will halp you find the infected assets. Whether you take the attacker to court or not is another subject, but first you want to protect yourself and find the infected asset.

Robert McDougal
Robert McDougal,
User Rank: Ninja
6/22/2014 | 1:27:59 PM
Re: Honeypots: High risk, High cost.
I second this notion.  Honeypots should only be deployed in a VLAN completely segregated from all other production or for that matter non-production environments.  
User Rank: Moderator
6/21/2014 | 2:34:16 PM
Honeypots: High risk, High cost.
It is a very bad idea and not common practice to deploy honeypots in a production enviroment. Honeypots are great for obtaining intelligence on what types of attacks vectors are being utilized against an infrastructure by simulating vulnerabilities in a system. However, placing a honeypot on a production network can and will expose you to more risk. More risk than just attracting attention from hackers, worms, the NSA, etc. Just because the system is simulating known vulnerabilities does not mean the honeypot or system hosting the honeypot is not actually vulnerable itself. I know it's a double negative. But the fact of the matter is that honeypots CAN be compromised by REAL vulnerabilities and used against your company to aid in further attacks or breach of data.

Yes there are many opensource and free honeypots out there but keep in mind the high cost operating, maintaining, and hosting of the honeypot network. Honeypots can and will be broken. Remember, you are just asking to be attacked so in no way should this be operating within the same subnet of your ISP. Plan on paying for 2 seperate ISPs.

Randy Naramore
Randy Naramore,
User Rank: Ninja
6/20/2014 | 3:50:17 PM
Re: Low risk , no cost
Very Good for the bottom line and in today's climate that is all that really matters.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/20/2014 | 1:07:46 PM
Low risk , no cost
This tool sounds like a perfect combination for  budget-strapped security teams!
Randy Naramore
Randy Naramore,
User Rank: Ninja
6/20/2014 | 11:17:57 AM
Re: ENISA and Digital Traps via Honeypots
If done correctly, honeypots are a very useful tool to gather information about attackers. Malware is often left on them, this can be useful in determining how attacks will happen in the future.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/20/2014 | 7:20:26 AM
Re: ENISA and Digital Traps via Honeypots
Between 2003 and roughly 2008 honeypots were the topic of many legal arguments whether someone implementing the technology could actually be prosecuted for using it, or be sued by a hacker caught in the trap.  The debate still rages, but it was particularly hot in the early days since 9/11 was a recent event and many laws were bending and shifting.

When the FBI or a similar agency uses honeypots, it's OK (see United States v. Ivanov), but be careful if you are a private business or an everyday citizen.  After all, it can be entrapment and a violation of privacy, technically.  I'd review SANS resources for recommendations on avoiding prosecution, which include anything from proper banner setup on systems to documentation, and proving your honeypot is a closed loop, preventing hackers from jumping off from there to other systems.

In other words, when you shoot the intruder, make sure you can justify the trail of jewelry that went up your lawn and through the open door (or minimally secured) to your house... 
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/20/2014 | 6:43:50 AM
Re: ENISA and Digital Traps via Honeypots
Honeypots have been around for a long time. It will be interesting to see if they indeed become a more common tool for enterprises (mainly large ones, of course). As researchers have found and demonstrated over the years, you can glean a lot of powerful information about attackers/attacks from a honeypot.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/19/2014 | 11:54:50 PM
ENISA and Digital Traps via Honeypots
A couple years ago ENISA had a great report about how to use honeypots as digital traps for cyber criminals.

The Executive Director of ENISA Professor Udo Helmbrecht commented:

"Honeypots offer a powerful tool for CERTs to gather threat intelligence without any impact on the production infrastructure. Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT's constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics. Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies' assets."

I like how they think...
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/ in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.