Vulnerabilities / Threats
4/26/2013
03:06 PM
Tech Insight: Time To Set Up That Honeypot

A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats

Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what's going on within their internal networks.

Situational awareness is grossly lacking: most organizations cannot quickly tell whether an attack is under way, let alone assess whether it succeeded. The recent Verizon Data Breach Investigations Report (DBIR) provides excellent insight here, finding that most victim organizations do not discover a breach until months or even years after the fact, and that nearly 70 percent of them learn of it from a third party.

Where is the network security monitoring and log analysis that should be alerting these businesses? Kevin Johnson, CEO of Secure Ideas, said in a post, "Current security technologies are beginning to show significant strain. It seems as though the current defensive technologies…are not slowing the current generation of advanced threats."

With defensive security solutions not able to keep up with current threats, enterprises need to develop better detection methods -- using a combination of traditional network security monitoring (NSM) and recent advancements in honeypot and active defense tools.

NSM is a field that is reaching a relatively mature state due to the attention and recognition of its value over the past several years. If you're not sure what NSM is, then check out the Applied NSM blog and upcoming book by Chris Sanders from InGuardians for more information.

What about honeypots and all the talk surrounding active defense? Honeypots are, in the most simplistic terms, systems that are designed to be attacked. They vary in the services they offer (e.g., HTTP, SMTP, SSH) and in their level of interaction, from low-interaction emulations of a service to high-interaction full systems, which in turn determines how much management they require. The common theme is that they exist to be attacked so that whoever runs the honeypot gains insight into what attackers are doing.

Active defense takes the idea of honeypots further by attempting to operationalize them so that attacks can be identified quickly and security teams can respond quickly. Essentially, the honeypots become early warning detection systems that identify attacks that traditional defense systems might miss.

There are, however, two problems with honeypots and active defense that have given them a bad rap. The first is that honeypots are often seen as a waste of time because there has never been an easy way to integrate them into an enterprise environment and truly leverage their attack detection capabilities.

Second, active defense -- while helping to realize the true value of honeypots -- is often confused with hacking back (or attacking the attacker) because of articles that focus more on active defense practices that attempt to confuse, annoy, and even exploit flaws in the tools used by attackers.

Thanks to a resurgence in honeypot interest, there are new projects that make it much easier for security professionals to deploy honeypots and leverage them within their existing security infrastructure. Artillery, from TrustedSec, is an excellent example. It can be deployed on a standalone system or on an existing server. Once deployed, it listens on commonly attacked network ports; any connection to one of them is treated as an attack, so the source is blocked and the event is reported. Additionally, it pulls the TrustedSec intelligence feed and blocks connections from previously identified attackers.

Project Nova is another newer honeypot project. It took the very popular, but no longer developed, honeyd, updated and enhanced it, wrapped it in a dashboard, and made it easy to deploy many honeypots at once, all from the same host. Those honeypots can be made to resemble existing systems on the network and act as decoys for the real ones. A machine learning classifier helps determine whether the hosts touching them are hostile or benign, and alerts accordingly.

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO containing the two tools above and many others focused specifically on early warning of attacker activity. Several of them do nothing but alert, and that is enough: no legitimate system has any reason to talk to a honeypot, so every packet it receives can be treated as potentially malicious.

In addition to traditional honeypots that are simply designed to be attacked, ADHD includes active defense tools that slow attackers down to buy time for detection, or annoy them to the point where they are more likely to make a mistake and get caught. Just be sure you have considered the consequences of annoying an attacker: an angry attacker can quickly become a maliciously destructive one, causing massive system failures and data loss.

The important thing to remember is that whatever solution you select, its logs and alert output must be added as sources to your existing SIEM or log analysis system. That is what turns a honeypot hit into a notification and makes the honeypot the early warning system it is meant to be. ADHD is a good choice for getting started because it contains a large number of tools, and its newest version, 0.5.0, was uploaded to SourceForge today.
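The detection loop that the Artillery and SIEM paragraphs describe, reduced to its essentials as an added illustration (this is not Artillery's, Nova's or ADHD's code): listen on a handful of decoy ports that nothing legitimate should touch, treat every connection as an alert, render it as a syslog line a SIEM collector can ingest, and recommend a firewall block once a source has hit enough decoys. The port list, the three-hit threshold, the sensor hostname "honeypot01", the PRI value and the sample hits are assumptions chosen for the example.

```python
"""Decoy-port listener that turns every hit into a SIEM alert (added example)."""
import json
import socket
import threading
import time
from collections import defaultdict

# Assumed decoy set: ports nothing legitimate should have open on this host.
DECOY_PORTS = (21, 22, 23, 445, 1433, 3306, 3389)

def make_alert(src_ip, src_port, dst_port, first_bytes, ts=None):
    """One hit as a structured record. Every hit is suspicious by definition; the
    only grading is whether the peer sent a payload (probe) or just connected (scan)."""
    return {
        "ts": time.time() if ts is None else ts,
        "sensor": "honeypot",
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "bytes": len(first_bytes),
        "sample": first_bytes[:64].decode("latin-1"),
        "severity": "high" if first_bytes else "medium",
    }

def to_syslog(alert, host="honeypot01"):
    """RFC 5424-style line; PRI 131 = facility local0 (16*8) + severity error (3)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(alert["ts"]))
    return "<131>1 %s %s honeypot - HIT %s" % (stamp, host, json.dumps(alert, sort_keys=True))

def block_rule(ip):
    """Firewall command an operator (or automation) runs once a source is confirmed hostile."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

class HitTracker:
    """Per-source counter: alert on the first hit, recommend a block after block_after."""
    def __init__(self, block_after=3):
        self.block_after = block_after
        self.hits = defaultdict(list)
        self.blocked = set()

    def record(self, alert):
        ip = alert["src_ip"]
        self.hits[ip].append(alert["dst_port"])
        if ip not in self.blocked and len(self.hits[ip]) >= self.block_after:
            self.blocked.add(ip)
            return True
        return False

def process_hit(src_ip, src_port, dst_port, data, tracker, emit, ts=None):
    """Shared pipeline for live connections and replayed samples."""
    alert = make_alert(src_ip, src_port, dst_port, data, ts)
    emit(to_syslog(alert))
    if tracker.record(alert):
        emit("BLOCK " + " ".join(block_rule(src_ip)))
    return alert

def handle(conn, addr, dst_port, tracker, emit):
    """Read at most one short payload, then close; never impersonate a real service."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(256)
    except socket.timeout:
        data = b""
    finally:
        conn.close()
    return process_hit(addr[0], addr[1], dst_port, data, tracker, emit)

def listen(port, tracker, emit):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    while True:
        conn, addr = s.accept()
        threading.Thread(target=handle, args=(conn, addr, port, tracker, emit), daemon=True).start()

# Constructed sample hits (src_ip, src_port, dst_port, payload, ts): one scanner touching
# three decoy ports, and one source sending a short binary probe to the MSSQL decoy.
SAMPLE_HITS = [
    ("198.51.100.7", 51001, 22, b"", 1366990000),
    ("203.0.113.5", 40210, 1433, b"\x12\x01\x00\x2f", 1366990001),
    ("198.51.100.7", 51002, 445, b"", 1366990002),
    ("198.51.100.7", 51003, 3389, b"", 1366990003),
]

def replay(samples=SAMPLE_HITS, block_after=3):
    """Run the pipeline over recorded hits without opening sockets."""
    tracker = HitTracker(block_after)
    lines = []
    for src_ip, src_port, dst_port, data, ts in samples:
        process_hit(src_ip, src_port, dst_port, data, tracker, lines.append, ts)
    return lines, tracker

if __name__ == "__main__":
    shared = HitTracker()
    for p in DECOY_PORTS:  # ports below 1024 need root (or CAP_NET_BIND_SERVICE)
        threading.Thread(target=listen, args=(p, shared, print), daemon=True).start()
    threading.Event().wait()
```

Run it as root (or with high ports substituted) and point the printed syslog lines at your collector; `replay()` exercises the same pipeline on the constructed hits without binding anything. The block command is returned rather than executed, so the decision to automate blocking, and how that interacts with spoofed sources or shared NAT addresses, stays with the operator, which is the operationalizing step the article says honeypots have historically lacked.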


Comments
Jonathan Cramer (User Rank: Apprentice), 4/29/2013 2:46:09 PM, re: Tech Insight: Time To Set Up That Honeypot
If your honeypot is capable of attacking other systems, then you're doing it wrong.

As for hardening, that's a great idea in theory but it only goes so far. Honeypots are cheap and easy to deploy.

You should definitely read through the link that Lukas included to learn more about what honeypots really are.
Todd Bell (User Rank: Apprentice), 4/29/2013 2:02:54 PM, re: Tech Insight: Time To Set Up That Honeypot
I am not a fan of honeypots for a couple of reasons. One, the legal ramifications if a honeypot is used to attack another system, and two, I strongly feel the time and resources spent should be used to harden the existing infrastructure.
Lukas Rist (User Rank: Apprentice), 4/29/2013 9:24:15 AM, re: Tech Insight: Time To Set Up That Honeypot
Must read before writing about honeypots: http://www.enisa.europa.eu/act...