Vulnerabilities / Threats
4/26/2013
03:06 PM
50%
50%

Tech Insight: Time To Set Up That Honeypot

A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats

Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what's going on within their internal networks.

There is a gross lack of situational awareness with a clear lack of being able to quickly know whether an attack is under way and to assess whether that attack was successful. The recent Verizon Data Breach Investigation Report (DBIR) provides excellent insight here, finding that most victim organizations don't discover that they've been breached for months and even years after the fact. And nearly 70 percent of them are alerted to the breach by a third party.

Where is the network security monitoring and log analysis that should be alerting these businesses? Kevin Johnson, CEO of Secure Ideas, said in a post, "Current security technologies are beginning to show significant strain. It seems as though the current defensive technologies…are not slowing the current generation of advanced threats."

With defensive security solutions not able to keep up with current threats, enterprises need to develop better detection methods -- using a combination of traditional network security monitoring (NSM) and recent advancements in honeypot and active defense tools.

NSM is a field that is reaching a relatively mature state due to the attention and recognition of its value over the past several years. If you're not sure what NSM is, then check out the Applied NSM blog and upcoming book by Chris Sanders from InGuardians for more information.

What about honeypots and all the talk surrounding active defense? Honeypots are, in the most simplistic terms, systems that are designed to be attacked. There are many different variations of honeypots and what services they offer (i.e. HTTP, SMTP, SSH, etc.). They also vary in the level of management, or interaction, that they require, but the common theme is that they are there to be attacked so the person running the honeypot can get better insight into what the attackers are doing.

Active defense takes the idea of honeypots further by attempting to operationalize them so that attacks can be identified quickly and security teams can respond quickly. Essentially, the honeypots become early warning detection systems that identify attacks that traditional defense systems might miss.

There are two problems, however, with honeypots and active defense that has given them a bad rap. The first is that honeypots are often seen as a waste of time because there has never been an easy way to integrate them into enterprise environment and truly leverage their attack detection capabilities.

Second, active defense -- while helping to realize the true value of honeypots -- is often confused with hacking back (or attacking the attacker) because of articles that focus more on active defense practices that attempt to confuse, annoy, and even exploit flaws in the tools used by attackers.

Thanks to a resurgence in honeypot interest, there are new projects that make it much easier for security professionals to deploy honeypots and leverage them within their existing security infrastructure. Artillery, from TrustedSec, is an excellent example. It can be deployed on a standalone system or an existing server. Once deployed, it listens on commonly attacked network ports. Any attempted attacks are blocked and reported. Additionally, it gets data from the TrustedSec intelligence feed and will block connections from previously identified attackers.

Project Nova is another newer honeypot project that took the very popular, but no longer developed, honeyd, and updated and enhanced it, created a dashboard and wrapper around honeyd, and made it easy to deploy many honeypots at one time -- all from the same host. Those honeypots can be made to look similar to existing systems on the network and act as decoys to the real systems. A machine learning algorithm helps determine whether systems are hostile or benign, and alert appropriately.

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.

In addition to the traditional honeypot solutions that are simply designed to be attacked, ADHD includes active defense tools that intend to slow down attackers and allow for detection, or to annoy them to where they're more likely to make a mistake and get caught. Just be sure you've considered the consequences of what annoying an attacker could lead to; an angry attacker may quickly become a maliciously destructive attacker causing massive system failures and data loss.

The important thing to remember is that the solution you select needs to have its logs and alerting output added as sources to the existing SIEM or log analysis system. This will provide the notifications and bring back around the aspect of using honeypots as an early warning system. ADHD is a good choice to get started with because it contains a large number of tools and today saw the newest version, 0.5.0, uploaded to SourceForge.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jonathan Cramer
50%
50%
Jonathan Cramer,
User Rank: Apprentice
4/29/2013 | 2:46:09 PM
re: Tech Insight: Time To Set Up That Honeypot
If your honeypot is capable of attacking other systems, then you're doing it wrong.

As for hardening, that's a great idea in theory but it only goes so far. Honeypots are cheap and easy to deploy.

You should definitely read through the link that Lukas included to learn more about what honeypots really are.
Todd Bell
50%
50%
Todd Bell,
User Rank: Apprentice
4/29/2013 | 2:02:54 PM
re: Tech Insight: Time To Set Up That Honeypot
I am not fan for Honeypots for a couple reasons. One the legal ramifications if a Honeypot is used to attack another system, and two, I strongly feel the time & resources spent should be used to harden the existing infrastructure.
Lukas Rist
50%
50%
Lukas Rist,
User Rank: Apprentice
4/29/2013 | 9:24:15 AM
re: Tech Insight: Time To Set Up That Honeypot
Must read before writing about honeypots: http://www.enisa.europa.eu/act...
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.