Vulnerabilities / Threats

Tech Insight: Time To Set Up That Honeypot

A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats

Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what's going on within their internal networks.

There is a gross lack of situational awareness with a clear lack of being able to quickly know whether an attack is under way and to assess whether that attack was successful. The recent Verizon Data Breach Investigation Report (DBIR) provides excellent insight here, finding that most victim organizations don't discover that they've been breached for months and even years after the fact. And nearly 70 percent of them are alerted to the breach by a third party.

Where is the network security monitoring and log analysis that should be alerting these businesses? Kevin Johnson, CEO of Secure Ideas, said in a post, "Current security technologies are beginning to show significant strain. It seems as though the current defensive technologies…are not slowing the current generation of advanced threats."

With defensive security solutions not able to keep up with current threats, enterprises need to develop better detection methods -- using a combination of traditional network security monitoring (NSM) and recent advancements in honeypot and active defense tools.

NSM is a field that is reaching a relatively mature state due to the attention and recognition of its value over the past several years. If you're not sure what NSM is, then check out the Applied NSM blog and upcoming book by Chris Sanders from InGuardians for more information.

What about honeypots and all the talk surrounding active defense? Honeypots are, in the most simplistic terms, systems that are designed to be attacked. There are many different variations of honeypots and what services they offer (i.e. HTTP, SMTP, SSH, etc.). They also vary in the level of management, or interaction, that they require, but the common theme is that they are there to be attacked so the person running the honeypot can get better insight into what the attackers are doing.

Active defense takes the idea of honeypots further by attempting to operationalize them so that attacks can be identified quickly and security teams can respond quickly. Essentially, the honeypots become early warning detection systems that identify attacks that traditional defense systems might miss.

There are two problems, however, with honeypots and active defense that has given them a bad rap. The first is that honeypots are often seen as a waste of time because there has never been an easy way to integrate them into enterprise environment and truly leverage their attack detection capabilities.

Second, active defense -- while helping to realize the true value of honeypots -- is often confused with hacking back (or attacking the attacker) because of articles that focus more on active defense practices that attempt to confuse, annoy, and even exploit flaws in the tools used by attackers.

Thanks to a resurgence in honeypot interest, there are new projects that make it much easier for security professionals to deploy honeypots and leverage them within their existing security infrastructure. Artillery, from TrustedSec, is an excellent example. It can be deployed on a standalone system or an existing server. Once deployed, it listens on commonly attacked network ports. Any attempted attacks are blocked and reported. Additionally, it gets data from the TrustedSec intelligence feed and will block connections from previously identified attackers.

Project Nova is another newer honeypot project that took the very popular, but no longer developed, honeyd, and updated and enhanced it, created a dashboard and wrapper around honeyd, and made it easy to deploy many honeypots at one time -- all from the same host. Those honeypots can be made to look similar to existing systems on the network and act as decoys to the real systems. A machine learning algorithm helps determine whether systems are hostile or benign, and alert appropriately.

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.

In addition to the traditional honeypot solutions that are simply designed to be attacked, ADHD includes active defense tools that intend to slow down attackers and allow for detection, or to annoy them to where they're more likely to make a mistake and get caught. Just be sure you've considered the consequences of what annoying an attacker could lead to; an angry attacker may quickly become a maliciously destructive attacker causing massive system failures and data loss.

The important thing to remember is that the solution you select needs to have its logs and alerting output added as sources to the existing SIEM or log analysis system. This will provide the notifications and bring back around the aspect of using honeypots as an early warning system. ADHD is a good choice to get started with because it contains a large number of tools and today saw the newest version, 0.5.0, uploaded to SourceForge.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Jonathan Cramer
Jonathan Cramer,
User Rank: Apprentice
4/29/2013 | 2:46:09 PM
re: Tech Insight: Time To Set Up That Honeypot
If your honeypot is capable of attacking other systems, then you're doing it wrong.

As for hardening, that's a great idea in theory but it only goes so far. Honeypots are cheap and easy to deploy.

You should definitely read through the link that Lukas included to learn more about what honeypots really are.
Todd Bell
Todd Bell,
User Rank: Apprentice
4/29/2013 | 2:02:54 PM
re: Tech Insight: Time To Set Up That Honeypot
I am not fan for Honeypots for a couple reasons. One the legal ramifications if a Honeypot is used to attack another system, and two, I strongly feel the time & resources spent should be used to harden the existing infrastructure.
Lukas Rist
Lukas Rist,
User Rank: Apprentice
4/29/2013 | 9:24:15 AM
re: Tech Insight: Time To Set Up That Honeypot
Must read before writing about honeypots:
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.