Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/19/2014
06:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream

Free software automates the setup, management of honeypots for enterprises.

Researchers have built a free open-source honeypot software program aimed at propelling the hacker decoys into security weapons for everyday organizations.

The Modern Honey Network (MHN) software, created by the Google Ventures-backed startup ThreatStream, automates much of the process of setting up and monitoring honeypots, as well as gleaning threat intelligence from them. An API allows it to integrate with IDSes, IPSes, application-layer firewalls, SIEM, and other security tools to set up defenses against attacks it detects.

Honeypots -- basically lures posing as machines that let organizations gather intelligence and study the behaviors of attackers -- long have been a popular and valuable tool for security researchers. There are plenty of open-source honeypot tools available today, but the high maintenance and complexity of deploying and running these lures have made them unrealistic security options for most businesses.

"Honeypots have never truly taken off in the enterprise," says Greg Martin, CEO of ThreatStream, which provides a software-as-a-service threat intelligence system for large organizations like Northrop Grumman and SAIC. The goal of MHN is to simplify honeypot deployment and ultimately to make these tools a mainstream, inherent part of the security arsenal for companies in various industries.

"You can deploy 29 honeypots with the click of a button" with the open-source tool, Martin says. "With a VMware server, you can do 30 or 40."

[A staple of the computer-security toolbox for more than two decades, honeypots can provide companies with unique benefits. Read 5 Reasons Every Company Should Have A Honeypot.]

Jason Trost, senior analytics engineer with ThreatStream and formerly with the Department of Defense and Sandia National Labs, says installing and managing honeypots has been harder than it should be. That's what inspired him to lead the development of MHN, which uses several open-source honeypots, including that of Snort's sensor and honeypots Dionaea, Conpot, Shiva, and Nepenthes, as well as the MongoDB database and The Honeynet Project's Honey Map, which provides geographic visualization of attacks and malicious activity captured by honeypots.

"There are organizations that have the expertise" to use honeypots, Trost says. "But honeypots are not done in the mainstream, because they are time-consuming. I hope this [MHN] lowers the bar to do that."

The tool can be used for two basic types of honeypot setups: outside the organization to monitor Internet-wide threats and inside the organization, behind the firewall, to monitor targeted attacks or insider threats. "If you have a honeypot inside and see attacks on it, it's an amazing way to catch an APT from the inside," Martin says.

According to SANS, honeypots can help if they're deployed properly. "However, it can also cause a decrease in an organization's security by being more attractive to worms or attacks," SANS says in its honeypot guide for enterprises. "Therefore, an organization must clearly define the risks it wants to reduce with a honeypot and the requirements for accomplishing this. Then, any deployment can be tested to make sure it benefits the organization."

Deploying a "high interaction" honeypot is especially risky. The Russian researcher Alexey Sintsov learned this the hard way: He ran an experimental honeypot on the DEFCON Russia website he manages in order to counterattack and gather attacker information such as network adapter settings, trace routes, and login names. But Sintsov got more than he bargained for; he found that he had hit the desktop of an intelligence agency from a nation that was formerly part of the Soviet Union. He later uninstalled the honeypot.

But the open-source MHN is a so-called low interaction honeypot, meaning that it merely gathers information and doesn't hack back, so the risks of exposure are minimal. "Risks of honeypots are very much a misconception," Martin says. "Honeypots that make parts of your [infrastructure] look vulnerable, yes, but the benefit is having that attacker intelligence. If they see the honeypot, they are already scanning and looking. That intel outweighs any risks you're introducing by making you look vulnerable."

Plus, honeypots are hardened by design, he says.

MHN, meanwhile, can be used with a little crowdsourcing, too. "We've created a public server that pulls together intelligence [the systems gather], and you have the option to crowdsource the information," Martin says. ThreatStream ultimately plans to share attack trends publicly: which countries are hosting the attacks and where DDoS attacks are occurring, for instance. "You can create a huge cyber weather map."

The free honeypot tool is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Brian Kellogg
50%
50%
Brian Kellogg,
User Rank: Apprentice
9/23/2014 | 10:25:13 PM
Re: ENISA and Digital Traps via Honeypots
I have to say that I'm not sure why some say honey pots pose too much of a risk to your network.  In large enough businesses you will be forced to try and protect antiquated software with unpatched vulnerabilities until such a time the business can migrate off of that software.  Vulnerabilities will always exist and a Honey Pot will help in identifying the threats on your internal network.  I think one thing we've learned over the last few years is that we can't trust our own internal networks.  Permimeter security just isn't as important as it used to be.  Getting behind the FW/IDS or whatever is a seemingly trivial hurdle for APTs.  Honey pots are a key part of the detection/identification part of a defense in depth security program IMHO.
kd10
50%
50%
kd10,
User Rank: Apprentice
6/25/2014 | 3:24:48 AM
Honeypot as a tool to identify and find the malware
In many cases you already have infected assets inside your organization and there are not many good tools that can find these infected assets.

A good Honeypot will halp you find the infected assets. Whether you take the attacker to court or not is another subject, but first you want to protect yourself and find the infected asset.

Check www.topspinsec.com. 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/22/2014 | 1:27:59 PM
Re: Honeypots: High risk, High cost.
I second this notion.  Honeypots should only be deployed in a VLAN completely segregated from all other production or for that matter non-production environments.  
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/21/2014 | 2:34:16 PM
Honeypots: High risk, High cost.
It is a very bad idea and not common practice to deploy honeypots in a production enviroment. Honeypots are great for obtaining intelligence on what types of attacks vectors are being utilized against an infrastructure by simulating vulnerabilities in a system. However, placing a honeypot on a production network can and will expose you to more risk. More risk than just attracting attention from hackers, worms, the NSA, etc. Just because the system is simulating known vulnerabilities does not mean the honeypot or system hosting the honeypot is not actually vulnerable itself. I know it's a double negative. But the fact of the matter is that honeypots CAN be compromised by REAL vulnerabilities and used against your company to aid in further attacks or breach of data.

Yes there are many opensource and free honeypots out there but keep in mind the high cost operating, maintaining, and hosting of the honeypot network. Honeypots can and will be broken. Remember, you are just asking to be attacked so in no way should this be operating within the same subnet of your ISP. Plan on paying for 2 seperate ISPs.

 
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
6/20/2014 | 3:50:17 PM
Re: Low risk , no cost
Very Good for the bottom line and in today's climate that is all that really matters.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/20/2014 | 1:07:46 PM
Low risk , no cost
This tool sounds like a perfect combination for  budget-strapped security teams!
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/20/2014 | 11:17:57 AM
Re: ENISA and Digital Traps via Honeypots
If done correctly, honeypots are a very useful tool to gather information about attackers. Malware is often left on them, this can be useful in determining how attacks will happen in the future.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/20/2014 | 7:20:26 AM
Re: ENISA and Digital Traps via Honeypots
Between 2003 and roughly 2008 honeypots were the topic of many legal arguments whether someone implementing the technology could actually be prosecuted for using it, or be sued by a hacker caught in the trap.  The debate still rages, but it was particularly hot in the early days since 9/11 was a recent event and many laws were bending and shifting.

When the FBI or a similar agency uses honeypots, it's OK (see United States v. Ivanov), but be careful if you are a private business or an everyday citizen.  After all, it can be entrapment and a violation of privacy, technically.  I'd review SANS resources for recommendations on avoiding prosecution, which include anything from proper banner setup on systems to documentation, and proving your honeypot is a closed loop, preventing hackers from jumping off from there to other systems.

In other words, when you shoot the intruder, make sure you can justify the trail of jewelry that went up your lawn and through the open door (or minimally secured) to your house... 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/20/2014 | 6:43:50 AM
Re: ENISA and Digital Traps via Honeypots
Honeypots have been around for a long time. It will be interesting to see if they indeed become a more common tool for enterprises (mainly large ones, of course). As researchers have found and demonstrated over the years, you can glean a lot of powerful information about attackers/attacks from a honeypot.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/19/2014 | 11:54:50 PM
ENISA and Digital Traps via Honeypots
A couple years ago ENISA had a great report about how to use honeypots as digital traps for cyber criminals.

The Executive Director of ENISA Professor Udo Helmbrecht commented:

"Honeypots offer a powerful tool for CERTs to gather threat intelligence without any impact on the production infrastructure. Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT's constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics. Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies' assets."

I like how they think...
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.