Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream
Oldest First  |  Newest First  |  Threaded View
RetiredUser
RetiredUser,
User Rank: Ninja
6/19/2014 | 11:54:50 PM
ENISA and Digital Traps via Honeypots
A couple years ago ENISA had a great report about how to use honeypots as digital traps for cyber criminals.

The Executive Director of ENISA Professor Udo Helmbrecht commented:

"Honeypots offer a powerful tool for CERTs to gather threat intelligence without any impact on the production infrastructure. Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT's constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behaviour, as well as give an opportunity to learn about attacker tactics. Therefore, if the CERTs in Europe recognise honeypots better as a tasty option, they could better defend their constituencies' assets."

I like how they think...
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/20/2014 | 6:43:50 AM
Re: ENISA and Digital Traps via Honeypots
Honeypots have been around for a long time. It will be interesting to see if they indeed become a more common tool for enterprises (mainly large ones, of course). As researchers have found and demonstrated over the years, you can glean a lot of powerful information about attackers/attacks from a honeypot.
RetiredUser
RetiredUser,
User Rank: Ninja
6/20/2014 | 7:20:26 AM
Re: ENISA and Digital Traps via Honeypots
Between 2003 and roughly 2008 honeypots were the topic of many legal arguments whether someone implementing the technology could actually be prosecuted for using it, or be sued by a hacker caught in the trap.  The debate still rages, but it was particularly hot in the early days since 9/11 was a recent event and many laws were bending and shifting.

When the FBI or a similar agency uses honeypots, it's OK (see United States v. Ivanov), but be careful if you are a private business or an everyday citizen.  After all, it can be entrapment and a violation of privacy, technically.  I'd review SANS resources for recommendations on avoiding prosecution, which include anything from proper banner setup on systems to documentation, and proving your honeypot is a closed loop, preventing hackers from jumping off from there to other systems.

In other words, when you shoot the intruder, make sure you can justify the trail of jewelry that went up your lawn and through the open door (or minimally secured) to your house... 
Randy Naramore
Randy Naramore,
User Rank: Ninja
6/20/2014 | 11:17:57 AM
Re: ENISA and Digital Traps via Honeypots
If done correctly, honeypots are a very useful tool to gather information about attackers. Malware is often left on them, this can be useful in determining how attacks will happen in the future.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/20/2014 | 1:07:46 PM
Low risk , no cost
This tool sounds like a perfect combination for  budget-strapped security teams!
Randy Naramore
Randy Naramore,
User Rank: Ninja
6/20/2014 | 3:50:17 PM
Re: Low risk , no cost
Very Good for the bottom line and in today's climate that is all that really matters.
theb0x
theb0x,
User Rank: Ninja
6/21/2014 | 2:34:16 PM
Honeypots: High risk, High cost.
It is a very bad idea and not common practice to deploy honeypots in a production enviroment. Honeypots are great for obtaining intelligence on what types of attacks vectors are being utilized against an infrastructure by simulating vulnerabilities in a system. However, placing a honeypot on a production network can and will expose you to more risk. More risk than just attracting attention from hackers, worms, the NSA, etc. Just because the system is simulating known vulnerabilities does not mean the honeypot or system hosting the honeypot is not actually vulnerable itself. I know it's a double negative. But the fact of the matter is that honeypots CAN be compromised by REAL vulnerabilities and used against your company to aid in further attacks or breach of data.

Yes there are many opensource and free honeypots out there but keep in mind the high cost operating, maintaining, and hosting of the honeypot network. Honeypots can and will be broken. Remember, you are just asking to be attacked so in no way should this be operating within the same subnet of your ISP. Plan on paying for 2 seperate ISPs.

 
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/22/2014 | 1:27:59 PM
Re: Honeypots: High risk, High cost.
I second this notion.  Honeypots should only be deployed in a VLAN completely segregated from all other production or for that matter non-production environments.  
kd10
kd10,
User Rank: Apprentice
6/25/2014 | 3:24:48 AM
Honeypot as a tool to identify and find the malware
In many cases you already have infected assets inside your organization and there are not many good tools that can find these infected assets.

A good Honeypot will halp you find the infected assets. Whether you take the attacker to court or not is another subject, but first you want to protect yourself and find the infected asset.

Check www.topspinsec.com. 
Brian Kellogg
Brian Kellogg,
User Rank: Apprentice
9/23/2014 | 10:25:13 PM
Re: ENISA and Digital Traps via Honeypots
I have to say that I'm not sure why some say honey pots pose too much of a risk to your network.  In large enough businesses you will be forced to try and protect antiquated software with unpatched vulnerabilities until such a time the business can migrate off of that software.  Vulnerabilities will always exist and a Honey Pot will help in identifying the threats on your internal network.  I think one thing we've learned over the last few years is that we can't trust our own internal networks.  Permimeter security just isn't as important as it used to be.  Getting behind the FW/IDS or whatever is a seemingly trivial hurdle for APTs.  Honey pots are a key part of the detection/identification part of a defense in depth security program IMHO.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-10072
PUBLISHED: 2023-02-04
A vulnerability classified as problematic was found in NREL api-umbrella-web 0.7.1. This vulnerability affects unknown code of the component Flash Message Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.8.0 is able to address this...
CVE-2018-25079
PUBLISHED: 2023-02-04
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3...
CVE-2023-0671
PUBLISHED: 2023-02-04
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.
CVE-2023-24806
PUBLISHED: 2023-02-04
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2013-10017
PUBLISHED: 2023-02-04
A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recom...