Researchers have built a free open-source honeypot software program aimed at turning these hacker decoys into practical security weapons for everyday organizations.
The Modern Honey Network (MHN) software, created by the Google Ventures-backed startup ThreatStream, automates much of the process of setting up and monitoring honeypots, as well as gleaning threat intelligence from them. An API allows it to integrate with IDSes, IPSes, application-layer firewalls, SIEM, and other security tools to set up defenses against attacks it detects.
Honeypots -- basically lures posing as machines that let organizations gather intelligence and study the behaviors of attackers -- long have been a popular and valuable tool for security researchers. There are plenty of open-source honeypot tools available today, but the high maintenance and complexity of deploying and running these lures have made them unrealistic security options for most businesses.
"Honeypots have never truly taken off in the enterprise," says Greg Martin, CEO of ThreatStream, which provides a software-as-a-service threat intelligence system for large organizations like Northrop Grumman and SAIC. The goal of MHN is to simplify honeypot deployment and ultimately to make these tools a mainstream, inherent part of the security arsenal for companies in various industries.
"You can deploy 29 honeypots with the click of a button" with the open-source tool, Martin says. "With a VMware server, you can do 30 or 40."
Jason Trost, senior analytics engineer with ThreatStream and formerly with the Department of Defense and Sandia National Labs, says installing and managing honeypots has been harder than it should be. That's what inspired him to lead the development of MHN, which builds on several open-source components: the Snort sensor; the honeypots Dionaea, Conpot, Shiva, and Nepenthes; the MongoDB database; and The Honeynet Project's Honey Map, which provides geographic visualization of attacks and malicious activity captured by honeypots.
"There are organizations that have the expertise" to use honeypots, Trost says. "But honeypots are not done in the mainstream, because they are time-consuming. I hope this [MHN] lowers the bar to do that."
The tool can be used for two basic types of honeypot setups: outside the organization to monitor Internet-wide threats and inside the organization, behind the firewall, to monitor targeted attacks or insider threats. "If you have a honeypot inside and see attacks on it, it's an amazing way to catch an APT from the inside," Martin says.
According to SANS, honeypots can help if they're deployed properly. "However, it can also cause a decrease in an organization's security by being more attractive to worms or attacks," SANS says in its honeypot guide for enterprises. "Therefore, an organization must clearly define the risks it wants to reduce with a honeypot and the requirements for accomplishing this. Then, any deployment can be tested to make sure it benefits the organization."
Deploying a "high interaction" honeypot is especially risky. The Russian researcher Alexey Sintsov learned this the hard way: He ran an experimental honeypot on the DEFCON Russia website he manages in order to counterattack and gather attacker information such as network adapter settings, trace routes, and login names. But Sintsov got more than he bargained for; he found that he had hit the desktop of an intelligence agency from a nation that was formerly part of the Soviet Union. He later uninstalled the honeypot.
But the open-source MHN is a so-called low interaction honeypot, meaning that it merely gathers information and doesn't hack back, so the risks of exposure are minimal. "Risks of honeypots are very much a misconception," Martin says. "Honeypots that make parts of your [infrastructure] look vulnerable, yes, but the benefit is having that attacker intelligence. If they see the honeypot, they are already scanning and looking. That intel outweighs any risks you're introducing by making you look vulnerable."
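As an added illustration of the internal, low-interaction deployment described above (example code, not MHN's or ThreatStream's own), the following triages connection events a decoy behind the firewall recorded and rates internal sources highest. The event format, field names and address ranges are constructed for this example.

```python
import ipaddress
import json
from collections import defaultdict

# Hypothetical organization's internal ranges: a decoy behind the firewall gets
# no legitimate traffic, so an internal source is the strongest signal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed JSON-lines events, one per connection a sensor recorded (made-up fields).
SAMPLE_EVENTS = """
{"ts": "2014-06-20T10:01:02Z", "src": "10.20.3.44", "dport": 445, "sensor": "dionaea"}
{"ts": "2014-06-20T10:01:05Z", "src": "10.20.3.44", "dport": 3306, "sensor": "dionaea"}
{"ts": "2014-06-20T10:01:09Z", "src": "10.20.3.44", "dport": 502, "sensor": "conpot"}
{"ts": "2014-06-20T10:02:00Z", "src": "203.0.113.9", "dport": 445, "sensor": "dionaea"}
{"ts": "2014-06-20T10:02:01Z", "src": "203.0.113.9", "dpo
"""

def parse_events(text):
    """Parse JSON-lines honeypot events, dropping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line must not stop triage of the rest
    return events

def is_internal(src):
    """True if the source address lies in the organization's own ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def triage(events):
    """Aggregate per source and rate for forwarding to a SIEM or blocking device."""
    per_src = defaultdict(lambda: {"ports": set(), "sensors": set()})
    for ev in events:
        per_src[ev["src"]]["ports"].add(ev["dport"])
        per_src[ev["src"]]["sensors"].add(ev["sensor"])
    alerts = []
    for src, rec in per_src.items():
        internal = is_internal(src)
        scanning = len(rec["ports"]) >= 3  # several decoy services touched
        # Inside source plus scanning points at insider activity or lateral movement.
        severity = ("medium", "high", "critical")[internal + scanning]
        alerts.append({"src": src, "internal": internal, "severity": severity,
                       "ports": sorted(rec["ports"]), "sensors": sorted(rec["sensors"])})
    return sorted(alerts, key=lambda a: ("critical", "high", "medium").index(a["severity"]))
```

Running `triage(parse_events(SAMPLE_EVENTS))` places the internal host that touched three decoy services first as critical, with the single external probe rated medium.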
Plus, honeypots are hardened by design, he says.
MHN, meanwhile, can be used with a little crowdsourcing, too. "We've created a public server that pulls together intelligence [the systems gather], and you have the option to crowdsource the information," Martin says. ThreatStream ultimately plans to share attack trends publicly: which countries are hosting the attacks and where DDoS attacks are occurring, for instance. "You can create a huge cyber weather map."
The free honeypot tool is available for download.