Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Tech Insight: Time To Set Up That Honeypot

A combination of traditional network security monitoring and recent advancements in honeypot and active defense tools is key to detecting today's threats

Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what's going on within their internal networks.

There is a gross lack of situational awareness with a clear lack of being able to quickly know whether an attack is under way and to assess whether that attack was successful. The recent Verizon Data Breach Investigation Report (DBIR) provides excellent insight here, finding that most victim organizations don't discover that they've been breached for months and even years after the fact. And nearly 70 percent of them are alerted to the breach by a third party.

Where is the network security monitoring and log analysis that should be alerting these businesses? Kevin Johnson, CEO of Secure Ideas, said in a post, "Current security technologies are beginning to show significant strain. It seems as though the current defensive technologies…are not slowing the current generation of advanced threats."

With defensive security solutions not able to keep up with current threats, enterprises need to develop better detection methods -- using a combination of traditional network security monitoring (NSM) and recent advancements in honeypot and active defense tools.

NSM is a field that is reaching a relatively mature state due to the attention and recognition of its value over the past several years. If you're not sure what NSM is, then check out the Applied NSM blog and upcoming book by Chris Sanders from InGuardians for more information.

What about honeypots and all the talk surrounding active defense? Honeypots are, in the most simplistic terms, systems that are designed to be attacked. There are many different variations of honeypots and what services they offer (i.e. HTTP, SMTP, SSH, etc.). They also vary in the level of management, or interaction, that they require, but the common theme is that they are there to be attacked so the person running the honeypot can get better insight into what the attackers are doing.

Active defense takes the idea of honeypots further by attempting to operationalize them so that attacks can be identified quickly and security teams can respond quickly. Essentially, the honeypots become early warning detection systems that identify attacks that traditional defense systems might miss.

There are two problems, however, with honeypots and active defense that has given them a bad rap. The first is that honeypots are often seen as a waste of time because there has never been an easy way to integrate them into enterprise environment and truly leverage their attack detection capabilities.

Second, active defense -- while helping to realize the true value of honeypots -- is often confused with hacking back (or attacking the attacker) because of articles that focus more on active defense practices that attempt to confuse, annoy, and even exploit flaws in the tools used by attackers.

Thanks to a resurgence in honeypot interest, there are new projects that make it much easier for security professionals to deploy honeypots and leverage them within their existing security infrastructure. Artillery, from TrustedSec, is an excellent example. It can be deployed on a standalone system or an existing server. Once deployed, it listens on commonly attacked network ports. Any attempted attacks are blocked and reported. Additionally, it gets data from the TrustedSec intelligence feed and will block connections from previously identified attackers.

Project Nova is another newer honeypot project that took the very popular, but no longer developed, honeyd, and updated and enhanced it, created a dashboard and wrapper around honeyd, and made it easy to deploy many honeypots at one time -- all from the same host. Those honeypots can be made to look similar to existing systems on the network and act as decoys to the real systems. A machine learning algorithm helps determine whether systems are hostile or benign, and alert appropriately.

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.

In addition to the traditional honeypot solutions that are simply designed to be attacked, ADHD includes active defense tools that intend to slow down attackers and allow for detection, or to annoy them to where they're more likely to make a mistake and get caught. Just be sure you've considered the consequences of what annoying an attacker could lead to; an angry attacker may quickly become a maliciously destructive attacker causing massive system failures and data loss.

The important thing to remember is that the solution you select needs to have its logs and alerting output added as sources to the existing SIEM or log analysis system. This will provide the notifications and bring back around the aspect of using honeypots as an early warning system. ADHD is a good choice to get started with because it contains a large number of tools and today saw the newest version, 0.5.0, uploaded to SourceForge.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Jonathan Cramer
Jonathan Cramer,
User Rank: Apprentice
4/29/2013 | 2:46:09 PM
re: Tech Insight: Time To Set Up That Honeypot
If your honeypot is capable of attacking other systems, then you're doing it wrong.

As for hardening, that's a great idea in theory but it only goes so far. Honeypots are cheap and easy to deploy.

You should definitely read through the link that Lukas included to learn more about what honeypots really are.
Todd Bell
Todd Bell,
User Rank: Apprentice
4/29/2013 | 2:02:54 PM
re: Tech Insight: Time To Set Up That Honeypot
I am not fan for Honeypots for a couple reasons. One the legal ramifications if a Honeypot is used to attack another system, and two, I strongly feel the time & resources spent should be used to harden the existing infrastructure.
Lukas Rist
Lukas Rist,
User Rank: Apprentice
4/29/2013 | 9:24:15 AM
re: Tech Insight: Time To Set Up That Honeypot
Must read before writing about honeypots: http://www.enisa.europa.eu/act...
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-16
IBM Sterling File Gateway through is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.