In a previous article, we gave an overview of honeypots. Here we continue the discussion, with more detailed information concerning practical implementation. Remember that a honeypot is a highly flexible tool with many different applications to security. There are versions available that specifically target malware, web services, SCADA/ICS, and other services.
There are systems with different levels of interaction. Interaction measures the activity a honeypot implementation allows the attacker. The more interaction is permitted, the more you can learn about the hacker and his intentions. However, more interaction involves more complexity in implementation and maintenance. It also increases the risk of a hacker breaking out of the honeypot container and attacking the real production systems.
A high-interaction honeypot runs an actual operating system (or systems) while a low-interaction honeypot uses emulation. Most commercial or open-source honeypot systems consist of a menu of “designer” honeypots to choose from.
The easiest approach by far is to implement a package. There are a large number available commercially (or for free!) that serve an array of needs, such as the following:
Kippo - A medium-interaction honeypot that allows you to present a pretty convincing SSH server complete with file system. Kippo records and even allows for replay of the attack.
Glastopf - A low-interaction honeypot that emulates known web vulnerabilities such as SQL injection.
Honeyd - A low-interaction honeypot that simulates multiple services and hosts on a single machine via virtualization. As a result, it presents a more convincing environment to hackers. It is based on Linux/Unix but can emulate various operating systems and services. This is important because each operating system differs in its response to messages. Since Honeyd emulates operating systems at the TCP/IP stack level, it can fool even sophistic network analysis tools such as nmap. When an attack occurs, Honeyd can passively attempt to identify the remote host. The honeyd website also provides a series of useful “Know Your Enemy” papers.
Ghost USB. - This mounts as a “ghost” USB drive to serve as a honeypot for malware that uses USB drives to replicate.
Dionaea - A Windows-based honeypot to collect malware.
The honeypots such as those mentioned above are often bundled together, along with unified reporting capabilities. These include:
HoneyDrive - This Linux distribution is a virtual appliance (OVA) with Xubuntu. It provides more than 10 pre-installed and pre-configured honeypot software packages, as well as analysis and monitoring tools.
MHN (Modern Honeypot Network) - This open source project uses a Mongo database and provides extensive tools.
KFSensor, - This is an extensive Windows-based honeypot system. This is a professional-grade system with a high price tag, but its flexibility cannot be beat.
You would spend much time installing and tuning software to match the capabilities of such comprehensive packages as KFSensor, MHN, and HoneyDrive. If that is your idea of fun, here are some considerations (https://www.sans.org/security-resources/idfaq/honeypot3.php ):
Attackers have their own countermeasures against honeypots. Be aware that attackers swap information about known honeypots. The good news is that, as we mentioned, there are many systems in use. This makes it more difficult for attackers to look for a single signature betraying the existence of a honeypot. Some experts believe that each honeypot should have a “deception port”, an open port that allows attackers to detect the honeypot. Supposedly this convinces attackers that they are dealing with a sophisticated adversary, and would deter them from pursuing their attacks.
In any case, attackers use the following to determine if they have stumbled into a honeypot . You can use this list to improve your system:
Before you initiate your honeypot you must also consider the legal implications. The main legal issues to consider when it comes to honeypots are: entrapment and privacy. This and the previous honeypot article provided a short overview of honeypots . To create and/or install a system, you will need more detailed information and a person or team with technical expertise.
Sign-up for email updates...
Call us on USA +1 813 304 2544 or IRL +353 91 545555Contact Us