In a previous article, we gave an overview of honeypots. Here we continue the discussion, with more detailed information concerning practical implementation. Remember that a honeypot is a highly flexible tool with many different applications to security. There are versions available that specifically target malware, web services, SCADA/ICS, and other services.
Determining the proper level of interaction
There are systems with different levels of interaction. Interaction measures how much activity a honeypot implementation allows the attacker. The more interaction is permitted, the more you can learn about the attacker and their intentions. However, more interaction involves more complexity in implementation and maintenance. It also increases the risk of an attacker breaking out of the honeypot container and attacking the real production systems.
A high-interaction honeypot runs an actual operating system (or systems) while a low-interaction honeypot uses emulation. Most commercial or open-source honeypot systems consist of a menu of “designer” honeypots to choose from.
Types of Honeypot Packages
The easiest approach by far is to implement a package. A large number are available commercially (or for free!) that serve an array of needs, such as the following:
Kippo - A medium-interaction honeypot that allows you to present a pretty convincing SSH server complete with file system. Kippo records and even allows for replay of the attack.
Glastopf - A low-interaction honeypot that emulates known web vulnerabilities such as SQL injection.
Honeyd - A low-interaction honeypot that simulates multiple services and hosts on a single machine via virtualization. As a result, it presents a more convincing environment to attackers. It is based on Linux/Unix but can emulate various operating systems and services. This is important because each operating system differs in its response to messages. Since Honeyd emulates operating systems at the TCP/IP stack level, it can fool even sophisticated network analysis tools such as nmap. When an attack occurs, Honeyd can passively attempt to identify the remote host. The Honeyd website also provides a series of useful “Know Your Enemy” papers.
Thug - A client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.
Ghost USB - This mounts as a “ghost” USB drive to serve as a honeypot for malware that uses USB drives to replicate.
Dionaea - A Windows-based honeypot to collect malware.
Comprehensive Honeypot Packages
Honeypots such as those mentioned above are often bundled together, along with unified reporting capabilities. These include:
HoneyDrive - This Linux distribution is a virtual appliance (OVA) with Xubuntu. It provides more than 10 pre-installed and pre-configured honeypot software packages, as well as analysis and monitoring tools.
MHN (Modern Honeypot Network) - This open source project uses a Mongo database and provides extensive tools.
KFSensor - This is an extensive Windows-based honeypot system. It is a professional-grade system with a high price tag, but its flexibility cannot be beat.
Building your own honeypot system
You would spend much time installing and tuning software to match the capabilities of such comprehensive packages as KFSensor, MHN, and HoneyDrive. If that is your idea of fun, here are some considerations (https://www.sans.org/security-resources/idfaq/honeypot3.php):
- Log all packets going to and from the honeypot system. Consider that there is no legitimate reason for any such traffic.
- Use a protocol analyzer such as Wireshark to analyze the attacks. You will want to focus on the packets transiting between the firewall and the honeypot. Be warned that this requires a large amount of disk space. Use the filtering capabilities of the protocol analyzer to minimize capture size. Keep the intruder packets’ order, sequence, time stamps, and packet type since these are important clues to the intruder’s intentions.
- For a Linux system, make sure that you include syslogd so that you can log to a remote server.
- Utilize the firewall’s notification capabilities to send you alerts when traffic occurs to or from your honeypot.
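The four considerations above come together in one small monitoring step: the firewall logs every packet to or from the honeypot, and since none of that traffic is legitimate, each peer that appears is worth an alert that preserves the order, timestamps and packet types of what it sent. The script below is an added example, not code from the original article or from any of the packages it names. It parses constructed netfilter LOG lines (the format produced by an iptables LOG rule, as they would arrive on a remote syslog server), keeps only lines touching an assumed honeypot address, summarizes each peer's activity, and builds the BPF filter you would hand to tcpdump or Wireshark to keep the capture small.

```python
import re
from dataclasses import dataclass
from typing import Optional

HONEYPOT_IP = "192.0.2.10"  # assumed honeypot address (constructed, RFC 5737 test range)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed syslog lines from an iptables LOG rule with --log-prefix "HONEYPOT ".
# One line (prefix OTHER, host 192.0.2.20) is unrelated traffic and must be ignored.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: HONEYPOT IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=51522 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:01 fw kernel: HONEYPOT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51522 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Mar  3 10:15:02 fw kernel: HONEYPOT IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=51522 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Mar  3 10:15:07 fw kernel: HONEYPOT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=999 PROTO=UDP SPT=53012 DPT=161 LEN=8
Mar  3 10:15:09 fw kernel: OTHER IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:12 fw kernel: HONEYPOT IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12350 DF PROTO=TCP SPT=51530 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# syslog timestamp (no year), host, "kernel:", then the netfilter key=value body
_LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<body>.*)$")


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: frozenset  # bare TCP flag tokens such as SYN, ACK


def parse_netfilter_line(line: str) -> Optional[Event]:
    """Parse one netfilter LOG line; return None for lines that are not packet logs."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    kv = dict(re.findall(r"(\w+)=(\S*)", body))
    if not {"SRC", "DST", "PROTO"} <= kv.keys():
        return None
    flags = frozenset(tok for tok in body.split() if tok in TCP_FLAGS)
    port = lambda key: int(kv[key]) if key in kv else None
    return Event(m.group("ts"), kv["SRC"], kv["DST"], kv["PROTO"], port("SPT"), port("DPT"), flags)


def honeypot_events(lines, honeypot_ip=HONEYPOT_IP):
    """Keep every packet to or from the honeypot, in the original log order."""
    events = []
    for line in lines:
        ev = parse_netfilter_line(line)
        if ev and honeypot_ip in (ev.src, ev.dst):
            events.append(ev)
    return events


def summarize_by_peer(events, honeypot_ip=HONEYPOT_IP):
    """Per remote peer: counts, honeypot-side ports, protocols and an ordered timeline."""
    summary = {}
    for ev in events:
        inbound = ev.dst == honeypot_ip
        peer = ev.src if inbound else ev.dst
        hp_port = ev.dpt if inbound else ev.spt  # the port on the honeypot side
        rec = summary.setdefault(peer, {
            "first_seen": ev.ts, "last_seen": ev.ts, "packets": 0, "inbound_syn": 0,
            "outbound": 0, "ports": set(), "protos": set(), "timeline": []})
        rec["last_seen"] = ev.ts
        rec["packets"] += 1
        rec["protos"].add(ev.proto)
        if hp_port is not None:
            rec["ports"].add(hp_port)
        # SYN without ACK toward the honeypot is a new TCP connection attempt
        if inbound and ev.proto == "TCP" and "SYN" in ev.flags and "ACK" not in ev.flags:
            rec["inbound_syn"] += 1
        if not inbound:
            rec["outbound"] += 1  # honeypot talking back (or, worse, talking out)
        rec["timeline"].append((ev.ts, "in" if inbound else "out", ev.proto, hp_port, sorted(ev.flags)))
    for rec in summary.values():
        rec["ports"] = sorted(rec["ports"])
    return summary


def build_alerts(summary):
    """One alert per peer: there is no legitimate reason for any honeypot traffic."""
    return [f"ALERT honeypot contact from {peer}: {r['packets']} pkts, "
            f"{r['inbound_syn']} new TCP connection attempt(s), ports {r['ports']}, "
            f"protocols {sorted(r['protos'])}, {r['first_seen']} .. {r['last_seen']}"
            for peer, r in summary.items()]


def capture_filter(honeypot_ip=HONEYPOT_IP, exclude_hosts=()):
    """BPF capture filter for tcpdump/Wireshark: honeypot traffic only, minus e.g. the management host."""
    return " and ".join([f"host {honeypot_ip}"] + [f"not host {h}" for h in exclude_hosts])


if __name__ == "__main__":
    for alert in build_alerts(summarize_by_peer(honeypot_events(SAMPLE_LOG.splitlines()))):
        print(alert)
    print("capture filter:", capture_filter(exclude_hosts=["192.0.2.2"]))
```

Run against a live system, the input would be the forwarded syslog stream rather than the embedded sample, and the timeline list per peer is what you would replay alongside the packet capture when reconstructing an intruder's sequence of moves. The `outbound` counter deserves its own threshold: a honeypot answering a SYN is expected, but a honeypot initiating connections is the break-out scenario described earlier.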
Honeypot Detection by Attackers
Attackers have their own countermeasures against honeypots. Be aware that attackers swap information about known honeypots. The good news is that, as we mentioned, there are many systems in use. This makes it more difficult for attackers to look for a single signature betraying the existence of a honeypot. Some experts believe that each honeypot should have a “deception port”, an open port that allows attackers to detect the honeypot. Supposedly this convinces attackers that they are dealing with a sophisticated adversary, and would deter them from pursuing their attacks.
In any case, attackers use the following indicators to determine whether they have stumbled into a honeypot. You can use this list to improve your system:
- There is little or no activity in the system.
- A system is too easy to hack.
- Unusual services and/or ports are open.
- Operating systems and software have been installed using the defaults.
- File and folder names are too obviously attractive, for example, a file called "social security numbers".
- There is very little software installed.
Still Want to Install Honeypots?
Before you initiate your honeypot you must also consider the legal implications. The main legal issues to consider when it comes to honeypots are entrapment and privacy. This and the previous honeypot article provided a short overview of honeypots. To create and/or install a system, you will need more detailed information and a person or team with technical expertise.