What Was Old is New Again: Honeypots!

Published: 2015-08-10. Last Updated: 2015-08-10 15:58:44 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Here at the ISC, we operate a number of honeypots. So it is nice to see how honeypots in different shapes are starting to become popular again, with even a couple of startups specializing in honeypot solutions. Back around 2001, we had products like Symantec's "Mantrap", open source efforts like the Deception Toolkit, and of course the Honeynet project.

I don't think honeypots ever "went away" (after all, we have been running a few, and the Honeynet Project still has some great tools for running them). But honeypots never really caught on in enterprise networks. I think there were several reasons for that: First of all, pretty much all honeypots are fairly easy to discover, and typically do not deceive the more advanced attackers that enterprises are most afraid of. Secondly, a good honeypot deployment, in particular if it involves difficult-to-detect "full interaction" honeypots, can be difficult to manage. Lastly, enterprises don't want to be accused of "inviting" an attacker by providing "honey" to trap them.

More recently, a couple of companies sprung up to solve some of these problems. They offer either an "outsourced" honeypot (or better "deception") solution and redirect traffic from your network to their honeypot, or they leverage virtualization to make honeypots easier to deploy and manage across an existing network. In addition, they also make it easier to collect indicators from honeypots and deploy them using existing enterprise security solutions.

At Blackhat, a couple of talks focused on these newer "Deception" technologies (this is what they call honeypots these days):

Breaking Honeypots for Fun and Profit (by several people from Cymmetria)

A must-read for anybody deploying low-interaction honeypots. These honeypots are simple (and of course imperfect) simulations of existing systems; Kippo and Dionaea are examples. If you run one of these honeypots, you should check out the techniques outlined in the talk. It shouldn't be too hard to adapt your honeypot to evade these detection techniques.

Bring Back the Honeypots (Haroon Meer and Marco Slaviero)

This talk gives a good summary of more modern honeypots and honeytokens. If you are familiar with John Strand's ADHD Linux distribution, you may already know about things like booby-trapped documents.

Other talks do not deal directly with honeypot deployment, but instead present results collected from honeypots. In our experience, honeypots have been very helpful in emulating "IoT" devices, so it is no surprise that SCADA security research takes advantage of honeypots to detect and measure attack activity.
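The operational value described above (collecting indicators from honeypots and using internal honeypots to spot lateral movement or a honeypot that has itself been turned into a foothold) is easiest to see on a log. The following is an added example written for this page, not code from the ISC, Kippo, Dionaea or any honeypot product. The log format, the sensor names, the honeypot addresses and the internal network ranges are all constructed assumptions for the example; a real deployment would substitute its own parser and asset lists.

```python
"""Triage honeypot logs: extract external indicators, flag internal hosts that touched a
honeypot (lateral movement), and flag honeypots that started talking outbound.

Everything here is constructed for illustration. The line format
"<ts> <sensor> <event> src=IP:PORT dst=IP:PORT [key=value ...]" is an assumption,
not the output of any real honeypot.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log (RFC 5737 documentation addresses for the "external" hosts).
SAMPLE_LOG = """\
2015-08-10T12:00:01Z hp-ssh-01 connect src=203.0.113.7:51122 dst=10.10.5.20:22
2015-08-10T12:00:02Z hp-ssh-01 login src=203.0.113.7:51122 dst=10.10.5.20:22 user=root pass=123456
2015-08-10T12:00:09Z hp-ssh-01 connect src=203.0.113.7:51130 dst=10.10.5.20:22
2015-08-10T12:03:45Z hp-smb-02 connect src=10.10.7.33:49877 dst=10.10.5.21:445
2015-08-10T12:03:46Z hp-smb-02 connect src=10.10.7.33:49878 dst=10.10.5.21:445
2015-08-10T12:05:10Z hp-smb-02 outbound src=10.10.5.21:40001 dst=198.51.100.9:443
2015-08-10T12:05:11Z hp-smb-02 outbound src=10.10.5.21:40002 dst=198.51.100.9:443
2015-08-10T12:07:00Z hp-ssh-01 connect src=192.0.2.77:3333 dst=10.10.5.20:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<event>\S+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)(?P<extra>.*)$"
)

# Assumed address plan: RFC 1918 space is "internal"; these two addresses are the honeypots.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HONEYPOT_IPS = {"10.10.5.20", "10.10.5.21"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn log lines into dicts; trailing key=value pairs (user=, pass=) become fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production parser should count and report these
        ev = m.groupdict()
        extra = ev.pop("extra").split()
        ev.update(kv.split("=", 1) for kv in extra if "=" in kv)
        events.append(ev)
    return events


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_indicators(events: List[Dict[str, str]]) -> List[str]:
    """External sources that touched a honeypot: candidates for block lists / IDS feeds."""
    return sorted({e["src"] for e in events
                   if e["dst"] in HONEYPOT_IPS and not is_internal(e["src"])})


def lateral_movement_hits(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Internal hosts hitting a honeypot. Nothing legitimate should, so each one is a lead."""
    return dict(Counter(e["src"] for e in events
                        if e["dst"] in HONEYPOT_IPS and is_internal(e["src"])))


def unexpected_outbound(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Connections initiated *by* a honeypot: the honeypot may have become a foothold."""
    return sorted({(e["src"], e["dst"]) for e in events if e["src"] in HONEYPOT_IPS})


def credential_attempts(events: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Username/password pairs tried against the honeypots, most frequent first."""
    counts = Counter((e["user"], e["pass"]) for e in events if e["event"] == "login")
    return [(u, p, n) for (u, p), n in counts.most_common()]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("external indicators:", external_indicators(evs))
    print("internal hosts touching honeypots:", lateral_movement_hits(evs))
    print("honeypot-initiated outbound:", unexpected_outbound(evs))
    print("credentials tried:", credential_attempts(evs))
```

The three checks map to the three points the post and the comments raise: external sources become indicators that can be pushed to existing security tooling, an internal source hitting a honeypot is the lateral-movement signal an internal deployment is meant to produce, and a honeypot that starts initiating connections is the "compromised foothold" case that should page someone rather than be filed as normal honeypot noise.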

---
Johannes B. Ullrich, Ph.D.


Comments

One of the tools we've been looking at recently is the Botsink product by Attivo. I'm lacking budget at the moment, but it's an impressive product. It's the sort of thing I was intending to, someday, build using open-source tools, but it's already a lot nicer than what I was figuring on building.

I think the honeypot remains a great product, but it is largely underused due to political concerns. The two main reasons I know of are getting buy-off from higher management and finding a group to administer them. One concern is about a honeypot being compromised by an attacker and used as a foothold.

I strongly suggest internal honeypots, especially if an enterprise is extremely large and has servers spanning the globe. One great approach is to work with the higher management of the red team; they would have a better idea of the sensitive systems in the network. Having internal honeypots would help a lot to identify malicious traffic. Attackers using compromised footholds can be picked up if they attempt lateral movement and end up hitting those honeypots. If these honeypots start to make outbound communication for reasons they are not supposed to, it should also help to uncover targeted attacks that would likely go undetected at the perimeter.
