logo
Technology

This is Why You Need Cybersecurity Honeypots!

Cybersecurity analysts have noted that the traffic of attacks on small and medium-sized businesses has increased throughout 2019, reaching unprecedented levels compared to Telnet and SSH attack traffic. It is unclear who is causing this surge as no files are being uploaded; only connections from certain countries can be identified as the main culprits.

|
Jul 09, 2023
This is Why You Need Cybersecurity Honeypots!

How can we know this? Just like how we can learn about most global cyber threats, the techniques used, the timing chosen, and the tools utilized, the answer lies in honeypots.

Honeypots are information system resources whose value lies in the unauthorized or illegal use of those resources, meaning they prove their worth when a hacker attempts to interact with them. Honeypot resources are typically disguised as network servers, appearing and feeling like legitimate servers, but in reality, they are traps used to lure unauthorized intruders.

How did analysts discover EternalRocks? It happened because of the presence of honeypots.

It's a creative game of cat and mouse that sets clever traps. The adversaries who come either try to outsmart the trap or recognize something suspicious and avoid it, or in some cases, sabotage it. This was humorously responded to by one researcher who wrote a tweet entertaining many, saying, "For those of you who know my honeypot is a honeypot, can you stop placing Pooh bear (honey) pictures on it?"

Please check the HoneyDB resource to access real-time analysis of attackers, created by honeypots that collect data from honeypot sensors deployed globally throughout the internet.

Something unique and strange in the world of network monitoring and intelligence is the myriad of justifications used by both small and large organizations. Tools and techniques are often overlooked in major Information Security standards, deemed unnecessary to be included in popular governance standards such as SANS/NIST/PCI/DSS/ISO.

Our clients rarely request or require honeypot systems in their RFPs. To me, this is confusing considering the importance and value of honeypots. Are there other cyber techniques that can provide the same level of confidence to CISOs that their networks are breach-free while providing detailed information about hosts or ports used in attacks, particularly for open or immature networks?

Generally, this task falls under the realm of SIEM teams and takes months to complete the development of use cases. This article seeks to clarify and dispel misunderstandings about honeypots. Below, I have listed some honeypot examples that are credible and worth considering for any organization, whether large or small, to include in their cyber defense systems.

Host-based: The simplest and most well-known honeypot types have a challenge in blending with the existing infrastructure, not too hot to stand out but also not too cold to be disregarded. The host name and operating system should conform to existing conventions, accompanied by a few enticing breadcrumbs to grab the attention of intruders and entice them to explore further.

The specific bait used depends entirely on your organization. Additionally, authentication requests should respond in the exact same manner as other hosts on the network, but with additional monitoring in place to generate alerts if any unauthorized login attempts are detected.

An open-source project called Artillery released by Binary Defense is one option to help configure and monitor standalone honeypots within Linux or Windows systems. It can be used in conjunction with various low to moderate interaction honeypot programs that simulate systems or services. For example, Cowrie simulates an SSH service, allowing authentication by attackers and monitors attacker activities with detailed logging and alerts.

Credential-based: Assuming the enemy is already within the network, alerts about common lateral movement techniques become crucial. Thus, expanding the honeypot concept into honey hashes can be helpful. Honey hashes involve planting fake credentials in the memory of a running system. The existence of honey hashes is entirely unknown to the system and users unless the attacker uses tools like Mimikatz to steal and reuse credentials within the environment. If the attacker attempts to use the implanted honey hash credentials, system alerts will be triggered, leading to further investigation.

To run honey hashes, a special honey account must be created that will never be used in production processes, such as a domain administrator account. This account should be configured with an extremely long random password to prevent realistic exposure to password guessing.

Simultaneously, a use case is configured in the SIEM to generate alerts for any login attempts using this account. After the honey account is set as bait, honey hashes can be implanted in systems within the environment using the New-HoneyHash.ps1 script from the EmpireProject. The PowerShell script takes parameters of domain, account name, and account password, then stores the related credentials and provided information in the Local Security Authority Subsystem Service process memory.

By placing a fake administrator domain account (but with an incorrect password) credential in the computer's memory, it becomes very tempting for adversaries searching for password information within the computer's memory. The stored credential stack and the subsequent attempts to reuse the account username and password will result in failed login activity and trigger alerts for further investigation by the SOC. A startup script, pushed via group policy, can be created to place honey hashes on multiple systems across the environment if you want to automate the process across your systems.

File-based: At the bottom of the cyber kill chain, assuming the worst-case scenario has occurred and data has been successfully exfiltrated from the organization, there are also honeypot types that can detect such scenarios. Business files that have no actual business function can be used on any production server and configured with detailed auditing to trigger alerts whenever they are accessed or used. These files should have enticing names while still adhering to naming conventions within the organization. By embedding active content within the documents, they can attempt to contact URLs or reveal the system's IP address from which the document is automatically opened, thereby exposing the attacker's identity.

Activities of this nature pose legal and logistical challenges to create trustworthy disinformation. One example is Canarytokens by Thinkst. When an MS Word or PDF document is opened, it can generate and send an email to a preconfigured email address. If the file is opened, the generated email remains invisible to the file opener. The sent email also includes other metadata, such as the opener's IP address and the specific CanaryToken used. This provides adequate data for the SOC team to conduct further investigation.

Cloud-based: This final type is an emerging field. To understand malicious activity within cloud workloads, I recommend the following honey baits across the AWS service portfolio, such as SpaceCrab, HoneyBuckets, HoneyLambda, or CanaryTokensDocker. While honeypots are a relatively old technology (read more in Cliff Stoll's article titled 'The Cuckoo's Egg: Tracking a spy through the maze of espionage'), choosing one or a mix of these easily configurable, low-cost tools will add an extra dimension to security monitoring capabilities and prove highly beneficial for defenders to better understand risks and potential direct attacks. In contexts like this, honeypots truly have sweet prospects.

Share this post

You may also like

A Brief History of the Internet
Technology

A Brief History of the Internet

I got hooked on computers when Oregon Trail was first released. Back then, if you wanted your computer to be useful, you had to manually code all your applications in BASIC or endure the tedious process of "blipping" sounds at it. The only alternative to typing hundreds of lines of code was to load pre-recorded cassette tapes with a series of "beeps," whistles, and instructions for your computer to follow when played back. You know, those pre-recorded "beep" sounds were EXACTLY what the internet sounded like when I first heard it. No, it's not a typing mistake. I heard the internet before I actually saw it. So much so that I still believe my cable internet is fake because it's always so quiet. No, I didn't hear the internet because I'm some kind of internet whisperer. We ALL heard the internet before we actually used it. Its arrival was heralded by a series of high-pitched screeches and digital buzzing that came through your telephone line. That's how

AdministratorAdministrator
|
Jul 09, 2023 9 minutes read
Introduction to SOAR
Technology

Introduction to SOAR

Info

In a sense, SOAR can truly help your CSOC feel like it has wings. SOAR is a security operations and reporting platform that leverages machine-readable data from various sources to provide management, analysis, and reporting capabilities to support cybersecurity analysts. The SOAR platform applies decision-making logic, combined with context, to provide standardized workflows and enables triage (priority assignment) of cybersecurity remediation tasks. The SOAR platform provides actionable intelligence, allowing you to stay on top of your workflows. WHAT IS THE DIFFERENCE BETWEEN SOAR AND SIEM? SIEM has been around for some time and has evolved from being a security event correlation tool to a full-fledged security analysis system. Traditionally, SIEM practices involve collecting your security logs and events to provide visibility into what is happening within your organization from a cybersecurity perspective. The evolution of the tools we use is an ongoing process, and while alerts about suspicious behavior are necessary, the primary goal is to act quickly and effectively upon those alerts. Traditional SIEM will notify you that something is

|
Jul 10, 2023 4 minutes read
Why You Need To Take Asset Inventory Seriously
Technology

Why You Need To Take Asset Inventory Seriously

If you work in cybersecurity, the saying does not apply and will get you into trouble at some point. Nobody expects you to know everything, but they expect you to know what assets you have on your corporate networks plugged into your IT infrastructure. It's the first thing I look for when speaking to an organisation for the first time. Generally speaking, the more that an organisation can tell you about their inventory of PC's, tablets, smartphones, servers, wireless access points and wireless access points, the better they are at cybersecurity. It may surprise you to discover that most organisations do not have a firm handle on their asset inventory. This is shocking in itself because asset discovery is a foundational IT security measure and it's impossible to defend your IT infrastructure unless you have an up-to-date list of what you are defending. When you learn that most companies do not maintain an active list of their assets, it's not at all surprising that so many get breached. When I

|
Jul 09, 2023 5 minutes read

Receive weekly
updates on new posts

Subscribe