Honeypot Security: Identifying Active Hackers Through Honeypot Deception

Every security expert has a perspective on what (and who) poses the biggest network security threats: cybercriminals, lone hackers, hacktivists, insiders, compromised workstations, and even nation-states. But with so many traffic requests making their way to your corporate network, it can be hard to distinguish attackers from legitimate visitors.

While security information and event management (SIEM) suites are getting more sophisticated at mining and finding those needles in a haystack, many in the industry are revisiting a technology that has been around for years but received very little mainstream deployment from corporations: honeypots.

In fact, companies in the SIEM and managed security service provider (MSSP) industry have taken notice and recognized the value of honeypot traps for threat intelligence. Some have begun to either integrate support into their product offerings, or are providing honeypots as a managed platform within a larger security offering.

Honeypots Increase Visibility to See Enemies Clearly

Honeypots in a corporate network can provide visibility like no other solution can. By its very nature, a honeypot trap deployed on a corporate network is not providing any production business service. Therefore, the mere fact that someone attempts to interact with it is valuable threat intelligence alone. The activity tells you that someone is probing your network and systems. SIEMs can correlate the source address of the attacks with other events to raise risk levels and keep staff on high alert for events that may otherwise be interpreted as noise.
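The correlation the paragraph describes, as an added example that is not part of the original article: any contact with a honeypot address marks the source as a prober, and that source's later traffic against production hosts within a time window is pulled out of the noise. The event format, addresses and window are constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Any event whose destination is a
# honeypot address is a honeypot hit: no legitimate client ever needs to talk to one.
HONEYPOT_ADDRS = {"10.0.5.250"}
EVENTS = [
    "2023-03-01T10:00:05 src=192.0.2.44 dst=10.0.5.250 dport=22 action=connect",
    "2023-03-01T10:00:09 src=192.0.2.44 dst=10.0.1.20 dport=443 action=allow",
    "2023-03-01T10:00:12 src=198.51.100.7 dst=10.0.1.20 dport=443 action=allow",
    "2023-03-01T10:03:30 src=192.0.2.44 dst=10.0.1.21 dport=445 action=deny",
    "2023-03-01T11:30:00 src=192.0.2.44 dst=10.0.1.22 dport=80 action=allow",
]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$")

def parse(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"])
    return e

def correlate(lines, honeypots=HONEYPOT_ADDRS, window=timedelta(minutes=30)):
    """Map each source that touched a honeypot to its later events against
    production hosts within `window`. Sources that never touched a honeypot are
    left alone, so ordinary allowed or denied traffic stays as background noise."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    first_touch, suspect = {}, defaultdict(list)
    for e in events:
        if e["dst"] in honeypots:
            first_touch.setdefault(e["src"], e["ts"])  # remember the first honeypot contact
        elif e["src"] in first_touch and e["ts"] - first_touch[e["src"]] <= window:
            suspect[e["src"]].append(e)  # escalate: this source is a known prober
    return dict(suspect)
```

In the sample, the lone firewall deny on port 445 would normally be ignored; because the same source touched the honeypot minutes earlier, it is surfaced together with the allowed HTTPS session.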

Honeypots deployed to prevent infiltration from bad guys, referred to as low interaction honeypots, have other benefits as well. It’s tough for a malicious hacker to know they’re targeting a honeypot. They may just think you have a very hardened system, and that may compel them to try even harder to break through. While they attempt to crack through the system, you can “see” them, but they won’t know you’re watching. So, they can get bogged down attempting to break into a system that ultimately has no value, and end up spending less time hacking away at your real assets.

Are honeypots geared toward internal as well as external threats? Most people start by thinking about deploying honeypots as an Internet-facing solution first. However, imagine the immediate value of deploying them inside your network on sensitive or user-network segments.

Do you have malware crawling your network? Is there a malicious insider looking for systems to attack? Or has a system already been compromised and someone is “looking around”? Honeypots deployed inside your network can make these types of activities stand out and alert security staff without tipping off hackers, all because the deployed honeypot has no legitimate service that should ever be accessed. Therein lies the first advantage in the fight: spotting the bad guys without them knowing you already know they’re there.

More Lessons to be Learned

From my experience, there is still a lot more that can be learned from these deceptive systems, and several questions are left unanswered.

For instance, how are hackers attacking your network? If you see an attack and block an IP (commonly called IP shunning), does the attack truly stop, or do they just rotate to another IP? And what about geolocation? Where in the world are the attacks coming from? If you only conduct business in one country, would blocking other countries buy you additional protection (a technique called geofencing)?

We have seen firsthand on our honeypots that attacks come from all over the world – not only from Europe and Asia, but truly from every country. From our honeypot, it is also clear that attacks come from distributed botnets — an army of remotely controlled computers compromised around the world.

Firewall administrators love IP shunning. They configure a rule and feel that they’ve stopped the attack. However, from our experience, IP shunning isn’t effective. Blocking an IP causes the attacker, and in many cases the attacking country, to change very quickly and pick up where the other attack left off. Honeypot data shows this very clearly: in a password guessing attack, for example, you can watch the new IP resume with the next password in the same ordered list. While geofencing (blocking IPs by geographic location) does help, it doesn’t help as much as security professionals would hope. For instance, blocking attacks from all countries except the U.S. simply means that attacks will begin coming from within the U.S. quite quickly.
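The observation above, that a shunned IP is replaced by a new one continuing the same ordered password list, can be turned into detection logic. This added example is not from the original article; it assumes a constructed honeypot SSH auth log format and a wordlist previously captured from the honeypot, and chains sources whose guesses pick up exactly where an earlier source stopped.

```python
import re
from collections import defaultdict

# Constructed sample data (not real honeypot output). WORDLIST stands in for a
# password list previously captured from the honeypot, in the attacker's order.
WORDLIST = ["123456", "password", "admin", "root", "toor", "vyatta", "oracle", "raspberry"]
AUTH_LOG = [
    "10:00:01 src=203.0.113.10 user=root password=123456",
    "10:00:03 src=203.0.113.10 user=root password=password",
    "10:00:05 src=203.0.113.10 user=root password=admin",
    # 203.0.113.10 is shunned at the firewall here; a new source resumes the list
    "10:00:40 src=198.51.100.23 user=root password=root",
    "10:00:42 src=198.51.100.23 user=root password=toor",
    "10:00:44 src=198.51.100.23 user=root password=vyatta",
    # unrelated scanner working through its own list against a different user
    "10:00:50 src=192.0.2.99 user=admin password=admin",
    "10:01:10 src=192.0.2.99 user=admin password=root",
    "10:01:20 src=192.0.2.77 user=root password=oracle",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) password=(?P<pw>\S*)$")

def attempts_by_source(lines):
    """Passwords tried per (user, src), in log order."""
    seq = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seq[(m["user"], m["src"])].append(m["pw"])
    return seq

def link_campaign(lines, wordlist=WORDLIST):
    """Chain sources that walk the same ordered list: source B is appended to
    the chain of source A when B's first guess is the entry right after A's last.
    Returns a list of chains, each a list of (src, first_index, last_index)."""
    pos = {pw: i for i, pw in enumerate(wordlist)}
    segments = []  # (user, src, first_index, last_index) in order of first sighting
    for (user, src), pws in attempts_by_source(lines).items():
        idx = [pos[p] for p in pws if p in pos]
        if idx and idx == list(range(idx[0], idx[0] + len(idx))):  # strictly in list order
            segments.append((user, src, idx[0], idx[-1]))
    chains, tail = [], {}  # tail: (user, last_index) -> chain that ended there
    for user, src, first, last in segments:
        ci = tail.pop((user, first - 1), None)
        if ci is None:
            chains.append([])
            ci = len(chains) - 1
        chains[ci].append((src, first, last))
        tail[(user, last)] = ci
    return chains
```

On the sample log the three root-targeting sources collapse into one chain covering list positions 0 through 6, while the admin scanner stays separate; a production version would also require the new source to appear only after the previous one went quiet, to rule out coincidental matches.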

Proof the Internet-of-Things (IoT) Is a Target

This year there was at least one high-profile attack that was attributed to what appeared to be a botnet of IoT devices. Since its deployment, our honeypot captured first-hand evidence that the criminals were targeting these systems. Services to mimic management protocols on a myriad of devices were used, and attacks started coming almost within an hour of exposing these devices to the Internet.

A long list of default passwords was the first to hit. Interestingly, SSH was more of a target than web servers. The bad guys wanted command-line access. This line of attack provided the opportunity to capture the attacker’s password lists and see what log-in credentials they really were trying to use.

Credentials for home devices popped up in the logs, such as “admin” with no password, common on home routers, and “vyatta/vyatta” for some virtual appliances. Corporate credentials such as “oracle/oracle” were also seen. But attackers also targeted IoT and home-brewed platforms such as Raspberry Pis, very common in the embedded hobby world, using their default passwords.

Those in the security community were not left out. The very popular Kali Linux build used by penetration testers and hackers worldwide was also targeted. Kali’s default root password also showed up frequently.

The takeaway from this: as the security world predicts, hackers are not only going after corporations but also home users. The more systems of any kind they compromise, the better. If they don’t find sensitive information, they’ll at least have another node in their botnet army. Oh, and the biggest takeaway from the passwords found by the honeypot: please change those default passwords!

Summary and Next Steps

This article has only scratched the surface of the actionable intelligence that can be gained from having honeypots on your network. Unlike theoretical threat models, the intelligence honeypots provide concerns threats that are actually active against your network, the attack sources you really need to pay close attention to.

You might be thinking to yourself, “Okay, I see the value honeypots offer, but how do I incorporate this into our security program?”

The first step we’d suggest would be to talk to your managed security provider or SIEM vendor and see what options they offer. Ask if they offer or integrate with a solution, what honeypots they support, and if they can assist with configuration and tuning. Consider deploying both an Internet-facing and internal honeypot that simulates the kinds of real systems you have in place so the target looks authentic. Also, make sure that all the valuable threat intelligence that is collected is put to good use by correlating it with your other security events to see the complete picture of attacks against your network.