Honeypots – Not Just For Winnie the Pooh

It doesn’t take long for someone to be in their career as a security professional before they hear of the term “Honeypot”. But, for those that aren’t security professionals, a Honeypot is an isolated, publicly accessible network segment that is set up to entrap potential attackers. It’s purpose is to act as an early warning system to the organization that set it up so that they know that an attack is coming or, and this can be more important depending on the organization, you can use it to see brand new Zero Day Exploits.

Now, while the Honeypot is a great way to be proactive in dealing with potential attackers, I very seldom see companies setting them up. And the thing is that they don’t have to be expensive. In fact, you actually want it to almost look like a Test/Dev environment so that it has holes that an external entity can take advantage of them. Maybe too many companies have “holey” exterior segments already and adding one more just makes them feel bad.

But, simply put, all you want to do is have an external segment set up that can not be used to tunnel back into the enterprise. Put in an unpatched couple of servers in that segment that are of the same base configuration that you have internally, put this segment behind a firewall that allows external traffic in using things like HTTP and you have your Honeypot network segment all set.

Oh, and one more thing. You want to monitor the bejesus out of it. Remember, this network segment is your early warning system, even more so than any of your DMZ zones. So put your SIEM agents in place and lock down the logging capability. Put in place your Anti-Virus capabilities as well as a NIDS and then Bob’s your uncle. But a couple of things before you do this.

Remember, a Zero Day attack isn’t going to trigger your Anti-Virus solution simply because, by it’s nature, there won’t be any signatures around that the AV can use. Remember, an attacker that is coming for your environment is going to be looking for things like NIDS simply because everyone has one. And your logs? Well, any attacker worth their salt will erase their presence in the logs before they leave. So what do you do?

Well, for your logs, you have one very important advantage. You know that the Honeypot isn’t meant as a production system. So ANY change to the environment means that something has happened. Think of it like having a muddy floor that someone has to walk across. If the someone goes across your muddy floor, then their footprints will show up. If there aren’t any footprints, then you’re pretty sure no one has been in there.

Your NIDS? Well, I remember having a conversation with someone years ago about a really good way to implement a NIDS. The vast majority of ways to get into an environment involve trying to find IP addresses that are in place. A NIDS will, even if it’s passing traffic through it, have IP addresses associated with them. So, rather than having IP addresses, have just MAC addresses and then an out-of-band port that you connect to for management. All of a sudden, the NIDS doesn’t have any fingerprint on the network that someone can see.

And Anti-Virus? Well, the AV is there because it’s expected to be there. But you want to take a hash of the OS once you’ve put it in place. Then, check it regularly to see if the hash has changed. Since it’s not supposed to change, any change in the hash will mean something has happened.

Use your Honeypot to show your non-security people what is potentially happening in the real world. When their eye’s open up wide with realization, you know they will understand. But sometimes the proof is only found in the pudding. Or, in this case, the Honeypot.

Hope this helps …

Neil

Leave a Reply

Your email address will not be published. Required fields are marked *