Honeypots: helping us understand the enemy
A honeypot is a “false” environment, that has the goal to deceive attackers and unauthorized users and lure them away from the company’s network. The Honeypot works as a real system, service, or network with non-valuable and non-legitimate information; this way, the attacker gets fooled into wasting his time attacking and accessing the network; and the company’s data and assets are protected, and because all the activity in the Honeypot environment has been monitored and recorded; we can use this information about how the attacks are carried to help us improve the security of our systems and identify the weak points on the environment.
Choosing the Honey & putting it out in the wild
Honeypots can be classified by how much an attacker is able to interact with the network, command, and application when it is trapped on. These classifications are as follows:
- Low-Interaction Honeypots (LIHP)
- Medium-Interaction Honeypots (MIHP)
- High-Interaction Honeypots (HIHP)
LIHP: simulates or emulates services that are commonly requested by attackers, these types of honeypots don’t use an OS and are less complex; therefore, they are easy to deploy and maintain and consequently collect just basic information about the attack. LIHP doesn’t keep the attacker engage for very long and getting in-depth information on an attacker’s habits is more difficult.
MIHP: Still doesn’t use an OS but emulates aspects of the application layer, they usually keep the attacker for longer periods of time and are more complex than LIHP.
HIHP: This Honeypot offers an OS for the attacker to inquire about. This causes HP to be more complex and more expensive to maintain because they usually mimic a full production environment with many services. Because LIHP and MIHP use a less complex deployment they have a lower risk of compromising the real environment than HIHP, where the risk of compromise is higher due to how similar the HP and the environment are. As a tradeoff, the information that it gathers about an attacker’s habits and techniques is detailed and useful.
In addition, honeypots can be further classified by their function, the two examples are Production and Research Honeypots:
Research Honeypots: Used to gather information about attacks trends, tactics, techniques, and procedures. Specifically for studying attacker behaviors. RH looks at both your environment and the internet. Many HHIHP are Research HP
Production Honeypots: Used mainly by companies and deploy on the company’s production servers running systems that are normally run on the organization environment. They help deceive the attacker and alert the admins about the activity. Here we can find LIHP or MIHP
We can further classify Honeypots based on the additional tech they implement, in this category we can find the following:
Choosing the right weapon to attack
When deploying a Honeypot there are a few considerations you must ponder to choose the right tool for the job. The best starting point would be to consider; what we want to get from the Honeypot, if our goal is to know about the attackers’ protocols, the source of the attack, and some passwords and usernames used by them; while, keeping the cost and the maintenance to operate low; then, LIHP or MIHP are the option to consider and because they are less complex the probability of it compromising the real environment is very low. When deploying a HIHP we have to consider that these systems usually mirror production systems; so they are configured to utilize extensive services, this makes them very costly because of the devices that are required to work, and also the use of more computers and services means that a lot of manpower is going to be required for configuring, deploying, monitoring and fixing the Honeypot, and because they are built to be as similar as the system that is imitating, means that a great risk exists of the attacker to use the system as a staging point for attacks against the real environment. HIHPs are meanly used for intelligence gathering and study purposes.
LIHP can be deployed on a virtual machine or run on a container while HIHP is usually deployed on various Virtual Machines or Physical devices with a lot of services installed on them.
Is this the real life?
So how does a Honeypot look in real life? The following is a brief explanation of the mental process used to deploy a Honeypot.
- Decide the layout for the implementation. Here, network design must be taken into consideration and how the Honeypot interacts with the outside and the internal network. We want to allow an attacker to use it but we don’t want them to have access to the Internal Network
- Choose what kind of Honeypot to deploy, for example, Dionaea is an excellent LIHP able to detect protocols like SMB, HTTP, FTP, Microsoft SQL Server, VoIP, etc. Remember to take into consideration what you want to learn from it.
- Decide how to deploy the Honeypot, would it be hosted on a VM or a container using Dockers or installed directly on a physical machine Would it be installed on the Environment network or separate from it?
- Once the Honeypot has been put into place, is time to wait for some traffic to flow. This can take weeks or even months. We can’t control how often our services get attacked.
- After some time, we retrieve the logs and analyze them. The following is the result of a study by the University of Aalborg on Denmark using the Dionaea tool.
Here is a little example of what information we can retrieve with a Honeypot, is worth taking into consideration that this is just one example of one tool.
Conclusion
Honeypots are a means to an end; they provide an extra layer of security but don’t replace existing tools like EDRs or SIEMs. They work beside them to offer the user a better understanding of the inevitable threats that appear every day and getting to know the enemy is an excellent tool to achieve a more secure environment.