This is Why You Need Cybersecurity Honeypots!
Cybersecurity analysts have noted that attack traffic against small and medium-sized businesses increased throughout 2019, reaching unprecedented levels, particularly for Telnet and SSH attack traffic. It is unclear who is behind the surge, since no files are uploaded; the most that can be identified is that connections from certain countries account for the bulk of it.
How can we know this? Just like how we can learn about most global cyber threats, the techniques used, the timing chosen, and the tools utilized, the answer lies in honeypots.
Honeypots are information system resources whose value lies in unauthorized or illicit use of those resources: they prove their worth when an attacker tries to interact with them. Honeypot resources are typically disguised as network servers and look and feel like legitimate servers, but in reality they are traps set to lure unauthorized intruders.
How did analysts discover EternalRocks? Through honeypots.
It's a creative game of cat and mouse built on clever traps. The adversaries who arrive either try to outsmart the trap, notice something suspicious and avoid it, or in some cases sabotage it. One researcher responded to this with a tweet that amused many: "For those of you who know my honeypot is a honeypot, can you stop placing Pooh bear (honey) pictures on it?"
For real-time analysis of attacker activity, see HoneyDB, which is built from data collected by honeypot sensors deployed across the internet.
One odd feature of the world of network monitoring and threat intelligence is the variety of justifications that organizations, large and small, offer for passing over honeypots. Honeypot tools and techniques are largely absent from the major information security standards and are not considered necessary for inclusion in popular governance frameworks such as SANS, NIST, PCI DSS or ISO.
Our clients rarely request or require honeypot systems in their RFPs. To me this is puzzling, given the importance and value of honeypots. Are there other cyber techniques that give CISOs the same level of confidence that their networks are breach-free while also providing detailed information about the hosts and ports used in attacks, particularly on open or immature networks?
In general, this task is left to SIEM teams, and developing the corresponding use cases takes months. This article seeks to clarify and dispel misunderstandings about honeypots. Below I list some honeypot examples that are credible and worth considering for any organization, large or small, to include in its cyber defenses.
Host-based: The simplest and best-known honeypot type faces the challenge of blending into the existing infrastructure: not so "hot" that it stands out, but not so "cold" that it is ignored. The host name and operating system should follow existing conventions, with a few enticing breadcrumbs to catch an intruder's attention and draw them into exploring further.
The specific bait depends entirely on your organization. Authentication requests should be answered exactly as other hosts on the network would answer them, but with additional monitoring in place to raise an alert whenever an unauthorized login attempt is detected.
Artillery, an open-source project released by Binary Defense, is one option for configuring and monitoring standalone honeypots on Linux or Windows systems. It can be combined with various low- to medium-interaction honeypot programs that simulate systems or services. Cowrie, for example, simulates an SSH service: it lets attackers authenticate and then records their activity with detailed logging and alerts.
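As an added example (not code from the Cowrie or Artillery projects), here is a small triage pass over Cowrie-style JSON log lines of the kind such a honeypot produces. The sample lines are constructed, and the field names (eventid, src_ip, username, password, input, url) are assumed to match Cowrie's JSON output.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of Cowrie's JSON log (field names are
# assumed from Cowrie's output; every value here is invented for this example).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1","timestamp":"2019-11-02T03:14:16Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1","timestamp":"2019-11-02T03:14:17Z"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","src_ip":"203.0.113.7","session":"a1","timestamp":"2019-11-02T03:14:18Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1","timestamp":"2019-11-02T03:14:20Z"}
{"eventid":"cowrie.session.file_download","url":"http://198.51.100.9/x.sh","src_ip":"203.0.113.7","session":"a1","timestamp":"2019-11-02T03:14:25Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.22","session":"b2","timestamp":"2019-11-02T03:20:00Z"}
this line is torn and is not JSON
"""

def parse_cowrie(text):
    """One JSON event per line; a torn or non-JSON line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def triage(events):
    """Per source IP: credentials tried, login successes, commands, downloads."""
    by_ip = defaultdict(lambda: {"failed": 0, "success": 0, "creds": set(),
                                 "commands": [], "downloads": []})
    for ev in events:
        ip = ev.get("src_ip")
        if ip is None:
            continue
        rec, eid = by_ip[ip], ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            rec["success" if eid.endswith("success") else "failed"] += 1
            rec["creds"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            rec["commands"].append(ev.get("input"))
        elif eid == "cowrie.session.file_download":
            rec["downloads"].append(ev.get("url"))
    return dict(by_ip)

def alerts(summary):
    """Escalate any IP that got past login, ran a command or pulled a file;
    bare password guessing is noise worth counting but not paging on."""
    return sorted(ip for ip, r in summary.items()
                  if r["success"] or r["commands"] or r["downloads"])
```

Pointing `parse_cowrie` at the real log file gives the same summary for live data; the credential set is useful for spotting reuse of names that only exist on your network.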
Credential-based: Assuming the adversary is already inside the network, alerting on common lateral movement techniques becomes crucial, and extending the honeypot concept to honey hashes helps here. Honey hashes are fake credentials planted in the memory of a running system. Users of the system never notice them; they come into play only when an attacker uses a tool such as Mimikatz to steal credentials and reuse them within the environment. If the attacker tries to use the planted honey hash credentials, an alert is raised and an investigation follows.
To use honey hashes, create a dedicated honey account that is never used in production, such as a domain administrator account. Give it an extremely long random password so that it cannot realistically be guessed.
At the same time, configure a use case in the SIEM that alerts on any login attempt using this account. Once the honey account is in place as bait, honey hashes can be planted on systems across the environment with the New-HoneyHash.ps1 script from the EmpireProject. The PowerShell script takes the domain, account name and password as parameters and stores them as credentials in the memory of the Local Security Authority Subsystem Service (LSASS) process.
Planting a credential for a fake domain administrator account (with a password that is not the account's real one) in a computer's memory makes it a tempting find for an adversary scraping memory for passwords. Any attempt to reuse that username and password produces failed logon activity, which triggers an alert for the SOC to investigate. To automate this across the environment, a startup script pushed via Group Policy can place honey hashes on many systems.
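An added example of the SIEM use case described above, written here in Python over constructed, normalised Security-log events rather than as a vendor-specific query (not code from EmpireProject or any SIEM): the honey account name, hosts and addresses are invented; the event IDs are the standard Windows authentication events.

```python
# Constructed, SIEM-normalised Windows Security events (field names follow the
# Security log; hosts, names and addresses are invented). Event IDs: 4624/4625
# logon success/failure, 4768 Kerberos TGT request, 4771 Kerberos pre-auth
# failure, 4776 NTLM credential validation.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "IpAddress": "10.0.5.12", "WorkstationName": "WS012", "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "svc_backup_admin", "TargetDomainName": "CORP",
     "IpAddress": "10.0.5.40", "WorkstationName": "WS040", "Computer": "DC01"},
    {"EventID": 4776, "TargetUserName": "CORP\\SVC_BACKUP_ADMIN", "TargetDomainName": "",
     "IpAddress": "-", "WorkstationName": "WS040", "Computer": "DC01"},
    {"EventID": 4771, "TargetUserName": "svc_backup_admin@corp.local",
     "TargetDomainName": "", "IpAddress": "::ffff:10.0.5.40", "WorkstationName": "",
     "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "IpAddress": "10.0.5.12", "WorkstationName": "WS012", "Computer": "DC01"},
]
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}

def normalise_user(name):
    """Reduce CORP\\user, user@corp.local and USER to a bare lower-case name."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()

def normalise_ip(addr):
    """'-' and '' mean unknown; strip the ::ffff: IPv4-mapped prefix seen in 4771."""
    addr = addr.strip()
    if addr in ("", "-"):
        return None
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr

def honey_account_alerts(events, honey_accounts):
    """Every authentication event naming a honey account is an alert, success or
    failure alike: the account is never used legitimately, so there is no baseline
    to tune against and no reason to wait for a threshold."""
    honey = {normalise_user(a) for a in honey_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        user = normalise_user(ev.get("TargetUserName", ""))
        if user in honey:
            alerts.append({"account": user, "event_id": ev["EventID"],
                           "source_ip": normalise_ip(ev.get("IpAddress", "")),
                           "workstation": ev.get("WorkstationName") or None,
                           "reporting_host": ev.get("Computer")})
    return alerts
```

The three alerts for the same workstation here are one incident; grouping by source before paging is the usual next step.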
File-based: At the end of the cyber kill chain, assuming the worst case has happened and data has been exfiltrated from the organization, there are honeypot types that can detect this too. Documents that look like business files but serve no business purpose can be placed on any production server, with detailed auditing configured to alert whenever they are accessed. Their names should be enticing while still following the organization's naming conventions. Active content embedded in such a document can contact a URL when the document is opened, revealing the IP address of the system that opened it and thus pointing at the attacker.
Activities of this kind raise legal and logistical challenges in creating believable disinformation. One example is Canarytokens by Thinkst. When an MS Word or PDF document is opened, it generates an email to a preconfigured address; the person opening the file sees nothing of this. The email also carries metadata such as the opener's IP address and the specific Canarytoken that fired, which gives the SOC team enough to begin an investigation.
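As an added illustration of that callback mechanism (not Thinkst's code), here is a minimal token registry and callback handler of the kind a Canarytokens-style service needs: an unguessable token id per decoy, the beacon URL embedded in the document, and the alert built from the token and the connecting address. Token ids, decoy paths and the notification address are invented.

```python
import datetime as dt
import secrets

def new_token(registry, decoy_path, notify):
    """Mint an unguessable token id and record which decoy document carries it.
    The id goes into the document's beacon URL; a guessable id would let anyone
    trigger false alerts or enumerate which decoys exist."""
    token_id = secrets.token_hex(16)
    registry[token_id] = {"decoy": decoy_path, "notify": notify, "hits": []}
    return token_id

def beacon_url(base, token_id):
    """URL to embed in the document; the path carries only the opaque token id."""
    return f"{base.rstrip('/')}/t/{token_id}"

def handle_callback(registry, token_id, remote_ip, headers, now=None):
    """Handle one beacon. Returns the alert to mail, or None for unknown token ids
    (bots probing the callback host must not generate alerts)."""
    entry = registry.get(token_id)
    if entry is None:
        return None
    hit = {
        "time": (now or dt.datetime.now(dt.timezone.utc)).isoformat(),
        "source_ip": remote_ip,  # the TCP peer address; X-Forwarded-For is sender-supplied
        "user_agent": headers.get("User-Agent", ""),
        "decoy": entry["decoy"],
        "token": token_id,
    }
    entry["hits"].append(hit)
    return {"to": entry["notify"],
            "subject": f"Canary opened: {entry['decoy']} from {remote_ip}", **hit}

# Constructed walk-through: plant one decoy whose beacon the handler will recognise.
REGISTRY = {}
TOKEN = new_token(REGISTRY, r"\\fileserver\finance\Q4_payroll_DRAFT.docx",
                  "soc-alerts@example.invalid")
```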
Cloud-based: This final type is an emerging field. To understand malicious activity in cloud workloads, I recommend honey baits across the AWS service portfolio such as SpaceCrab, HoneyBuckets, HoneyLambda or CanaryTokensDocker. Honeypots are a relatively old technology (see Cliff Stoll's 'The Cuckoo's Egg: Tracking a spy through the maze of espionage'), but choosing one or a mix of these easily configured, low-cost tools adds an extra dimension to security monitoring and helps defenders better understand their risks and the direct attacks they face. In settings like these, honeypots truly have sweet prospects.