A strong detection and response capability is required for the success of a security program because prevention eventually fails and a motivated attacker can always find a way in. However, economics are not in favor of network security monitoring (NSM). Due to the hardware, software, and labor required, it's expensive to deploy an NSM capability and hire qualified analysts to maintain it and investigate the high volume of alerts, especially at scale.
In this presentation I'll discuss how honeypots are re-emerging as a practical solution for driving down the cost of network security monitoring. These aren't your traditional honeypots meant to sit outside the firewall to research automated malware. These are focused, use-case-specific honeypots that are designed to provide detection with a favorable signal-to-noise ratio. By integrating honeypots into your NSM strategy and taking a targeted approach, a grid of honeypots can realistically become your most cost-effective detection tool. I'll make the case for honeypots like these and discuss implementation strategies that I've seen work. You should come away from this presentation with a unique perspective on honeypots and an actionable plan you can use to start evaluating and deploying tactical honeypots in your network.
3. Agenda
What is the history of honeypots?
Why aren’t honeypots used more?
How can I use honeypots for detection?
What are common misconceptions about honeypots?
What honeypots can I deploy?
13. Honeypot Timeline – Formative Years
1986 • Cliff Stoll creates the SDINET honeypot
1989 • The Cuckoo's Egg published
1992 • An Evening with Berferd
1997 • Deception Toolkit released
1998 • Cybercop Sting released
1999 • Honeynet Project begins
2003 • Honeyd released
2003 • Honeypots (Spitzner) published
2008 • Honeynet Project monitors MS08-067
14. Disappearance of Production Honeypots
Reasons:
Most publications focused on research
Lack of great tooling
A lot of baggage with the term
Slow re-emergence:
2013: Applied NSM, Chris Sanders
2015: Bring Back the Honeypots, Haroon Meer
2016+: Multiple deception vendors enter the space
[Chart: Production vs. Research]
16. What is a honeypot?
"A honeypot is a security resource whose only value lies in being probed or attacked."
Properties: Deceptive, Discoverable, Interactive, Monitored
17. Research Honeypots
Deceptive: Designed to appear vulnerable to exploitation
Discoverable: Placed outside the firewall on the public internet
Interactive: Provide high interaction
Monitored: Logged for later review
18. Detection Honeypots
Nobody should ever talk to a honeypot.
Deceptive: Appear valuable by representing org resources.
Discoverable: Placed inside the network
Interactive: Provide minimal interaction
Monitored: Configured to log/alert when touched
21. Home Field Advantage
You want the attacker to SEE systems, services, or data that are actually honeypots.
You want the attacker to THINK the honeypots are valuable.
You want the attacker to DO something that causes an interaction with the honeypot.
What is valuable on your network?
[Diagram: Attacker foothold, compromise path, valuable data]
22. SoupCorp Distribution Data
Windows workstations
Database server: contains customer information; managed via SSH
Web app server: queries data from DB server; managed via SSH
23. SSH Honeypot
The Attacker
See: A system advertising open port 22.
Think: It's valuable because it is surrounded by other valuable servers.
Do: Scan, connect to, or authenticate to the SSH service.
24. SSH Honeypot
The Honeypot
Deceptive: A service mimicking SSH access to a production system
Discoverable: Responds to network requests
Interactive: Responds to authentication requests
Monitored: Generates alerts on
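The four properties from slide 24 in working code, as an added example that is not part of the original deck: a low-interaction SSH decoy that is discoverable (answers on a port), interactive just enough to look like sshd (sends an identification banner and reads the client's), and monitored (every connection becomes an alert, because nobody should ever talk to a honeypot). The banner string, listening port, alert fields and the `probe_once` self-check are constructed choices for this example, not anything the slides specify.

```python
"""Low-interaction SSH detection honeypot (added example, not the deck's code).
The decoy never negotiates a key exchange: minimal interaction is the point,
so the only thing an attacker can do is trip the alert. BANNER, port and alert
fields are constructed for this example."""
import datetime as dt
import json
import socket
import socketserver
import threading

# Version string a scanner will see; chosen to look like a routine server (constructed).
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
ALERTS = []  # in-memory sink; a deployment would ship these to the SIEM instead


def make_alert(src_ip, src_port, client_id):
    """Every contact is high severity: the decoy has no legitimate users."""
    return {
        "time": dt.datetime.now(dt.timezone.utc).isoformat(),
        "honeypot": "ssh-decoy",
        "src_ip": src_ip,
        "src_port": src_port,
        "client_id": client_id.decode("ascii", "replace").strip(),
        "severity": "high",
    }


class SSHDecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(BANNER)            # discoverable: looks like sshd on a scan
        try:
            client_id = self.request.recv(255)  # interactive: read the client's version line
        except (socket.timeout, ConnectionError):
            client_id = b""
        alert = make_alert(self.client_address[0], self.client_address[1], client_id)
        ALERTS.append(alert)                    # monitored: recorded before the socket closes
        print(json.dumps(alert))
        # Minimal interaction: return here and let the server drop the connection.


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(host="0.0.0.0", port=2222):
    """Run the decoy in the foreground (a deployment would expose it on port 22)."""
    with DecoyServer((host, port), SSHDecoyHandler) as srv:
        srv.serve_forever()


def probe_once(client_id=b"SSH-2.0-ConstructedScanner\r\n"):
    """Start a decoy on an ephemeral loopback port, touch it once the way a
    scanner would, and return (banner_seen_by_client, alert_recorded)."""
    srv = DecoyServer(("127.0.0.1", 0), SSHDecoyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(srv.server_address, timeout=5) as s:
            banner = s.recv(255)
            s.sendall(client_id)
            s.recv(1)  # returns b"" once the decoy closes, i.e. after it has logged us
    finally:
        srv.shutdown()
        srv.server_close()
    return banner, ALERTS[-1]


if __name__ == "__main__":
    serve()
```

Run it as a script to listen, or call `probe_once()` to see the whole exchange on loopback. The alert carries the client's own identification string, which is useful triage context: a real scanner or SSH client names itself in that first line, and the decoy gets it without ever accepting a password.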
25. SoupCorp Recipe Data
File server: employee data; secret soup recipes
Workstations: mount network drives to file server
26. File Server Honeytoken
The Attacker
See: An Excel file.
Think: It's valuable because it has an enticing name and is surrounded by other valuable files.
Do: Open, copy, or move the file.
27. File Server Honeytoken
The Honeypot
Deceptive: An Excel document containing no production data.
Discoverable: Placed among other files on a real network share.
Interactive: Can be opened like a normal Excel doc.
Monitored: Generates logs/alerts on access, open, or modification.
28. See-Think-Do
See: At what points on the network will the attacker have visibility to sensitive assets?
Think: What kind of honeypot can I deploy that will appear valuable to the attacker?
Do: How can the attacker interact with the honeypot in a way that is enticing to them, and meaningful to me?
30. AWS Credential Honeypot
1. Create AWS IAM credentials with no permissions.
2. Set up CloudTrail/CloudWatch to notify on key usage.
3. Spread references to the credentials in meaningful locations: developer laptops, configuration files, ~/.aws/credentials.
https://blog.rapid7.com/2016/11/30/early-warning-detectors-using-aws-access-keys-honeytokens/
31. Tracking E-Mail Usage
1. Create a unique e-mail account to register for a service.
2. Monitor the inbound e-mail to that account.
3. Set up a rule that forwards the e-mail to a centralized location if it is not from an expected sender.
https://money.cnn.com/2016/07/07/news/presidential-candidate-sell-donor-data/index.html
https://blog.erratasec.com/2015/09/i-gave-10-to-every-presidential.html
32. DHCP Rogue Device Honeypot
1. Assign static IP addresses in sensitive ranges.
2. Enable DHCP for the range, but segment network access for dynamic assignments.
3. Log DHCP assignments and alert on assignments in this range.
33. Honey Tables / Records
Access-Based Strategy:
1. Create an appealing database table with no production value.
2. Log database queries.
3. Monitor queries containing references to the honeytable and alert on access.
Token-Based Strategy:
1. Create a user/password database table.
2. Populate the table with fake credentials.
3. Monitor authentication logs for attempts to use the fake credentials.
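The "monitor and alert" step is the same for every honeytoken in slides 27, 30, 32 and 33: the token has no production use, so any log record that references it is an alert. The added example below, which is not code from the deck, shows that shared detection logic run over constructed sample records from each source named on those slides: a file-share audit event (file honeytoken), a CloudTrail record (AWS credential honeypot), a database query log line (honey table), an sshd auth log line (fake credentials from a honey table) and a DHCP lease line (rogue device in a static-only range). Every path, key ID, table name, username, address and log line is a constructed placeholder; the event shapes follow the common Windows 4663, CloudTrail, MySQL general log, sshd and ISC dhcpd formats.

```python
"""Honeytoken hit detector (added example, not the deck's code).
One registry of decoys, one matcher per log source, and a scan() that returns
every hit. All tokens, addresses and sample records are constructed."""
import ipaddress
import re

# Decoy registry: constructed values, swap in your own.
HONEYTOKENS = {
    "file": {r"\\FS01\Finance\Secret_Soup_Recipes.xlsx"},  # honey document on a real share
    "aws_key": {"AKIAHONEYTOKEN000000"},                   # IAM key with no permissions
    "db_table": {"customer_card_numbers"},                 # appealing table with no real data
    "credential": {"svc_backup_admin"},                    # fake user seeded in a honey table
}
# Addresses here are only ever assigned statically; a lease inside means a rogue device.
SENSITIVE_DHCP_RANGES = [ipaddress.ip_network("10.20.30.0/24")]


def alert(kind, token, actor, evidence):
    return {"kind": kind, "token": token, "actor": actor, "evidence": evidence}


def check_file_audit(event):
    """Object-access audit event (Windows 4663 shape) as a dict."""
    path = event.get("ObjectName", "")
    if path in HONEYTOKENS["file"]:
        return alert("file", path, event.get("SubjectUserName"), event.get("AccessMask"))
    return None


def check_cloudtrail(record):
    """CloudTrail record: the key ID is the token, whatever API call was attempted."""
    key = record.get("userIdentity", {}).get("accessKeyId", "")
    if key in HONEYTOKENS["aws_key"]:
        return alert("aws_key", key, record.get("sourceIPAddress"), record.get("eventName"))
    return None


DB_QUERY = re.compile(r"^\S+\s+(?P<tid>\d+)\s+Query\s+(?P<sql>.+)$")

def check_db_query(line):
    """MySQL general-log style line; look for a honey table name in the SQL text."""
    m = DB_QUERY.match(line)
    if not m:
        return None
    for table in HONEYTOKENS["db_table"]:
        if re.search(r"\b" + re.escape(table) + r"\b", m.group("sql"), re.IGNORECASE):
            return alert("db_table", table, "connection " + m.group("tid"), m.group("sql"))
    return None


AUTH_ATTEMPT = re.compile(r"(?:Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def check_auth_log(line):
    """sshd auth line; a username from the honey credential table being replayed."""
    m = AUTH_ATTEMPT.search(line)
    if m and m.group("user") in HONEYTOKENS["credential"]:
        return alert("credential", m.group("user"), m.group("ip"), line.strip())
    return None


DHCP_ACK = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})")

def check_dhcp_lease(line):
    """ISC dhcpd style lease line; any dynamic lease in a static-only range is rogue."""
    m = DHCP_ACK.search(line)
    if m and any(ipaddress.ip_address(m.group("ip")) in n for n in SENSITIVE_DHCP_RANGES):
        return alert("dhcp_range", m.group("ip"), m.group("mac"), line.strip())
    return None


CHECKERS = {"file": check_file_audit, "cloudtrail": check_cloudtrail,
            "db": check_db_query, "auth": check_auth_log, "dhcp": check_dhcp_lease}

# Constructed sample records: benign traffic mixed with one honeytoken hit per source.
SAMPLES = {
    "file": [
        {"SubjectUserName": "jdoe", "ObjectName": r"\\FS01\Finance\Q3_Budget.xlsx", "AccessMask": "0x1"},
        {"SubjectUserName": "jdoe", "ObjectName": r"\\FS01\Finance\Secret_Soup_Recipes.xlsx", "AccessMask": "0x1"},
    ],
    "cloudtrail": [
        {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
         "userIdentity": {"accessKeyId": "AKIAHONEYTOKEN000000"}},
    ],
    "db": [
        "2024-03-01T10:15:02.000000Z 17 Query SELECT name FROM customers WHERE id = 5",
        "2024-03-01T10:15:09.000000Z 17 Query SELECT * FROM customer_card_numbers",
    ],
    "auth": [
        "Mar  1 10:16:01 web01 sshd[2201]: Failed password for invalid user svc_backup_admin from 10.0.5.12 port 51022 ssh2",
    ],
    "dhcp": [
        "Mar  1 10:17:44 dhcp01 dhcpd: DHCPACK on 10.20.30.77 to 08:00:27:4a:1b:9c via eth0",
        "Mar  1 10:17:50 dhcp01 dhcpd: DHCPACK on 10.50.1.23 to 08:00:27:00:11:22 via eth0",
    ],
}


def scan(samples=SAMPLES):
    """Run every record through the checker for its source; return the alerts in order."""
    return [a for source, records in samples.items()
            for a in (CHECKERS[source](r) for r in records) if a]


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

Note what each matcher keys on: the exact path, the exact key ID, the table name as a whole word, the fake username, the address range. None of these need tuning thresholds, which is the signal-to-noise point the deck makes about detection honeypots. The one place a false positive can come from is the DHCP check, and only if someone legitimately enables dynamic leases in the range, which is exactly the configuration mistake slide 32 says to guard against.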
36. Your First Honeypot
1. Browse to https://canarytokens.org
2. Create a Word document honeytoken.
3. Scatter it amongst locations containing valuable documents.
4. Wait.