Honeypots: Is This Thing On?

Honeypots were once a dying technology. In the age of generic anti-virus, a device that did not show immediate results was not well received by most IT teams, who had trouble understanding the security benefits of a stealthy device. The truth of the matter is that honeypots are one of the most powerful internal detection mechanisms a network can have. A fully configured honeypot can help detect and stop a full-blown internal attack.

A honeypot is a networked device that appears to contain valuable and/or vulnerable data and waits for someone to act on it. Whether a threat actor tries to log in to the interface, scans the device using a scanning tool, or attempts to access anything on the device such as a file, the alerting component will instantly inform your team that something threatening is happening. The beauty of a honeypot is that no matter what the alert is for, it is either a legitimate attack or a user poking around on a network where they shouldn't be. This is not in any way a noisy device: every notification from a honeypot can and should be acted upon.
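The triage logic the paragraph describes (every event is actionable, whether it is a login attempt, a scan or a file access), as an added example that is not code from the original post or from any honeypot project. It consumes OpenCanary-style JSON log lines; the numeric `logtype` codes are an assumption modelled on the constants OpenCanary uses (check `opencanary/logger.py` in your version), and the sample log lines and host addresses are constructed.

```python
"""Triage honeypot alerts from OpenCanary-style JSON log lines.

Added example, not code from the original post or the OpenCanary project.
Assumption: the logtype codes below mirror OpenCanary's logger constants
(LOG_BASE_BOOT=1000, LOG_FTP_LOGIN_ATTEMPT=2000, LOG_HTTP_POST_LOGIN_ATTEMPT=3001,
LOG_SSH_LOGIN_ATTEMPT=4002, LOG_SMB_FILE_OPEN=5000, LOG_PORT_SYN=5001,
LOG_TELNET_LOGIN_ATTEMPT=6001). The sample log is constructed.
"""
import json
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

BOOT_EVENT = 1000  # the daemon started: informational, not an attack

# logtype -> (human-readable event, severity)
EVENT_TYPES: Dict[int, Tuple[str, str]] = {
    2000: ("FTP login attempt", "high"),
    3001: ("HTTP login attempt", "high"),
    4002: ("SSH login attempt", "high"),
    5000: ("SMB file opened", "critical"),   # someone touched the bait file
    5001: ("Port probe (SYN)", "medium"),    # a scanner found the decoy
    6001: ("Telnet login attempt", "high"),
}

# Constructed sample log: one boot line, an SSH password guess, a read of a
# bait spreadsheet over SMB, a port scan from a second host, and one junk line.
SAMPLE_LOG = """
{"dst_host": "10.0.5.20", "dst_port": -1, "local_time": "2024-01-10 08:00:01.000", "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1000, "node_id": "fileserver-01", "src_host": "", "src_port": -1}
{"dst_host": "10.0.5.20", "dst_port": 22, "local_time": "2024-01-10 08:14:07.120", "logdata": {"USERNAME": "administrator", "PASSWORD": "Winter2024!"}, "logtype": 4002, "node_id": "fileserver-01", "src_host": "10.0.8.44", "src_port": 51022}
{"dst_host": "10.0.5.20", "dst_port": 445, "local_time": "2024-01-10 08:15:30.002", "logdata": {"USER": "jdoe", "FILENAME": "Payroll_2024.xlsx", "SHARENAME": "finance"}, "logtype": 5000, "node_id": "fileserver-01", "src_host": "10.0.8.44", "src_port": 51100}
{"dst_host": "10.0.5.20", "dst_port": 3389, "local_time": "2024-01-10 08:16:00.000", "logdata": {}, "logtype": 5001, "node_id": "fileserver-01", "src_host": "10.0.9.10", "src_port": 40001}
not json at all
"""


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON log line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if "logtype" not in event or "src_host" not in event:
        return None
    return event


def build_alert(event: dict, ignore_hosts: FrozenSet[str] = frozenset()) -> Optional[dict]:
    """Turn one honeypot event into an alert, or None if it is not actionable.

    ignore_hosts is for your own vulnerability scanner; nothing else on the
    network has a reason to talk to the decoy."""
    logtype = event["logtype"]
    if logtype == BOOT_EVENT or event["src_host"] in ignore_hosts:
        return None
    name, severity = EVENT_TYPES.get(logtype, (f"Unknown logtype {logtype}", "medium"))
    logdata = event.get("logdata") or {}
    detail = ""
    if "USERNAME" in logdata:
        # Record the account being guessed, never the password itself.
        detail = f"user={logdata['USERNAME']!r}"
    elif "FILENAME" in logdata:
        detail = f"file={logdata['FILENAME']!r}"
    return {
        "severity": severity,
        "event": name,
        "src": event["src_host"],
        "dst_port": event.get("dst_port"),
        "node": event.get("node_id", "?"),
        "detail": detail,
    }


def triage(lines: Iterable[str], ignore_hosts: FrozenSet[str] = frozenset()) -> Tuple[List[dict], Counter]:
    """Return all actionable alerts, in log order, plus a per-source count."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = build_alert(event, ignore_hosts)
        if alert is not None:
            alerts.append(alert)
    return alerts, Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found, per_source = triage(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a['severity'].upper():8}] {a['event']} on {a['node']}:{a['dst_port']} from {a['src']} {a['detail']}")
    print("events per source:", per_source.most_common())
```

Feed it the real log file (`tail -F /var/tmp/opencanary.log`) or point the OpenCanary logger at your SIEM instead; the point of the counter is that a single source generating several alerts in a few minutes is an active intrusion, not background noise.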


Setting up your Honeypot

One of the biggest arguments against honeypots that we hear is that something that costs so much should be producing results daily rather than possibly never. The fact is, there are a few open-source honeypots made by the same teams that sell commercial ones for a high price. Here at NetWorks Group, we've had the best experience with OpenCanary (https://github.com/thinkst/opencanary). You may be asking: why would we pay thousands of dollars when a honeypot platform is possibly available for free on GitHub? When it comes down to configuring and deploying your own honeypot, the complex part is knowing what an attacker is looking for and what will trick the attacker into thinking this is a legitimate device. Commercial honeypot services and products come tweaked correctly out of the box, and all you have to do is plug them into the network. Configuring OpenCanary can be a challenging task, but with the right modifications your company can have a fully functioning honeypot that may as well be a file server waiting to be hacked.
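An `opencanary.conf` that dresses the decoy up as a small file server, as an added example rather than a configuration from the original post or from the OpenCanary project. The key names follow the default `opencanary.conf` as I know it and should be checked against the version you install; the node name, the ignored scanner address and the log path are constructed, and the SMB module assumes a Samba install whose `full_audit` log is written to the path given, as the project's documentation describes.

```json
{
  "device.node_id": "fileserver-01",
  "ip.ignorelist": ["10.0.1.5"],
  "logger": {
    "class": "PyLogger",
    "kwargs": {
      "formatters": {
        "plain": { "format": "%(message)s" }
      },
      "handlers": {
        "file": {
          "class": "logging.FileHandler",
          "filename": "/var/tmp/opencanary.log"
        }
      }
    }
  },
  "ftp.enabled": true,
  "ftp.port": 21,
  "ftp.banner": "FTP server ready",
  "http.enabled": true,
  "http.port": 80,
  "http.banner": "Apache/2.2.22 (Ubuntu)",
  "http.skin": "nasLogin",
  "ssh.enabled": true,
  "ssh.port": 22,
  "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
  "smb.enabled": true,
  "smb.auditfile": "/var/log/samba-audit.log",
  "telnet.enabled": false,
  "portscan.enabled": true
}
```

Two choices matter more than the rest. The banners and the NAS-style login skin are what the screenshot below is about: they are what makes the box look like an old, unpatched file server rather than a honeypot, so pick versions consistent with what an attacker would expect on your network. The `ip.ignorelist` entry is the one address allowed to talk to the decoy without raising an alert, namely your own vulnerability scanner; everything else should fire, which is why adding a `logging.handlers.SysLogHandler` under `handlers` to ship events to the SIEM is the usual next step.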

[Image: honeypot_Picture2.png] Screenshot of what a honeypot should look like through an attacker's eyes

Is a Honeypot Right for My Company?

Any added layer of security on a company network is an excellent choice. If that added layer is a honeypot, it is even better, because it acts as a final detection layer. Having a well-configured honeypot is invaluable to any company that wants to detect and stop attacks. If your security team is able to domain-join a honeypot, run your own vulnerability scan against it, and configure real-time alerting, we would highly suggest that every company deploy at least a handful of these devices.

My honeypot is set up, now what?

As an added bonus, you can equip honeypots with tools that will make any attacker's (or ethical hacker's) day much worse. Loading tools such as a malware code detector or Responder poisoning onto your honeypot will slow down an attacker significantly and provide clear detection capabilities. Many defensive tools related to honeypots can be found across the open-source community as well (https://github.com/paralax/awesome-honeypots#honeyd). Tools such as Responder and BloodHound are notorious for giving hackers an "easy win" that usually leads to access to a domain admin account on the network. If you are able not only to detect these tools but also to stop them from running successfully, and can trick them into thinking they have legitimate data, you have bought yourself more time to take the attacker off the network completely. Happy hunting!
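Detecting Responder in particular comes down to one observation: it answers LLMNR name queries for names nobody owns. A honeypot can therefore periodically ask the network for a name that does not exist and raise an alert if anything replies. The following is an added example of that check, not code from the original post nor from any of the tools it names. It assumes the LLMNR multicast group 224.0.0.252 on UDP port 5355 and the DNS-style wire format from RFC 4795; the probe name and the sample reply bytes used for the offline check are constructed.

```python
"""Detect LLMNR name poisoning by querying for a nonexistent host.

Added example, not from the original post or from any tool it mentions.
Assumptions: LLMNR on 224.0.0.252:5355 with DNS-style packets (RFC 4795);
the probe name and the sample reply are constructed.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """One LLMNR A query: flags 0 (standard query), a single question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_response(packet: bytes, txid: int) -> List[str]:
    """IPv4 addresses claimed in the answer section of a reply to txid.

    Returns [] for anything that is not a response to our own query, so
    unrelated multicast traffic on the socket is ignored."""
    if len(packet) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        return []
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        offset = _skip_name(packet, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def sample_poisoned_reply(txid: int, name: str, claimed_ip: str) -> bytes:
    """Constructed reply of the kind a poisoner sends: QR set, one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(claimed_ip)
    return header + question + answer


def probe(name: Optional[str] = None, timeout: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Send one query for a bogus name; return (responder_ip, claimed_addrs) pairs.

    A healthy network never answers for a name nobody owns, so every entry
    in the result is a poisoner to investigate."""
    if name is None:
        name = "fs-%06x" % random.getrandbits(24)  # constructed, nonexistent host
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), LLMNR_GROUP)
    hits = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            claimed = parse_response(data, txid)
            if claimed:
                hits.append((src, claimed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, claimed in probe():
        print(f"ALERT: {src} answered an LLMNR query for a nonexistent name, claiming {claimed}")
```

Run it from the honeypot on a schedule and treat any hit as an alert of the same weight as a login attempt on the decoy: the answering address is the host running the poisoner, which is usually the attacker's foothold. Keep the probe name random so the check itself does not become a fixed pattern the attacker can special-case.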
