There are many benefits of honeypots, and all organizations should take the time to set them up. Honeypots are designed to catch a hacker’s eye so that their efforts will be drawn to attacking your honeypot rather than a system where they could cause some serious harm.
There are many benefits of honeypots!
A honeypot is a system that is set up with the singular purpose of being attacked. It is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why should I do that you may ask? Well, there are many benefits.
You may wonder why you should spend your time, effort, and money setting up a system that will attract hackers? Why you should deliberately create a system with weakened defenses that will be exploited? Why even attract interest from malicious third parties?
There are three very good reasons why you should. First. You will be wasting a hacker’s time, and time spent attacking a system that is safe is time not spent hacking a system that will damage your organization if the hacker succeeds.
Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods that are being used. This will give you a very good idea of the types and robustness of the defenses you need to install to protect your real systems and data from attack.
Thirdly, an attack on a honeypot is likely to frustrate a hacker and stop them from hacking your real computer systems.
Security researchers are well aware of the benefits of honeypots. They have been vital in the study of hackers’ behavior. They can be used to determine how systems are attacked and are also a very useful part of a system’s defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so.
There are many different types that can be implemented. You can set up a dummy system with an entire network topology if you wish. You can have many different hosts, you can include a wide range of services, and even different operating systems. In short, an entire system can be set up to be attacked.
There are many options, but we have listed two popular honeypots below: Honeyd and Kippo.
The Honeyd honeypot
This is a small daemon that can be used to create a network containing many virtual hosts. Each of those hosts can be set up and configured differently. You can run a range of arbitrary services on each, and configure them to appear as if they are running different operating systems. For network simulation purposes, you can create tens of thousands of different hosts on your LAN using Honeyd if you so wish. You can use Honeyd to hide your real system, identify threats, assess risk, and improve your security posture.
- Simulate multiple virtual hosts simultaneously
- Identify cyberattacks and assign hackers a passive-fingerprint
- Simulate numerous TCP/IP stacks
- Simulate network topologies
- Set up real FTP and HTTP servers, and even UNIX applications under virtual IP addresses
The lowdown on Honeyd
We invited a guest sys admin (Arona Ndiaye) to provide input on the Honeyd honeypot to get the perspective of a Linux administrator. She mainly uses Linux and *nix systems, and has tried out Honeyd to get an idea of how it works, what it can do, and its functionality. She installed it on Kali Linux, which was a simple process requiring a single line to be added to his sources.list file, running apt-get update & apt-get install honeyd.
A few tweaks were needed to ensure the firewall had the correct permissions set, along with some simple text editing in a configuration file. That was all that was needed. If any problems are encountered, or more detailed information is required, it is all available on the honeyd website. Most people find the easiest way to get started is to play with the system and to try to attack it, which is what she did.
She was particularly impressed with the information that can be gathered on attacks and scans. The methods of attack were recorded in intricate detail, including how it was possible to for hackers to fool NMAP. The overall verdict was “seriously impressive.”
The Kippo honeypot
We also put Kippo to the test; another popular honeypot. Kippo is used to create a dummy SSH server, which allows attackers to conduct brute force attacks. The honeypot can be set with a root password that is particularly easy to guess, such as a simple string of numbers: 123456 for example.
Set up the honeypot with an entire file system, or even better, clone a real system for added believability. The aim is to convince the hacker that he or she is attacking a real system. Once the attacker has successfully managed to login to the system, everything they subsequently do will be recorded. All actions will be logged, so it is possible to see exactly what happens when a system is attacked.
What is particularly good about Kippo is how detailed the fake system can be. You can really waste a lot of a hacker’s time and get an accurate picture of exactly what they are trying to achieve, the files they upload and download, what malware and exploits they install, and where they put them. You can then use a virtual machine to analyze the attack in detail when you have the time.
Set up combo-honeypots to create a highly elaborate network
Both Kippo and Honeyd are open source, so it is possible to tweak both honeypots to suit your own needs and requirements. You can even combine the two to build up extremely elaborate networks – specifying specific file contents and creating fake systems that appear perfectly real. How much time you spend doing this, and the level of detail you want to add, is up to you. If you really want to find out exactly how the systems are attacked to better prepare your real system, these are exceptionally good tools to use.
Adding a honeypot can help to improve your security, but simply setting one up will not. Unfortunately, you will need to invest some time in setting up a realistic network and it will need to be updated and maintained. It must be treated like any other machine or system you use in order for it to be effective. You must also make sure that it is isolated or insulated. Creating a fake system that is easy to attack shouldn’t give a hacker an easy entry point into your real system!
Summary: Main Benefits of Honeypots
- Observe hackers in action and learn about their behavior
- Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
- Create profiles of hackers that are trying to gain access to your systems
- Improve your security posture
- Waste hackers’ time and resources
Have you taken advantage of the benefits of honeypots? What have you been able to learn about attackers?
If you watch Scorpion on CBS, you will be familiar with Walter. Walter knowns how to think like a hacker. He is one.
In fact, Walter was an malicious as a child. He hacked the government and got up to all sorts of mischief. You may view him as something of a villain, but you would be wrong. Walter may have been on the wrong side of the fence while a child, but now he works for the government and his hacking prowess is being used for good. There is nothing evil or wrong about the ability to hack, it is only how those skills are used that determines whether you are right or wrong.
You should learn how to think like a hacker!
Walter is good at his new job because he is a hacker. He therefore knows exactly how to think like a hacker. While penetration testers and reformed black hat hackers make good white hat hackers, it is possible for a hacking mindset to be developed by anyone. A sysadmin can learn how to think like a hacker!
If you want to determine how secure your network really is, you need to learn how to think like a hacker. You need to take a look at your network as if you were an outsider. Look at it as a whole. Look at the attack surface. Gain an external perspective and see it how a would-be attacker would see it.
A hacker intending on attacking your organization would start with a little research. That person would check the public face of your network, pick up information here and there, get a good picture of your network as a whole, and then use that information when attacking your company.
Take a look at your network with a fresh pair of eyes
If you wanted a new job and had secured an interview, before you attended you would conduct a little research on the company. You would need to find out some basic information. You would likely be asked about the company in the interview.
You would need to take a look at the company website, you would run a few searches through Google, you would take a look at the company’s Twitter and Facebook accounts. You would gather web-based information.
If you really wanted the job you would also gather some information from people as well. You would email anyone you knew who worked at the company and you would ask them about what it is like to work there. You would ask others their opinion of the company.
This is how a hacker would start investigating your company. With that in mind, it would therefore be important to:
- Perform a whois search
- Check to find out what is being said about your company on social media sites
- What employees of the company are saying and sharing online?
- What data does your company voluntarily give away? Do you advertise any aspect of your network structure? How many state-of-the-art servers you have for instance? What software you use? It is much easier to find an exploit if you know what software a company uses!
- Search for your company on Google, Bing, Yahoo, and DuckDuckGo. See what information is revealed, and not just on pages 1-10!
- Use Google hacking tools and see what documents, PDFs, and spreadsheets are available publicly. You may be surprised at what has been indexed!
- Check out the social media profiles of your company employees – Is one member of staff a particular security risk? Do they list every aspect of their life on Facebook? Would they be a likely target of a spear phishing attack? Would a hacker have all the information they need to guess that individual’s password? Over-sharers are often the targets of phishing campaigns. So much can be learned about them online!
Hackers love phishing – it’s so easy to be handed access to data!
If you can find an easy way to hack a company would you choose that? Of course you would! You wouldn’t want to do any more work than you have to, and neither would a hacker. If you wanted to guess a password, you wouldn’t start with “hj&*HUI23YEW(.” “ You would try “QWERTY,” or “password”, or “bigguy”, or “123456” first.
Hackers will similarly start with the easiest route first, and that means trying to take advantage of some people’s naivety when it comes to IT security. Phishing is one of the easiest ways to gain access to login credentials. It is also one of the easiest security vulnerabilities to address. How would your employees deal with a phishing attack?
That is something best not left to chance!
- Send out a regular newsletter to explain common social engineering and phishing techniques that are used by hackers
- Show employees how to identify a phishing email
- Conduct regular phishing email tests. Research shows that the more practice staff members have at identifying phishing emails, the better they become at spotting a scam. When a real phishing email is received, they are more likely to identify it correctly before any damage is done.
- If new IT security policies are introduced, make sure they are explained to employees in person. This will help to make sure that they are read, understood, and their importance is made clear.
What happens when an attack does occur and a system is compromised?
You will no doubt spend an extraordinary amount of time putting defenses in place to repel an attack, but what happens if an attack is successful? Have you put defenses in place that will limit the damage caused or will an attacker manage to go from one device to another once the security perimeter is breached?
Switch and router manufacturers often have scripts that can be used for lockdowns. It is possible to disable unneeded interfaces and services, and restrict public and private addresses. Have you done this? A hacker would check this!
Learn how to think like a hacker and you will be able to make your network more secure
There is a very good reason why organizations spend big bucks on white hat hackers and get them to attempt to break through defenses and find the weak points in systems. If you learn how to think like a hacker you will be helping your organization enormously.
Start thinking like a hacker and view every node and end user as a potential entry point into your network, and it will make it easier for you to design network defenses and keep your equipment and data well secured.
The infamous and particularly dangerous Beebone botnet has finally been taken out of action following a joint initiative between Europol and the FBI. The Beebone botnet was believed to be controlling well over 100,000 computers late last year, and while many of the botnet infections have since been cleaned, around 12,000 computers are still believed to be infected with the malware.
Beebone botnet used to infect computers with malware
The botnet may have been relatively small, only involving around 12K computers, but it was particularly nasty. It was used to download other malware onto the computers, including password stealers, rootkits, fake security software and a host of other malicious programs. Any computer fallen victim to Beebone is therefore likely to be infected with a wide range of other malware.
The Beebone botnet proved difficult to locate
The Joint Cybercrime Action Taskforce of Europol struggled to locate the servers used for the Beebone botnet. Part of the reason was the software being used was particularly effective at avoiding detection. The polymorphic software was able to reconfigure itself frequently making it incredibly difficult to track down. Traditional signature detection methods of botnet identification were ineffective since the software was able to change its signature up to 19 times per day.
Beebone was also able to determine when it was under attack. When it detected it was being isolated or studied, it triggered a change in its unique identifier. The Beebone botnet was one of the most sophisticated ever seen.
Operation Beebone sinkholes almost 100 domains
The key to shutting down the botnet was to interfere with its ability to communicate with its command and control servers. Hacker’s instructions were thus prevented from reaching the software. In order to shut it down, the Joint Cybercrime Action Taskforce and the FBI enlisted the help of Intel Security, Shadowserver, and Kaspersky Lab and the joint operation was finally successful.
Once the malware had been isolated, the Joint Cybercrime Action Taskforce was able to identify and sinkhole around 100 domains used to communicate with the malware.
Unfortunately, while the botnet is believed to have been effectively shut down, this is only a temporary fix. Domains have been sinkholed but this is only a short-term solution. Any computer that has been infected must now be cleaned. That means some 12,000 or so computers must have the infection removed and that process is not straightforward.
The malware removal process can now start in earnest
Removing the malware is easy. Many tools have been developed to do this. In order for an infection to be cleaned, the owner of the infected computer will need to use one of those tools. For that to happen, the owner must be aware that their computer has been infected and most do not. That means Internet Service Providers will need to notify individuals known to be infected. That process may take some time but it can now start.
It is essential that all users clean the infection. It is possible that the malware installed on their computers could be reactivated if not removed.