Month: April 2015

Benefits of Honeypots – There’s More to Honeypots Than Wasting Hackers’ Time

There are many benefits of honeypots, most notably, they can significantly improve your security posture. As such, all organizations should consider implementing a honeypot, but be sure to assess the disadvantages as well as the advantages as you may decide they are not worth the time and effort.

This post covers the pros and cons of honeypots to help you decide whether a honeypot is appropriate for your organization.

What is a honeypot and why are they used?

A honeypot is an additional security protection that can be used alongside a firewall and other security solutions to help protect a network from hackers.

Honeypots, as the name suggests, are designed to catch a hacker’s eye so that their efforts will be drawn to attacking the honeypot rather than a system where they could cause serious harm.

They appear to be an easy entry point into a network to distract attackers from looking at other parts of the system. They are a deliberate hole in the security of the system that can be attacked without causing harm. They allow IT teams to gather valuable intelligence on hackers who are attempting to gain access to their networks.

In contrast to a firewall, which is designed only to keep external attackers out, a honeypot can also identify internal threats and attacks. Many companies are almost blind to attacks from within. A honeypot provides increased visibility and allow IT security teams to defend against attacks that the firewall fails to prevent. There are considerable benefits of honeypots, and many organizations have implemented them as an additional protection against internal and external attacks.

There are many benefits of honeypots!

A honeypot is a system that is set up with the singular purpose of being attacked. It is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why should I do that you may ask? Well, there are many benefits of honeypots.

You may wonder why you should spend your time, effort, and money setting up a system that will attract hackers? Why you should deliberately create a system with weakened defenses that will be exploited? Why even attract interest from malicious third parties?

There are three very good reasons why you should. First. You will be wasting a hacker’s time, and time spent attacking a system that is safe is time not spent hacking a system that will damage your organization if the hacker succeeds.

Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods that are being used. This will give you a very good idea of the types of attacks being used and the defenses you will need to install to protect your real systems and data from attack.

Thirdly, an attack on a honeypot is likely to frustrate a hacker and stop them from hacking your real computer systems.

Security researchers are well aware of the benefits of honeypots. They have been vital in the study of hackers’ behavior. They can be used to determine how systems are attacked and are also a very useful part of system defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so.

There are many different types of honeypot that can be implemented. You can set up a dummy system with an entire network topology if you wish. You can have many different hosts, you can include a wide range of services, and even different operating systems. In short, an entire system can be set up to appear genuine and allow an attack to take place.

There are many different types of honeypot that can be deployed, although for the purpose of this article we have provided further information on two popular honeypots below: Honeyd and Kippo.

The Honeyd honeypot

This is a small daemon that can be used to create a network containing many virtual hosts. Each of those hosts can be set up and configured differently. You can run a range of arbitrary services on each, and configure them to appear as if they are running different operating systems. For network simulation purposes, you can create tens of thousands of different hosts on your LAN using Honeyd if you so wish. You can use Honeyd to hide your real system, identify threats, assess risk, and improve your security posture.

Honeyd benefits

  • Simulate multiple virtual hosts simultaneously
  • Identify cyberattacks and assign hackers a passive-fingerprint
  • Simulate numerous TCP/IP stacks
  • Simulate network topologies
  • Set up real FTP and HTTP servers, and even UNIX applications under virtual IP addresses

The lowdown on Honeyd

We invited a guest sys admin (Arona Ndiaye) to provide input on the Honeyd honeypot to get the perspective of a Linux administrator. She mainly uses Linux and *nix systems, and has tried out Honeyd to get an idea of how it works, what it can do, and its functionality. She installed it on Kali Linux, which was a simple process requiring a single line to be added to the sources.list file, running apt-get update & apt-get install honeyd.

A few tweaks were needed to ensure the firewall had the correct permissions set, along with some simple text editing in a configuration file. That was all that was needed. If any problems are encountered, or more detailed information is required, it is all available on the honeyd website. Most people find the easiest way to get started is to play with the system and to try to attack it, which is what she did.

She was particularly impressed with the information that can be gathered on attacks and scans. The methods of attack were recorded in intricate detail, including how it was possible to for hackers to fool NMAP. The overall verdict was “seriously impressive.”

The Kippo honeypot

We also put Kippo to the test; another popular honeypot. Kippo is used to create a dummy SSH server, which allows attackers to conduct brute force attacks. The honeypot can be set with a root password that is particularly easy to guess, such as a simple string of numbers: 123456 for example.

Set up the honeypot with an entire file system, or even better, clone a real system for added realism. The aim is to convince the hacker that he or she is attacking a real system. Once the attacker has successfully managed to login to the system, everything they subsequently do will be recorded. All actions will be logged, so it is possible to see exactly what happens when a system is attacked.

What is particularly good about Kippo is how detailed the fake system can be. You can really waste a considerable amount of a hacker’s time and get an accurate picture of exactly what they are trying to achieve, the files they upload and download, what malware and exploits they install, and where they put them. You can then use a virtual machine to analyze the attack in detail when you have the time.

Set up combo-honeypots to create a highly elaborate network

Both Kippo and Honeyd are open source, so it is possible to tweak both honeypots to suit your own needs and requirements. You can even combine the two to build up extremely elaborate networks – specifying specific file contents and creating fake systems that appear perfectly real. How much time you spend doing this, and the level of detail you want to add, is up to you. If you really want to find out exactly how the systems are attacked to better prepare your real system, these are exceptionally good tools to use.

Adding a honeypot can help to improve your security, but simply setting one up will not. Unfortunately, to gain the benefits of honeypots you will need to invest some time in setting up a realistic network and it will need to be updated and maintained. It must be treated like any other machine or system you use in order for it to be effective. You must also make sure that it is isolated or insulated. Creating a fake system that is easy to attack shouldn’t give a hacker an easy entry point into your real system!

Summary: Main Benefits of Honeypots

Listed below are the main benefits of honeypots:

  1. Observe hackers in action and learn about their behavior
  2. Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
  3. Create profiles of hackers who are trying to gain access to your systems
  4. Improve your security posture
  5. Waste hackers’ time and resources
  6. They show you that you are being attacked and that data is valuable when attempting to get budget increases for security.

Disadvantages of Honeypots

We have covered the benefits of honeypots, but are there any disadvantages of honeypots apart from the time taken to set them up?

No system is perfect and there are notable disadvantages of honeypots. One of the main problems is the system is designed to be attacked, so attacks will likely take place. Once the honeypot is accessed it could be used as a launchpad for further attacks. Those attacks could be conducted on an internal system or on another company. Honeypots therefore introduce risk. There is therefore an issue of legal liability. If your honeypot is used in an attack on another business, you could be sued. The level of risk that it introduced will depend on the honeypot. Typically, the more complex the honeypot, the greater the risk is likely to be.

Then there is the question of the resources you will need to set up the system. If you want to create a realistic system that will fool hackers, it needs to look and behave like the real system it is designed to mimic. There are free options available which will make it more cost effective to set up a honeypot, although they still require resources. The hardware comes at a cost and they require maintenance and monitoring. The cost may be prohibitively expensive for some businesses.

That said, maintenance need not be major drain of time. In many cases, honeypots can be set up and left. Since there is no expected production activity, monitoring the honeypot and assessing activity will require minimal effort. Automatic alerts are generated when an attack is in progress and any data generated will likely be a real attack. Honeypots may be set up on existing old hardware that would otherwise not be used. In such cases, costs can be kept to a minimum.

Honeypots add complexity to a network, and the more complex a network is, the harder it is to secure. The honeypot could introduce vulnerabilities that could be exploited to gain access to real systems and data.

Finally, the honeypot can only tell you about an attack in progress if the honeypot is directly attacked. If an attack involves other systems and they honeypot is untouched – for instance if the honeypot was identified as such by the attacker and avoided – it would be necessary to rely on other mechanisms to identify the attack.

Whether the benefits of honeypots outweigh the disadvantages will depend on the nature of your business, how probable it is that attempts will be made to attack your network and the resources you have available for security. Your money could be better spent on other security solutions and your IT team’s time may be better directed to monitoring other systems and addressing vulnerabilities and patching software.

You Need to Learn How to Think Like a Hacker to Secure Your Network

If you watch Scorpion on CBS, you will be familiar with Walter. Walter knowns how to think like a hacker. He is one.

In fact, Walter was an malicious as a child. He hacked the government and got up to all sorts of mischief. You may view him as something of a villain, but you would be wrong. Walter may have been on the wrong side of the fence while a child, but now he works for the government and his hacking prowess is being used for good. There is nothing evil or wrong about the ability to hack, it is only how those skills are used that determines whether you are right or wrong.

You should learn how to think like a hacker!

Walter is good at his new job because he is a hacker. He therefore knows exactly how to think like a hacker. While penetration testers and reformed black hat hackers make good white hat hackers, it is possible for a hacking mindset to be developed by anyone. A sysadmin can learn how to think like a hacker!

If you want to determine how secure your network really is, you need to learn how to think like a hacker. You need to take a look at your network as if you were an outsider. Look at it as a whole. Look at the attack surface. Gain an external perspective and see it how a would-be attacker would see it.

A hacker intending on attacking your organization would start with a little research. That person would check the public face of your network, pick up information here and there, get a good picture of your network as a whole, and then use that information when attacking your company.

Take a look at your network with a fresh pair of eyes

If you wanted a new job and had secured an interview, before you attended you would conduct a little research on the company. You would need to find out some basic information. You would likely be asked about the company in the interview.

You would need to take a look at the company website, you would run a few searches through Google, you would take a look at the company’s Twitter and Facebook accounts. You would gather web-based information.

If you really wanted the job you would also gather some information from people as well. You would email anyone you knew who worked at the company and you would ask them about what it is like to work there. You would ask others their opinion of the company.

This is how a hacker would start investigating your company. With that in mind, it would therefore be important to:

  • Perform a whois search
  • Check to find out what is being said about your company on social media sites
  • What employees of the company are saying and sharing online?
  • What data does your company voluntarily give away? Do you advertise any aspect of your network structure? How many state-of-the-art servers you have for instance? What software you use? It is much easier to find an exploit if you know what software a company uses!
  • Search for your company on Google, Bing, Yahoo, and DuckDuckGo. See what information is revealed, and not just on pages 1-10!
  • Use Google hacking tools and see what documents, PDFs, and spreadsheets are available publicly. You may be surprised at what has been indexed!
  • Check out the social media profiles of your company employees – Is one member of staff a particular security risk? Do they list every aspect of their life on Facebook? Would they be a likely target of a spear phishing attack? Would a hacker have all the information they need to guess that individual’s password? Over-sharers are often the targets of phishing campaigns. So much can be learned about them online!

Hackers love phishing – it’s so easy to be handed access to data!

If you can find an easy way to hack a company would you choose that? Of course you would! You wouldn’t want to do any more work than you have to, and neither would a hacker. If you wanted to guess a password, you wouldn’t start with “hj&*HUI23YEW(.” “ You would try “QWERTY,” or “password”, or “bigguy”, or “123456” first.

Hackers will similarly start with the easiest route first, and that means trying to take advantage of some people’s naivety when it comes to IT security. Phishing is one of the easiest ways to gain access to login credentials. It is also one of the easiest security vulnerabilities to address. How would your employees deal with a phishing attack?

That is something best not left to chance!

  • Send out a regular newsletter to explain common social engineering and phishing techniques that are used by hackers
  • Show employees how to identify a phishing email
  • Conduct regular phishing email tests. Research shows that the more practice staff members have at identifying phishing emails, the better they become at spotting a scam. When a real phishing email is received, they are more likely to identify it correctly before any damage is done.
  • If new IT security policies are introduced, make sure they are explained to employees in person. This will help to make sure that they are read, understood, and their importance is made clear.

What happens when an attack does occur and a system is compromised?

You will no doubt spend an extraordinary amount of time putting defenses in place to repel an attack, but what happens if an attack is successful? Have you put defenses in place that will limit the damage caused or will an attacker manage to go from one device to another once the security perimeter is breached?

Switch and router manufacturers often have scripts that can be used for lockdowns. It is possible to disable unneeded interfaces and services, and restrict public and private addresses. Have you done this? A hacker would check this!

Learn how to think like a hacker and you will be able to make your network more secure

There is a very good reason why organizations spend big bucks on white hat hackers and get them to attempt to break through defenses and find the weak points in systems. If you learn how to think like a hacker you will be helping your organization enormously.

Start thinking like a hacker and view every node and end user as a potential entry point into your network, and it will make it easier for you to design network defenses and keep your equipment and data well secured.

Beebone Botnet Shut Down by Europol

The infamous and particularly dangerous Beebone botnet has finally been taken out of action following a joint initiative between Europol and the FBI. The Beebone botnet was believed to be controlling well over 100,000 computers late last year, and while many of the botnet infections have since been cleaned, around 12,000 computers are still believed to be infected with the malware.

Beebone botnet used to infect computers with malware

The botnet may have been relatively small, only involving around 12K computers, but it was particularly nasty. It was used to download other malware onto the computers, including password stealers, rootkits, fake security software and a host of other malicious programs. Any computer fallen victim to Beebone is therefore likely to be infected with a wide range of other malware.

The Beebone botnet proved difficult to locate

The Joint Cybercrime Action Taskforce of Europol struggled to locate the servers used for the Beebone botnet. Part of the reason was the software being used was particularly effective at avoiding detection. The polymorphic software was able to reconfigure itself frequently making it incredibly difficult to track down. Traditional signature detection methods of botnet identification were ineffective since the software was able to change its signature up to 19 times per day.

Beebone was also able to determine when it was under attack. When it detected it was being isolated or studied, it triggered a change in its unique identifier. The Beebone botnet was one of the most sophisticated ever seen.

Operation Beebone sinkholes almost 100 domains

The key to shutting down the botnet was to interfere with its ability to communicate with its command and control servers. Hacker’s instructions were thus prevented from reaching the software. In order to shut it down, the Joint Cybercrime Action Taskforce and the FBI enlisted the help of Intel Security, Shadowserver, and Kaspersky Lab and the joint operation was finally successful.

Once the malware had been isolated, the Joint Cybercrime Action Taskforce was able to identify and sinkhole around 100 domains used to communicate with the malware.

Unfortunately, while the botnet is believed to have been effectively shut down, this is only a temporary fix. Domains have been sinkholed but this is only a short-term solution. Any computer that has been infected must now be cleaned. That means some 12,000 or so computers must have the infection removed and that process is not straightforward.

The malware removal process can now start in earnest

Removing the malware is easy. Many tools have been developed to do this. In order for an infection to be cleaned, the owner of the infected computer will need to use one of those tools. For that to happen, the owner must be aware that their computer has been infected and most do not. That means Internet Service Providers will need to notify individuals known to be infected. That process may take some time but it can now start.

It is essential that all users clean the infection. It is possible that the malware installed on their computers could be reactivated if not removed.