Month: October 2015

A Honeypot for Malware Can be of Great Benefit to Your Organization

Have you been considering implementing a honeypot for malware? Attracting malware may seem counterintuitive, but there are real benefits to be had from setting up a honeypot. Your network will attract malware regardless, so why not make sure it lands somewhere safe, where you can observe it?

Practical advice about implementing a honeypot for malware

A honeypot for malware can be highly beneficial to an organization; however, it must be set up correctly and given enough resources for maintenance and upkeep. A honeypot will be of little use if it can easily be identified as a fake system, and it is worse than useless if it can be used as a platform to attack your real systems.

Listed below are some tips and pointers to get started:

How much interaction are you looking for?

When setting up a honeypot for malware, you need to decide on the level of interaction you want. How much leeway will you give an attacker? How much activity are you willing to allow? Generally speaking, the more interaction you want to allow, the more time you will need to spend setting up your malware honeypot and maintaining it.

You must also bear in mind that the more interaction you allow, the higher the risk of an attacker breaking out of the honeypot and launching an attack on your real systems. High-interaction malware honeypots run real operating systems, so malware that lands on them really does execute. If low interaction is enough for your purposes, you can use emulation instead: the honeypot only mimics a service, which requires less maintenance and carries less risk, at the cost of capturing less of the attacker's behaviour.
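The trade-off just described in working code, as an added example that is not part of the original article or of any package it lists: a low-interaction honeypot in Python that emulates only the login prompt of a telnet-style service, records every credential pair tried against it, and rejects them all. The banner string, prompt text, attempt limit and the sample credentials fed to it in the demo are assumptions chosen for the demonstration.

```python
"""Low-interaction login honeypot: an added example, not code from this page.
It emulates only a telnet-style login prompt and never spawns a shell, so there
is nothing for an attacker to break out of, yet every credential pair is logged."""
import json
import socket
import threading
import time
from collections import Counter, namedtuple

# Assumption: a banner chosen to match the real hosts around the honeypot;
# shipping a package's default banner is the "default configuration" tell-tale.
BANNER = b"\r\nUbuntu 14.04.3 LTS\r\n"
MAX_ATTEMPTS = 3     # a real login(1) also gives up after a few tries
REJECT_DELAY = 0.2   # seconds; real logins pause before rejecting

LoginAttempt = namedtuple("LoginAttempt", "ts src_ip src_port username password")

def _read_line(f):
    """Read one LF-terminated line (CR stripped); None if the peer hung up."""
    line = f.readline(256)
    return line.rstrip(b"\r\n").decode("utf-8", "replace") if line else None

class LoginHoneypot:
    def __init__(self, host="127.0.0.1", port=0, timeout=10.0):
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._timeout = timeout
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0: let the OS pick a free port
        self._sock.listen(16)
        self._sock.settimeout(0.5)      # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        """Play the login dialogue: log each attempt, reject every one of them."""
        conn.settimeout(self._timeout)
        with conn, conn.makefile("rb") as f:
            try:
                conn.sendall(BANNER)
                for _ in range(MAX_ATTEMPTS):
                    conn.sendall(b"login: ")
                    user = _read_line(f)
                    if user is None:
                        return
                    conn.sendall(b"Password: ")
                    password = _read_line(f)
                    if password is None:
                        return
                    with self._lock:
                        self.records.append(LoginAttempt(time.time(), addr[0], addr[1], user, password))
                    time.sleep(REJECT_DELAY)
                    conn.sendall(b"\r\nLogin incorrect\r\n")
            except OSError:   # socket.timeout is an OSError too
                pass

def to_jsonl(records):
    """One JSON object per line, the shape most log shippers ingest."""
    return "\n".join(json.dumps(r._asdict()) for r in records)

def top_credentials(records):
    return Counter((r.username, r.password) for r in records).most_common()

def simulate_attacker(port, creds):
    """Constructed stand-in for a brute-forcer, used by the demo only."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        seen = b""
        for i, (user, password) in enumerate(creds, 1):
            s.sendall(f"{user}\r\n{password}\r\n".encode())
            while seen.count(b"Login incorrect") < i:   # wait for the rejection
                chunk = s.recv(1024)
                if not chunk:
                    return
                seen += chunk

def run_demo():
    hp = LoginHoneypot()
    hp.start()
    try:   # constructed sample credentials, not real data
        simulate_attacker(hp.port, [("root", "123456"), ("admin", "admin"), ("root", "123456")])
    finally:
        hp.stop()
    return hp.records

if __name__ == "__main__":
    print(to_jsonl(run_demo()))
```

Because the handler never hands the session to a shell, the only thing an attacker can do is keep guessing, which is the low-interaction bargain: no breakout risk, but nothing captured beyond credentials and connection metadata. A high-interaction deployment would instead give the attacker a real system and must then sit in an isolated network segment with outbound traffic restricted. Note the banner constant: leaving a package's default banner in place hands scanners a ready-made signature, which is one of the tell-tale signs covered later in this article.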

Off-the-shelf honeypot packages are perhaps the easiest place to start. Many are open source and can be tweaked to suit your needs, and even among commercial products there are free editions to try out, so using a ready-made honeypot does not mean you need to spend big.

Honeypots for malware and more…

A ready-made package is usually the logical place to start before progressing to a customized open-source deployment or an expensive, comprehensive honeypot system. It lets you gauge how beneficial running a honeypot for malware is. If it proves useful, you can commit more time and resources to developing a fully customized honeypot for your organization. You can also start with a honeypot for malware and, if you are happy with the results, set up honeypots for your SCADA/ICS systems and your web services as well.

We suggest the following to get started:

Honeyd

A great choice for simulating multiple hosts and services on a single machine. This low-interaction honeypot creates virtual hosts that answer for unused IP addresses on your network, so a convincing network of apparent Windows, Linux, and Unix machines can be set up, with each host's personality emulated at the TCP/IP stack level so that it fingerprints as the operating system it claims to be. It is also capable of identifying remote hosts passively.

Kippo

An SSH server honeypot with medium interaction. It logs each session in a form that allows the attack to be replayed and viewed, and it presents attackers with a fake file system that you can populate with realistic content.

Dionaea

A good honeypot for malware. It runs on Linux and emulates Windows-facing services such as SMB in order to capture the malware samples that attackers try to deliver through them.

Ghost USB

A honeypot for malware that spreads via USB drives: it emulates a removable USB storage device on a Windows host and watches for malware that tries to copy itself onto it.

Glastopf

A low-interaction web application honeypot that emulates vulnerabilities such as SQL injection and file-inclusion flaws, so that attacks against them can be recorded.

Thug

A honeyclient (client-side honeypot) that emulates a web browser. A useful tool for exploring and interacting with a malicious website to determine what malicious code and objects it contains.

Powerful honeypot packages

Three excellent comprehensive honeypot packages are listed below. One is commercial and two are free, but in each case it may be better to adopt the package than to commit the time and resources to developing your own custom honeypot system.

KFSensor

A commercial, Windows-based honeypot system with excellent functionality and flexibility. It is expensive, but it is the choice of many professionals.

MHN

MHN, or Modern Honeypot Network to give it its full name, is an open-source platform for deploying and managing a fleet of honeypot sensors, including Kippo, Dionaea, and Glastopf. It is easy to configure and customize, and it stores the collected data in a MongoDB database.

HoneyDrive

A virtual appliance (OVA) based on Xubuntu Linux. A good range of analysis tools is provided, along with 10 pre-installed honeypot software packages.

Your honeypot may be detected!

It may only be a matter of time before your honeypot is detected, and when that happens the information is likely to be shared with other attackers. Fortunately, there are many different packages to choose from, and custom honeypots can be created, so attackers cannot rely on a single signature to identify a system as a honeypot.

There are common tell-tale signs that a system is a honeypot. We recommend addressing the following if you want to make sure your honeypot is not recognized as a fake system:

  • There is no system activity: one sure sign of a fake system is that nobody is using it.
  • The system is far too easy to compromise: setting “password” as the password, for example.
  • Odd ports are left open and out-of-the-ordinary services are running.
  • Hardly any software has been installed.
  • The software and operating system have been left in their default configurations.
  • The file structure is too regular, and file names are obviously bait: files such as “user password list” and “staff social security numbers” are unrealistic.

Also worth considering is whether to include a deception port: an open port that deliberately lets an attacker recognize a honeypot. What is the point? It shows any would-be attacker that they are dealing with an organization that has devoted a lot of time and effort to cybersecurity, and that in itself may be enough to convince them to look elsewhere and pursue much easier targets.

Do you think a honeypot is worth the effort?

Lack of Cybersecurity Funding? Cost-Effective Solutions for IT Professionals

A chronic lack of cybersecurity funding is a common problem. Network administrators and IT managers alike must learn to deal with a small budget and do more with the money they have available. Unfortunately, budgets are unlikely to be increased substantially, even when faced with new threats and a greater risk of suffering cyberattacks. You will be expected to do your job with the money that has been allocated. At best you may get a slight funding increase for next year. In the meantime, you will just need to do your best. Your best must also be good enough.

Get organized and stop wasting time on repetitive tasks

You will get request after request via your support line, and many support tickets will require you to do the same thing over and over again. You can spend your days dealing with the same problems, committing an extraordinary amount of time to fixing the same email, network, hardware, and software issues, but that is time and money that could be spent on more important tasks. What you must do is tackle these problems at their root cause. Sort that out, and the support tickets will stop. It will take longer initially, but it will save you a considerable amount of time in the long run.

Deal with a lack of cybersecurity funding by saving money and achieving more in less time

You may be thinking that is easier said than done. There may be no money for new hardware or software, and you cannot pay for solutions if the funds are not available. There is a way forward, though. You can free up time and resources by tackling the root causes of malware infections, phishing scams, and many system malfunctions, rather than repeatedly treating their symptoms.

You can prevent a great many support tickets and save a lot of time by implementing two software solutions designed to stop network administrators, IT helpdesk staff, and IT managers from wasting time. A lack of cybersecurity funding need not mean leaving your network open to attack, or leaving your end users (and your network) exposed.

SpamTitan and WebTitan are two cybersecurity solutions that are cost-effective, easy to implement, and easy to manage. They will also help to keep your end users and network protected. A lack of cybersecurity funding need not spell disaster.

Coping with a lack of cybersecurity funding: SpamTitan and WebTitan anti-spam and web filtering solutions

SpamTitan offers IT professionals an easy option for dealing with email spam and the problems it causes. Cut down on the common reasons for end users submitting support tickets and calling IT support helplines, and save time and money. Your resources can then be diverted to dealing with more critical IT issues.

SpamTitan filters inbound and outbound email and prevents the issues created by:

  • Spam and bulk emails
  • Malware and viruses
  • Dangerous email attachments
  • Spam websites and spam hosts
  • Phishing emails and malicious links
  • Outbound spam
  • IP address blocking and blacklisting
  • Rate threshold violations
  • IT-related damage to business reputation

WebTitan web filtering solutions keep users protected and cut the time wasted on:

  • Spyware
  • Malware
  • Drive-by attacks
  • Malicious websites
  • Social media usage issues
  • Accessing of inappropriate content
  • Loss of bandwidth
  • Malicious adverts
  • Inappropriate Internet use
  • Rogue app threats

For further information on how WebTitan and SpamTitan can save your company – and the IT department – time and money, visit: www.spamtitan.com and www.webtitan.com