Have you been considering implementing a honeypot for malware? Attracting malware may seem counterintuitive but there are great benefits to be had from setting up a honeypot. You will attract malware regardless, so why not make sure it gets installed somewhere safe?

web protection

Practical advice about implementing a honeypot for malware

A honeypot for malware can be highly beneficial for an organization; however, it is important to set it up correctly and to commit enough resources for maintenance and upkeep. A honeypot for malware will be of little use if it can easily be identified as a fake system, and even worse if it can be used as a platform to attack your real system.

Listed below are some tips and pointers to get started:

How much interaction are you looking for?

When setting up a honeypot for malware, you need to decide on the level of interaction you want. How much leeway will you give an attacker? How much activity are you willing to allow? Generally speaking, the more interaction you want to allow, the more time you will need to spend setting up your malware honeypot and maintaining it.

You must also bear in mind that the more interaction you allow, the higher the risk of the attacker breaking out of the honeypot and launching an attack on your real systems. High-interaction malware honeypots actually run real operating systems. If you are happy with low-level interaction, you can use emulation and it will require less maintenance and involve less risk.

Off the shelf malware honeypot systems are perhaps the easiest place to start, although there are open-source options available that can be tweaked to suit your needs. Just because you use a commercial honeypot, it doesn’t mean you need to spend big. There are many free options to try out.

Honeypots for malware and more…

A package is usually the logical place to start before progressing to open-source options or expensive, comprehensive honeypot systems. You can gauge how beneficial running a honeypot for malware is. If it proves to be useful, you can commit more time and resources to developing a fully customized honeypot for your organization. You can also start with a honeypot for malware and, if you are happy with the results, also set up a honeypot for SCADA/ICS and your web services.

We suggest the following to get started:

Honeyd

A great choice for simulating multiple hosts and services on a single machine using virtualization. This low-interaction honeypot allows a convincing network to be set up involving numerous operating systems such as Windows, Linux, and Unix at the TCP/IP stack level. Capable of identifying remote hosts passively.

Kippo

A SSH server honeypot with medium interaction. Excellent logging capabilities allowing a rerun of an attack to be viewed. Kippo allows complete file systems to be created.

Dionaea

A good honeypot for malware. Windows-based.

Ghost USB

A honeypot for malware spread via USB drives.

Glastopf

A honeypot with low interaction that emulates web vulnerabilities that can be exploited using SQL injection.

Thug

A honeyclient (client-side honeypot) that emulates a web browser. A useful tool for exploring and interacting with a malicious website to determine what malicious code and objects it contains

Powerful honeypot packages

There are three excellent comprehensive honeypot packages listed below. It may be better to pay for these packages than to commit the time and resources to developing your own custom honeypot system.

KFSensor

A Windows-based honeypot system with excellent functionality and flexibility. It is expensive, but it is the choice of professionals.

MHN

MHN, or Modern Honeypot Network to give it its full name, is open source allowing for easy configuration and customization, with an extensive range of tools. Operates using a Mongo database.

HoneyDrive

A virtual appliance (OVA) with Xubunti for Linux. A good range of analysis tools is provided, along with a choice of 10 pre-installed honeypot software packages.

Your honeypot may be detected!

It may only be a matter of time before your honeypot is detected, and when that happens the information is likely to be shared with other hackers. Fortunately, there are many different packages to choose from and custom honeypots can be created. Hackers cannot therefore look for a single signature to identify a system as a honeypot.

There are common tell-tale signs that a system is a honeypot. We recommend taking action to address the following issues if you want to make sure your honeypot is not detected as a fake system.

  • Ensure there is system activity – One sure sign of a fake system is it is not being used by anyone!
  • You make it far too easy to compromise the system – setting “password” as the password for example
  • Odd ports are left open and out of the ordinary services are being run
  • Hardly any software has been installed
  • Default configurations of software and operating systems have been installed
  • The file structure is too regular, and file names are obviously fake – file names such as “user password list” and “staff social security numbers” are unrealistic

Also worth considering is whether to include a deception port. A deception port is an open port that will allow an attacker to detect a honeypot. What is the point? This will show any would-be attacker that they are dealing with an organization that has devoted a lot of time and effort to cybersecurity. That, in itself, may be enough to convince attackers to look elsewhere and pursue much easier targets.

Do you think a honeypot is worth the effort?