Honeypots

HONEYPOTS
DIVERSION, DISTRACTION, DECEPTION

Brian O’Neill, Sr. Product Manager, Rapid7
© 2017 ISACA. All Rights Reserved

TODAY’S SPEAKER
Brian O’Neill
Product Management
Rapid7
2
AGENDA
1. Honeypots, briefly.
2. Why deploy honeypots?
3. Types of honeypots.
4. Honeypot examples.
5. What we can learn from honeypots.
6. Wrap up.

AGENDA
1. Honeypots, briefly. What it is.
2. Why deploy honeypots? High-level walkthrough of honeypots and their usage
3. Types of honeypots. What it isn’t.
4. Honeypot examples. Deep, technical walkthroughs
5. What we can learn from honeypots.
6. Wrap up.

WHAT IS A HONEYPOT?
“ computer security mechanism set to detect, deflect, or, in

some manner, counteract attempts at unauthorized use of
information systems.” – Wikipedia

POLL: HOW MANY OF YOU
DEPLOY HONEYPOTS?

WHAT IS A HONEYPOT?
Two Main Purposes
Passive Defense
Active Defense

WHAT IS A HONEYPOT?
Two Main Purposes
• Divert
Passive Defense
• Distract Active Defense
• Delay
• Alert
• Gather Intel

WHY DEPLOY HONEYPOTS?
Breaches happen seemingly every day.
Honeypots can be a low-cost, high-value defense mechanism.
Your systems are constantly being probed and

explored, you can use honeypots to delay
attacks and gather intelligence on your
adversaries.

Passive Defense
To Divert
Turn your adversary’s
attention away from critical
components.
“All warfare is based on deception”

- Sun Zsu
10

Passive Defense
To Distract
Focus attention on your chosen deployments
11

Passive Defense
To Distract
I’VE TURNED
Focus attention on your chosen deployments MYSELF INTO A
PICKLE,
MORTY!!! I’M
PICKLE
RIIIIIICK!!!
12

Passive Defense
To Distract
Focus attention on your chosen deployments
13

Passive Defense
To Delay
Amma get
chu!
Slow attackers down
14

Passive Defense
Waste Time
Muddy the waters and make it harder

to know what to investigate
15

Passive Defense
Wasting time is wasting
money
• Technical talent is expensive
• CPU, Bandwidth, resources cost

money
This Photo by Unknown Author is licensed under CC BY-NC 16

Passive Defense
Annoy
Make your deployment less attractive
and more of a pain to investigate.
17

Passive Defense
“You don’t have to run

faster than the bear…
18

Passive Defense
“You don’t have to run

faster than the bear…
… you just have to run

faster than the guy next
to you.”
- Jim Butcher
19

Active Defense
Gather Intel
• Attacker Profiles
20

Active Defense
Gather Intel
• Attack Methods
21

Active Defense
Gather Intel
• Attack Methods
• Targeted Assets
22

Active Defense
The ”Cyber Kill Chain”
Image Source: Lockheed Martin

23

Active Defense
• Delay
24

Active Defense
• Delay
• Distract
25

Active Defense
• Delay
• Distract
• Detect
26

Active Defense
• Delay
• Distract
• Detect
• Alert
27

Active Defense
• Delay
• Distract
• Detect
• Alert
• Gather Intel
28

Active Defense
• Delay
• Distract
• Detect
• Alert
• Gather Intel NOPE!
29

TYPES OF HONEYPOTS
30

TYPES OF HONEYPOTS
Production Research
VS.
31

TYPES OF HONEYPOTS
Production
32

TYPES OF HONEYPOTS
Port, Service, or System Honey “Things”
33

TYPES OF HONEYPOTS
Port, Service, or System Honey “Things”
Emulating open ports, services or Static ‘things’ available on the

entire systems. network.
Various levels of interaction with Used in tandem with other

intruders protectionary measures
Wide array of system emulation

available
34

TYPES OF HONEYPOTS
Levels of Interaction
• Pure
• High
• Mid
• No (Low)

TYPES OF HONEYPOTS
Levels of Interaction
Mimic full system
• Pure
Capture Malware
• High
Record Shell Respond to commands

• Mid Allow Login
Listen Only
• No (Low)

LOW INTERACTION HONEYPOTS
Listen, block, repeat, rinse

Offensive Counter Measures: The Art of Active Defense
Linux: NetCat, IPTables
- John Strand & Paul Asadoorian
Windows: NetCat, Netsh
iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m
recent –set –name SSH
iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m
recent –update –seconds 120 –hitcount 3 –rttl –name SSH -j DROP
Scripting options: powershell & python

https://isc.sans.edu/forums/diary/TinyPot+My+Small+Honeypot/22654

LOW INTERACTION HONEYPOTS
Kippo
https://github.com/desaster/kippo
Python based SSH

Logs entire shell interaction

MID INTERACTION HONEYPOTS
Cowrie
https://github.com/micheloosterhof/cowrie
Python-Based SSH & Telnet Honey Pot

Fork of Kippo, Written by Michel Oosterhof

Conpot
https://github.com/mushorg/conpot
Industrial Control System Honeypot: Modbus & SNMP

Honeynet -> Mushmush

Conpot
https://github.com/mushorg/conpot
Industrial Control System Honeypot: Modbus & SNMP

Honeynet -> Mushmush

Artillery
https://github.com/BinaryDefense/artillery
TRUSTEDSEC, Dave Kennedy
• Honeypot, Monitoring, & Alerting

• FIM & Configuration Warnings
• IPTables + Fake Data

Glastopf
https://github.com/mushorg/glastopf
Python Web App Honeypot Emulating vulnerability types

• LFI
• SQLI
• HTML Injection
• Automatically gathers attacks from dorking, and extends it’s attack
surface

Glastopf
https://github.com/mushorg/glastopf
Python Web App Honeypot Emulating vulnerability types

• LFI
• SQLI
• HTML Injection
• Automatically gathers attacks from dorking, and extends it’s attack
surface

AVAILABLE HONEYPOTS
Service Email/Web
• HoneyNTP • WordPot
• HoneyPerl • HoneyPotter
• Vnclow • HoneyPress
• Portlurker • PHPMyAdmin
• Arctic-swallow • Snare
Database Other
• MongoDB-HoneyProxy • ConPot - Industrial Control Systems
• Elastic Honey • SCADA honeynet
• MySql • gridpot
• NoSQLPot • TelNetHoney
• MSQL HoneyPots • HonTel
45

AVAILABLE HONEYPOTS
Service
• HoneyNTP
• HoneyPerl
• Vnclow
• Portlurker
• Arctic-swallow
Database
• MongoDB-HoneyProxy
• Elastic Honey
• MySql
• NoSQLPot
• MSQL HoneyPots
46

HIGH/PURE HONEYPOTS
Emulating Entire Systems

Deploy: HonSSH, Lyrebird
Build: Custom Copies of production code
Configure: Systems to Mimic Real CVEs

HIGH/PURE HONEYPOTS
Emulating Entire Systems

Deploy: HonSSH, Lyrebird
Build: Custom Copies of production code
Configure: Systems to Mimic Real CVEs
Caution:
• Forcefully segment
• Actively monitor
• Don’t 100% copy real systems
• Never use real credentials

HONEY “PLATFORMS”
Self Contained Honey Pot Systems

• Honeypots
• Malware Analysis
• Logging / Reporting

ADHD
BLACKHILLS Information Security
https://github.com/adhdproject
https://www.blackhillsinfosec.com/projects/adhd/
BeEF,
WebBugs,
Honey Badger,
Honey Ports,
Cowrie,
..and many, many more.

T-Pot
T-Mobile Open Source Project
https://github.com/dtag-dev-sec/tpotce
Conpot, Cowrie,
Dionaea, Glastoph,
HoneyTrap, and more
+ ELK Stack,
Suricatta, Spiderfoot,
and more

T-Pot

HONEY THINGS
Other Options

HONEY THINGS
Honey Users
• Email Addresses

HONEY THINGS
Honey Users
• Email Addresses
• Credentials

HONEY THINGS
Honey Users
• Email Addresses
• Credentials
• Hashes

HONEY THINGS
Honey Items
Plant, then watch…
• Docs

HONEY THINGS
Honey Tokens
Used in combination with
IPS/IDS
• Database Records

HONEY THINGS
Honey Tokens
IPS/IDS
• Strings
• Names
• Files
• Etc

POLL RESULTS
61

DEPLOYING HONEYPOTS
62

HONEY THINGS

HONEY THINGS
Honey Tokens
IPS/IDS
• Strings
• Names
• Files
• Etc

HONEY THINGS

HACKING BACK
ZipBombs

HACKING BACK
Endless Directories

HACKING BACK
Location Awareness

HACKING BACK
Location Awareness

RAPID7 RESEARCH
70

RAPID7 RESEARCH
71

PROJECT HEISENBERG
• ~150 Lo & Mid

Interaction
Honeypots
• Globally Deployed
• Coverage for top-5

cloud hosting
providers & private
web-facing hosts
• Observes attacker
behavior in real time
72

HONEYPOT DEPLOYMENTS
73

HONEYPOT DEPLOYMENTS
Sharing is caring

OBSERVATIONS
Wanna …

OBSERVATIONS
Wanna …

OBSERVATIONS
Improvements

OBSERVATIONS
Improvments

OBSERVATIONS
Improvments

OBSERVATIONS
CVEs Targeted

DEPLOYMENT TIPS
After a Hit?
• Log Management
• SIEM
• IPS/IDS
• Snort/Bro/Suricata
• Sandboxes

DEPLOYMENT TIPS
After a Hit?
• Log Management
• SIEM
• IPS/IDS
• Sandboxes

DEPLOYMENT TIPS
After a Hit?
• Log Management
• SIEM
• IPS/IDS
• Sandboxes

DEPLOYMENT TIPS
After a Hit?
• Log Management
• SIEM
• IPS/IDS
• Sandboxes

DEPLOYMENT TIPS
External-Facing
• Can be noisy
• Don’t use real creds
• Incredible valuable when used with multi-
stage rules

DEPLOYMENT TIPS
External-Facing
• Can be noisy
• Don’t use real creds
• Incredible valuable when used with multi-
stage rules
Alert: External Honeypot Access Followed by Local File Access
Alert: External Honeypot Access Followed by Multiple Login Failures

DEPLOYMENT TIPS
Internal-Facing
• Go bonkers, Honeypots: EVERYWHERE
• Use test deployments to tune IDS/IPS/SIEM

A COMMUNITY AT WORK
Open-Source Effort
1. Download Project
2. Fork
3. Comment/Commit!
4. Profit!

ADDITIONAL RESOURCES
SANS 550 - https://sans.org/sec550

Active Defense, Offensive Countermeasures and Cyber
Deception
Greg Foss – phpmyadmin honeypot & psrecon

https://github.com/gfoss - TREMENDOUS!
Paralax’s Llist – All the honeypots

https://github.com/paralax/awesome-honeypots
Questions?
90

THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL
FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING
THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-
INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS
DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND
THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE
PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR
CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF
THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING
PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE
APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
91

THANK YOU FOR ATTENDING THIS SESSION
92

Honeypots - Diversion, Distraction, Deception PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Honeypots - Diversion, Distraction, Deception PDF

Uploaded by

Copyright:

Available Formats

DIVERSION, DISTRACTION, DECEPTION

© 2017 ISACA. All Rights Reserved

2. Why deploy honeypots?

5. What we can learn from honeypots.

© 2017 ISACA. All Rights Reserved

1. Honeypots, briefly. What it is.

2. Why deploy honeypots? High-level walkthrough of honeypots and their usage

3. Types of honeypots. What it isn’t.

4. Honeypot examples. Deep, technical walkthroughs

5. What we can learn from honeypots.

© 2017 ISACA. All Rights Reserved

“ computer security mechanism set to detect, deflect, or, in

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

Two Main Purposes

© 2017 ISACA. All Rights Reserved

Two Main Purposes

© 2017 ISACA. All Rights Reserved

Breaches happen seemingly every day.

Honeypots can be a low-cost, high-value defense mechanism.

Your systems are constantly being probed and

© 2017 ISACA. All Rights Reserved

“All warfare is based on deception”

© 2017 ISACA. All Rights Reserved

Focus attention on your chosen deployments

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

Focus attention on your chosen deployments

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

Muddy the waters and make it harder

© 2017 ISACA. All Rights Reserved

• CPU, Bandwidth, resources cost

This Photo by Unknown Author is licensed under CC BY-NC 16

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

“You don’t have to run

© 2017 ISACA. All Rights Reserved

“You don’t have to run

… you just have to run

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

Image Source: Lockheed Martin

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

© 2017 ISACA. All Rights Reserved

Port, Service, or System Honey “Things”

© 2017 ISACA. All Rights Reserved

Port, Service, or System Honey “Things”

Emulating open ports, services or Static ‘things’ available on the

Various levels of interaction with Used in tandem with other

Wide array of system emulation

© 2017 ISACA. All Rights Reserved