
Using Honeypots for Network Intrusion Detection
10/22/2020
Report #: 202010221030
Agenda

• Introduction
• Honeypot History
• Honeypot Characteristics
• Honeypot Types
• Honeypot Goals
• Honeypots for Intrusion Detection
• Honeypot Logging and Monitoring
• Honeypot Risks and Mitigations
• Conclusion
• References
• Questions
Slides Key:
• Non-Technical: Managerial, strategic and high-level (general audience)
• Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)

TLP: WHITE, ID# 202010221030 2


Introduction

What is a honeypot?

“A security resource whose value lies in being probed, attacked, or compromised.” – Lance Spitzner

Source: EC Council


Honeypot Types

• Honey System
o Imitates operating system and services.
• Honey Service
o Imitates software or protocol functions.
• Honey Tokens
o Imitates data.

Figure: an attacker facing a Honey System (Ubuntu Linux 18.04) that hosts Honey Services (HTTP server, SSH server, SMB share) and a Honey Token (Word doc).

Source: Intrusion Detection Honeypots; Public Domain Vectors


Honeypot History

• 1989: “The Cuckoo’s Egg”
• 1991: “An Evening with Berferd”
• 1997: The Deception Toolkit
• 1999: CyberCop Sting
• 2000: The Honeynet Project
• 2003: Honeyd
• 2014: Deception-based Technology Boom
• Present: 80+ free open source honeypot tools


Honeypot Characteristics

Honeypots are:

• Deceptive
o They appear to be something they are not.
• Discoverable
o Located on a network where an attacker is likely to find them.
• Interactive
o The honeypot will respond to a range of stimuli, from low to high interactivity.
• Monitored
o Any interaction with a honeypot is logged and triggers an alert.

Image sources: StickPNG; Photos.com; Amazon.com; Physical Security Online
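The four characteristics above can be seen in a few dozen lines of code. The following is an added example written for this page, not code from the HC3 deck or from any of the honeypot projects it references: a low-interaction honey service that is deceptive (it presents an SSH-style banner), interactive at the lowest level (one exchange, then disconnect) and monitored (every connection becomes a JSON alert line). Discoverability is a placement decision, so it is left to where the listener is bound. The banner string, the port and the event fields are assumptions made for the example.

```python
"""Added example (not from the HC3 deck): a low-interaction honey service."""
import json
import socket
import threading
from datetime import datetime, timezone

# Deceptive part: a plausible banner for an Ubuntu 18.04 honey system.
# The exact version string is an assumption chosen for this example.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"
MAX_CLIENT_BYTES = 255  # an SSH identification line is at most 255 bytes


def handle_connection(conn, peer, banner=FAKE_BANNER, timeout=2.0):
    """Serve one client at low interaction and return the event to alert on.

    conn is a connected socket, peer the (ip, port) tuple from accept().
    """
    started = datetime.now(timezone.utc)
    client_banner = ""
    try:
        conn.settimeout(timeout)
        conn.sendall(banner)
        # Real clients send their own identification line; scanners often do too.
        data = conn.recv(MAX_CLIENT_BYTES)
        client_banner = data.decode("ascii", errors="replace").strip()
    except (socket.timeout, OSError):
        pass  # a silent or aborted probe is still worth an alert
    finally:
        conn.close()  # low interaction: nothing beyond the first exchange
    return {
        "time": started.isoformat(),
        "service": "ssh",
        "src_ip": peer[0],
        "src_port": peer[1],
        "client_banner": client_banner,
        "severity": "medium" if client_banner else "low",
    }


def emit_alert(event, sink=None):
    """Monitored part: one JSON line per interaction (stdout by default)."""
    line = json.dumps(event, sort_keys=True)
    if sink is None:
        print(line)
    else:
        sink.write(line + "\n")
    return line


def _worker(conn, peer, sink):
    emit_alert(handle_connection(conn, peer), sink)


def serve(bind_addr=("0.0.0.0", 2222), sink=None):
    """Accept loop. Port 2222 is an assumption; redirect 22 to it if wanted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind_addr)
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=_worker, args=(conn, peer, sink), daemon=True).start()


def simulate_probe(client_bytes=b"SSH-2.0-PuTTY_Release_0.74\r\n",
                   peer=("203.0.113.7", 51515), timeout=0.5):
    """Drive handle_connection over an in-process socket pair (constructed probe).

    Returns (event, bytes_the_client_received).
    """
    server_side, client_side = socket.socketpair()
    with client_side:
        if client_bytes:
            client_side.sendall(client_bytes)
        event = handle_connection(server_side, peer, timeout=timeout)
        seen = client_side.recv(1024)
    return event, seen


if __name__ == "__main__":
    event, seen = simulate_probe()
    emit_alert(event)
    serve()
```

Run stand-alone it first logs one constructed probe and then listens; point it at a port nothing legitimate should ever touch, and the single `print` becomes whatever the logging pipeline on the next slides expects.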


Honeypot Characteristics: Deceptive

Figure: Whaley’s Deception Taxonomy

Source: Intrusion Detection Honeypots


Honeypot Characteristics: Discoverable

Figure: Honeypot Discoverability, showing attackers outside the network and inside the network, a research honeypot, file honey tokens and an endpoint.


Honeypot Characteristics: Interactive

Honeypot Interaction Levels

• High Interaction: Honey Systems
• Medium Interaction: Honey Services
• Low Interaction: Honey Systems, Honey Services, Honey Tokens


Honeypot Characteristics: Monitored

Monitoring and Logging Honeypots

Questions to ask…

1. What log formats does the honeypot provide?
2. What log formats does the logging server accept?
3. What tool will I use to send logs over the network from the honeypot?
4. What tool will I use to receive the logs sent to the logging server?
5. How will I filter and parse the honeypot logs for useful analysis?

Figure: Honeypot → Log Server
Source: Clipart Library
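Questions 1, 2 and 5 above come down to a parse-filter-alert step between the honeypot and the log server. The block below is an added example written for this page, not code from the HC3 deck or from Cowrie, OpenCanary or any other referenced tool: it reads JSON-lines honeypot output, drops events from the organisation's own authorised scanner range (the allow list the placement slide later recommends, so scans and pentests do not page anyone), and turns every remaining event into a normalised alert, since nothing legitimate should be interacting with a honeypot. The log lines, field names, sensor names, addresses and the severity ranking are all constructed for the example.

```python
"""Added example (not from the HC3 deck): a minimal honeypot log pipeline."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample feed: one JSON object per line, as many honeypots emit.
# The third line is deliberately not JSON to show the parser surviving it.
SAMPLE_LOG = """\
{"ts": "2020-10-22T10:30:01Z", "sensor": "honey-ssh-01", "service": "ssh", "src_ip": "10.20.30.40", "event": "login.success", "username": "root"}
{"ts": "2020-10-22T10:30:02Z", "sensor": "honey-ssh-01", "service": "ssh", "src_ip": "10.0.5.9", "event": "connect"}
this line is not json and should be counted as a parse error
{"ts": "2020-10-22T10:31:15Z", "sensor": "honey-smb-02", "service": "smb", "src_ip": "10.20.30.41", "event": "file.open", "share": "Finance", "file": "payroll.docx"}
{"ts": "2020-10-22T10:32:00Z", "sensor": "honey-http-03", "service": "http", "src_ip": "10.0.5.9", "event": "request", "path": "/admin"}
"""

# Constructed allow list: the organisation's own vulnerability scanners and
# penetration-test hosts. Their probes are expected and must not raise alerts.
AUTHORIZED_SCANNERS = [ipaddress.ip_network("10.0.5.0/24")]

# Events that show an attacker "did" something rank above mere connects.
SEVERITY = {
    "login.success": "high",
    "file.open": "high",  # a honey token (the Word doc) was touched
    "request": "medium",
    "connect": "low",
}


def parse_events(text):
    """Parse JSON-lines honeypot output. Returns (events, parse_error_count)."""
    events, errors = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            errors += 1  # keep going; one bad line must not stall the feed
    return events, errors


def is_authorized_scanner(src_ip):
    """True when the source sits inside an allow-listed scanner range."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def to_alert(event):
    """Normalise a raw honeypot event into the shape the log server expects."""
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    core = ("ts", "sensor", "service", "src_ip")
    return {
        "time": ts.isoformat(),
        "severity": SEVERITY.get(event.get("event"), "medium"),
        "sensor": event["sensor"],
        "service": event["service"],
        "src_ip": event["src_ip"],
        "summary": f'{event["service"]} {event["event"]} from {event["src_ip"]} on {event["sensor"]}',
        "detail": {k: v for k, v in event.items() if k not in core},
    }


def build_alerts(text):
    """Full pipeline: parse, drop authorised scanners, alert on everything else."""
    events, errors = parse_events(text)
    alerts = [to_alert(e) for e in events if not is_authorized_scanner(e.get("src_ip", ""))]
    alerts.sort(key=lambda a: a["time"])
    return alerts, errors


if __name__ == "__main__":
    alerts, errors = build_alerts(SAMPLE_LOG)
    print(f"{len(alerts)} alert(s), {errors} unparsable line(s)")
    for a in alerts:
        print(f'[{a["severity"]:6}] {a["time"]} {a["summary"]}')
```

On the constructed feed the two events from the allow-listed scanner are dropped and the unparsable line is counted rather than fatal, leaving the root login on the SSH honey service and the open of the honey document on the SMB share as high-severity alerts.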


Honeypot Goals

• Research
• Goal is to learn about attackers’ tactics, techniques and procedures
• Resource Exhaustion
• Goal is to waste the attackers’ time for as long as possible
• Intrusion Detection
• Goal is to be alerted to an attacker’s presence on the network, as nothing legitimate should be interacting with it

Image sources: Medical News Today; National Geographic; WebStockReview


Honeypot Goals: Research

Figure: Research Honeypots
Source: Digital Shadows


Honeypot Goals: Resource Exhaustion

Figure: Resource Exhaustion Honeypots
Source: Stack Overflow


Honeypot Goals: Intrusion Detection

Figure: Intrusion Detection Honeypots
Source: Australian Broadcasting Corporation


Using Honeypots for Intrusion Detection

See – Think – Do Deception Methodology

• See
o The attacker needs to see the honey system, service, or token
• Think
o The attacker must think the honey system, service, or token is worth taking the time to explore or interact with
• Do
o The attacker must do something with the honey system, service, or token, generating an alert

Source: JP 3-13.4, Military Deception


Using Honeypots for Intrusion Detection (cont.)

Honeypot Placement Within the Network

• See
o Where will an attacker be to see a honeypot?
o Where will they want to pivot to and find more honeypots waiting for them?
o What would they consider valuable in the network where additional honeypots could be placed?
• Think
o How do you make a honeypot important enough to interact with?
o Do you make it stand out, or blend in?
• Do
o How much functionality do you give the honeypot so the attacker will interact with it?

Source: Wikimedia Commons

All honeypot IP addresses should be included on the lists used by vulnerability scanners and penetration testers, so that their activity does not generate false positive alerts.


Using Honeypots for Intrusion Detection (cont.)

Medical Device Honeypot Use Case

Medical Device Honeypot Data
• Honeypots: 10
• Successful logins (SSH/Web): 55,416
• Successful exploits: 299 (majority were MS08-067)
• Dropped malware samples: 24


Honeypot Risks and Mitigations

Risk: Using honeypots in place of other security tools
Mitigation: Use with other enterprise security tools

Risk: Honeypots aren’t alerting on intruders
Mitigation: Use with other enterprise security tools

Risk: Honeypots can be detected by attackers and manipulated
Mitigation: Their interaction has already been alerted on

Risk: High-interaction honeypots can provide attackers a pivot point
Mitigation: Position high-interaction honeypots outside the network, where they can’t interact with internal systems


Conclusion

• Honeypots are generally found in the form of:
• Honey Systems
• Honey Services
• Honey Tokens

• To be effective, all honeypots must be:
• Deceptive
• Discoverable
• Interactive
• Monitored

• Honeypots are primarily used for:
• Research
• Resource Exhaustion
• Intrusion Detection


References

• Sanders, C. (2020). Intrusion Detection Honeypots: Detection Through Deception. Chris Sanders.
• Intrusion Detection Honeypots: Detection Through Deception - Chris Sanders – PSW #668
o https://www.youtube.com/watch?v=m8i02Hr_g6s
• Stoll, C. (1990). The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Pocket Books.
• An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied.
o http://cheswick.com/ches/papers/berferd.pdf
• Joint Publication 3-13.4, Military Deception
o https://info.publicintelligence.net/JCS-MILDEC.pdf
• Strand, J. (2017). Offensive Countermeasures: The Art of Active Defense. John Strand.
• Black Hills Information Security – Projects
o https://www.blackhillsinfosec.com/projects/
• Active Defense Harbinger Distribution
o https://www.activecountermeasures.com/free-tools/adhd/
• Canary Tokens
o https://docs.canarytokens.org/guide/
• OpenCanary
o https://opencanary.readthedocs.io/en/latest/


References (cont.)

• How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions
o https://zeltser.com/honeytokens-canarytokens-setup/
• The Honeynet Project
o https://www.honeynet.org/about/
• Best Honeypots for Detecting Network Threats
o https://securitytrails.com/blog/top-20-honeypots
• What is a honeypot?
o https://usa.kaspersky.com/resource-center/threats/what-is-a-honeypot
• Epidemic: Researchers Find Thousands of Medical Systems Exposed to Hackers
o https://securityledger.com/2015/09/epidemic-researchers-find-thousands-of-medical-systems-exposed-to-hackers/
• Honeypots Illustrate Scores of Vulnerabilities in Medical Devices
o https://threatpost.com/honeypots-illustrate-scores-of-vulnerabilities-in-medical-devices/116280/
• Web Labyrinth
o https://github.com/mayhemiclabs/weblabyrinth
• Artillery
o https://github.com/BinaryDefense/artillery
• Cowrie
o https://github.com/cowrie/cowrie


Questions

Upcoming Briefs
• QakBot/Qbot Malware (10/29)
• SMB-Based Attacks Targeting Healthcare (11/05)

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.


About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft and general notifications to the HPH about currently impacting threats via the HHS OIG

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.


Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110
HC3@HHS.GOV