Honeypots in Endpoint Security and How to Deploy a Honeynet
by Gilad David Maayan
The article has been originally published at: https://pentestmag.com/product/pentest-azure-kubernetes-and-cloud-security-tools/
In this article, you’ll learn what a honeynet is and how honeypots can help protect your organization’s endpoints. You’ll also learn how to deploy a honeynet with Modern Honey Network (MHN), an open-source tool.
How are Honeypots Used in Endpoint Security?
Endpoint Detection and Response (EDR) is a system that collects and analyzes information related to security threats from computer workstations and other endpoints to detect and detect security breaches as they occur. Facilitate rapid response to potential threats.
EDR has many improvements, but a full defense-in-depth strategy needs more. Leading provider EDR solutions still have a gap between threat detection in the network, endpoint asset detection and development, and security controls sharing information and minimizing response times. Complementary technologies can fill this gap.
Deploying trickery technology as a complementary technology along with the EDR platform can play an important role in eliminating this risk. Most people admit that deception is an effective means of detecting threats early and accurately and reducing the attacker's dwell time. However, with an advanced decentralized fraud platform (DDP), organizations can also automate visibility, asset discovery, and information sharing.
A honeypot is a network-connected system set up as a bait to lure cyber attackers and detect, bias, and investigate hacker attempts to gain unauthorized access to information systems. The honeypot feature is considered a potential target for attackers on the Internet (usually servers or other high-value assets) to gather information and to allow unauthorized users to access the honeypot. This is an attempt to notify the defender.
Large enterprises and enterprises participating in cybersecurity research are typical users of honeypots used to identify and defend against attacks from Advanced Persistent Threat (APT) attackers. Honeypots are an important tool for cybersecurity researchers who want to implement aggressive defenses against attackers in large organizations or learn more about the tools and techniques used by attackers.
Honeypots appear to be legitimate parts of the network used to retrieve information from trespassers tricking them into accessing the honeypot. Security teams deploy these traps as part of their cyber defense strategy. Honeypots are also used to investigate the behavior of cyber attackers and how they interact with networks.
What Is a Honeynet?
A honeynet is a network architecture that contains one or more honeypots. A honeypot is a computer or virtual machine disguised as a filestore, service, application, or endpoint. It is designed to be appealing to attackers and often includes fake “valuable data”. Honeypots and honeynets lure in and distract attackers from legitimate systems while security is alerted.
Honeynets can be real or virtual. A virtual honeynet is created through virtualization on a single server. When created, these nets include intentional vulnerabilities that allow attackers into a sandboxed environment. Sandboxed environments are isolated from other systems, containing any harm an attacker might do.
Honeynets and the decoys contained inside are a type of deception technology. Security teams can use this technology to identify attacks to their systems and gain insight on attack methods and processes. This can be an important complement to penetration testing efforts.
Honeynets and honeypots have a near 0% false-positive rate since there is no legitimate reason to access these tools. This makes honeynets and honeypots reliable for detecting breaches and monitoring attack behavior. It can also make these tools helpful in detecting attacks that otherwise bypass security measures, such as advanced persistent attacks.
Honeynets are meant to simulate a real network and often include real applications and services. These nets should never include real data but may have simulated data that appears real. Including real data would defeat the purpose of honeynets as tools to prevent a data breach.
Honeynets can include canary data; data that serves no legitimate purpose and is easily identifiable. This type of data can be included to help you track an attacker’s actions after they leave your system. If you find your canary data in “the wild”, you know it has come from an attack on your honeypot.
How to Deploy a Honeynet
To deploy a honeynet, you can either create one from scratch or you can use a prebuilt tool. Building a network from scratch allows greater customization but requires more time and expertise. Using a pre-built tool enables you to deploy a network more quickly and with minimal hassle. One caveat of using pre-built tools is that you need to verify that the tool is secure before using it.
The following tutorial outlines how to deploy a honeynet using the pre-built, Modern Honey Network tool. MHN is an open-source server application you can use to manage and collect data from honeypots. It is written in Flask and can be used with Ubuntu 18.04 and 16.04, and Centos 6.9.
1) Install MHN
You first need to install MHN on your designated server. You can use real or virtualized (simulated) hardware. This server should already have security measures in place, just as you would have for a real server. Make sure to test that your machine is running properly and has enough resources for any tools you include.
In general, this machine should reside in the Demilitarized Zone (DMZ) of your network. The DMZ is the area between your firewalls and any endpoints with Internet access.
Install MHN using the following command:
$ cd /opt/
$ sudo git clone https://github.com/pwnlandia/mhn.git
$ cd mhn/
$ sudo ./install.sh
2) Configure MHN
To configure MHN, you need to provide a few system-specific details. You are prompted for these details during installation. Be prepared to provide superuser credentials, URLs for your server and Honeymap, and a path for your log file. Once complete, you can log into your server using the credentials you specified to confirm that configuration and installation were successful.
When you configure your net, you should not publish the IP address ranges of your honeypots. Typically, honeypots can be found with scanners anyway. Keeping IPs private can help make honeypots look more realistic to attackers.
3) Run MHN
You can run MHN directly, behind a web proxy, over HTTPS, or in a container. MHN employs NGINX as its server software. You can view the status of MHN from an included web interface.
If you are simply testing how honeynets work, it is best to run this server from a service outside your own network. A Digital Ocean droplet or AWS instance will work well provided you carefully monitor your costs.
If you are creating a honeynet to aid your system security, consider placing the net behind your firewalls. This prioritizes catching attacks from inside the network, which can do the most damage.
4) Deploy Your Honeypots
MHN includes scripts for deploying a variety of open-source honeypots, including Snort, Cowrie, and glastopf. You can also manually deploy honeypots. The type of honeypot you use depends on your purposes. To customize your honeypots, refer to each tool’s respective documentation.
To deploy honeypots, you need to login to the MHN web app, choose deploy, and select the type of honeypot you want to use. Next copy the provided command, login to your destination server, and run the command with root privileges.
Once the command script finishes running, you can check that the honeypot was successfully deployed. Active honeypots are shown in your deployed sensor list in the web app.
5) Set Up Your Logging
You can integrate MHN with Splunk, ArcSight, or an Elastic Stack for logging. If you use ArcSight or Elastic, you can take advantage of built-in data analysis features in addition to data centralization.
Once you’ve integrated logging, you can begin analyzing the data that your honeynet collects. Depending on where you’ve placed your net, you may see numerous attacks per day. To help optimize your analysis, try to determine a baseline of activity. This is particularly helpful for external honeynets, which are likely to see activity from automated bots or other activity you are uninterested in.