Open-Source Honeypots that Detect Threats for Free

Security-savvy Linux sysadmins understand that it's best to assume that their systems are breached. Threats targeting Linux systems are becoming increasingly pervasive due to the growing popularity of the open-source OS. Linux malware reached an all-time high in the first half of 2022.

When it comes to detecting and protecting against malware and other security threats, traditional intrusion detection and prevention systems dispatch too many false positives and can be too easy to circumvent. Moreover, threat hunters can't catch everything, and there are not enough people with these skills to go around. 

As a result, administrators and organizations are increasingly turning to active defense, or deception technologies, to help identify malicious actors within their systems. Honeypots, an invaluable offensive security tool for learning the tactics and motives of the Blackhat community and sharing the information and insights gathered, are an excellent type of deception technology that is highly effective in detecting attacks and lateral movement, protecting remotely accessible services, and improving active directory security with a very low rate of false positives. This article will explore deception technologies and how they work and introduce some excellent open-source honeypots you can use to detect threats for free.

What Are Deception Technologies & How Do They Work?

Deception technology is aimed to deceive attackers by setting up decoys and traps that imitate an actual environment. It is a cybersecurity defense strategy that is triggered if an attacker gains access to one of them. Once one of these decoys is triggered it will monitor the attack and log all events.

Once the attacker infiltrates the decoy and all events are logged, these logs can be used to find out how attackers plan to gain access to the network and what actions they will carry out once they are inside. Knowing this information will help organizations defend against these attacks by patching any vulnerabilities the attacker was planning to use and protecting end points and anything the attacker used on the decoy.

What Should I Prioritize in an Open-Source Deception Tool?

There are many open-source deception technology tools available to use right now, but before choosing one, here is what you should look for in these tools. 

Concealment

Deception tools are not always decoy assets. Sometimes the goal is to conceal sensitive data. This would limit the severity of attacks if the adversary were not able to see the hidden data.

Redirection

A good deception technology tool will be able to redirect attackers from production systems to the decoy targets. The goal of these tools is to not let the attacker know of the decoy, but rather think they are attacking the actual production environment.

Does it cover every environment in need of protection?

The chosen deception technology tool should cover the types of environments of the user. For example, if a user is choosing a deception tool and they use cloud environments, they should check if the tool covers it. There are many different environments that users would want covered, such as cloud, hybrid, IoT, network infrastructures, and more. Therefore, it is critical to know what environments the tool you are choosing covers.

How effective is it with different types of attacks?

Ideally, it would be best to choose a deception tool that covers all types of attacks and all activity carried out by adversaries, such as reconnaissance activity, stolen credentials, AD attacks, lateral movement in general, and so on.

How comprehensive is it?

Does the chosen tool cover endpoints? What types of deception lures are available? Does it cover servers, applications, databases? These are important questions to ask when looking for the right tool for you.

How authentic is the deception?

It is important that the deception is authentic, to trick the attackers. If it is not authentic and will not fool anyone, then it is of no use. It is important to know if the deception technology can emulate the actual environment. Some tools even deploy fake users to show activity, and so on.

Is it difficult to deploy and operate?

Some of these tools are easy to use, some are scalable, some offer automation. It is important to know about all this information before deciding on which tool to use.

How well does it identify, analyze, and report attacks?

It is also beneficial to know if the tool can identify attacks without known attack patterns or signatures. Moreover, can it collect data from attacker engagement and present it in a usable format?

Know the Enemy: Using Honeypots for Threat Detection

What Is a Honeypot & How Does It Work?

A honeypot is a type of deception technology that is a network-attached system set up to attract attackers and study attempts to gain access to the environment. It presents itself as a vulnerable target on the network and sends alerts of access attempts so that any attacker activity is monitored.

Honeypots are placed in demilitarized zones on the network so that it is kept isolated from the main production network. It consists of applications and data that mimic the behavior of a real environment and appears to be a part of a network, but it is isolated. Any attempts to communicate with the honeypot is considered hostile and triggers alerts. Monitoring the honeypot and logged activity provides organizations with information on threats and vulnerabilities.

Usually, honeypots are set up and hosted on virtual machines, so that they can be quickly restored if they are compromised. Having two or more honeypots forms a honeynet, and a centralized collection of honeypots is called a honey farm.

Data control and data capture are two critical requirements of honeynets. Since they are extremely customizable and flexible, they can be built and set up in different ways. Data control mitigates risk and controls the attacker so that non-honeynet systems are not compromised. Data capture collects the attacker’s activity on the honeynet. For organizations with multiple honeynets or a honey farm, data collection is also a requirement. Organizations with a honey farm will have to collect data to a central location.

Open-Source Honeypots that Detect Threats for Free

There are many open-source honeypots that detect threats for free, it is critical to do some research on the tools to find ones that better fit each person’s or organization’s needs. Moreover, when deploying honeypots, it should be done with caution as if they are not properly set up or isolated, they could provide the attacker with access to the actual network and compromise it.

• Modern Honey Network (MHN)is a user-friendly, easy to install, honeypot that runs on a centralized server. It combines Snort, Kippo, Dionaea, and Conpot. 
• Honeydrive is a GNU/Linux distribution that comes pre-installed. It offers a host of active defense capabilities and can be viewed as the “anti-Kali”.
• Cowrie is a SSH honeypot which mimics an interactive SSH server and command responses can be customized. It logs brute force attacks as well as attacker shell interactions.
• Dionaea is a multi-protocol honeypot that covers everything from FTP to SIP. It excels in SMB decoys and can simulate malware payload execution to analyze multi-part stagers.
• Cuckoo Sandbox is a sandbox rather than a honeypot; however, it is a great tool for malware analysis as it provides a detailed report on the executed code.
• Thug is a “honeyclient” that emulates a web browser to analyze client-side exploits.
• MongoDB-HoneyProxy is a honeypot proxy that mimics an insecure MongoDB database, logging all traffic to a dummy MongoDB server.
• ElasticHoney emulates an elastic search instance, and searches for attempted remote code execution.
• Canarytokens helps you track activity on your network by positioning decoy data across your systems.
• Honeything is a honeypot for IoT devices supporting the TR-069 (CWMP) protocol. It acts as a modem/router with a RomPager embedded web server.
• Conpot can be used to emulate complex infrastructures to attract attackers to a huge industrial complex. It is designed to be easy to deploy, modify, and extend. Moreover, it comes with a web server that can emulate SCADA HMI.
• GasPot is good for organizations in the oil and gas industry as it mimics a Veeder Root Guardian AST, which is usually used in that industry.

Final Thoughts 

Deception technology is critical in detecting and eliminating modern threats to Linux systems to maintain a robust security posture. Honeypots are a highly effective type of deception technology with a very low rate of false positives. The open-source honeypots discussed in this article are a free and reliable way to identify and stop malware and other attacks before damage is done. 

Are you using one of these honeypots? Comment below- we’d love to hear how your experience has been!