Open-Source Honeynets: Detect Threats For Free
Cyberattacks are rapidly evolving, posing a bigger threat to organizations’ security than ever before. Deception technology is invaluable in detecting advanced attacks and reflecting the costs of these exploits back onto the attackers. Are you looking for a way to recognize the benefits of deception technology for free? Deploying open-source honeynets makes this possible. Smokescreen Product Manager Amir Moin explains, “Deception technology is an effective approach to threat detection. However, some organizations might be apprehensive about investing time and money into this technology without being certain that it will work for them. Security teams at these organizations can use open-source honeynets to ‘test the waters’ and demonstrate value to management without spending a dime.” Here are some great open-source honeynet options you may want to consider:
- Modern Honey Network (MHN) is a centralized server for honeypot management and data collection. It combines Snort, Kippo, Dionaea and Conpot. MHN is user-friendly and easy to install.
- Honeydrive is a GNU/Linux distribution that comes with a host of honeypot and active defense tools pre-installed. It can be viewed as the “anti-Kali”.
Network Services Honeynets:
- Cowrie is a medium- to high-interaction SSH honeypot that emulates an interactive SSH server with customizable responses to commands. It is designed to log brute-force attacks and the shell interaction performed by attackers.
- Dionaea is a multi-protocol honeypot that covers everything from FTP to SIP. Its SMB decoy is a particular strength, and it is able to simulate malware payload execution in order to capture and analyze multi-part stagers.
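A honeypot only pays off if someone reads its logs. The following is an added example, not code from this post or from the Cowrie project, showing how a defender might triage Cowrie-style JSON log lines: it parses the events, groups them by source address, and ranks each source by what it did. The event names and field names (`eventid`, `src_ip`, `username`, `password`, `input`) are assumed to match Cowrie's JSON output; the log lines themselves are constructed sample data using documentation IP ranges, including one deliberately malformed line to show that a broken record must not stop the parser.

```python
import json
from collections import defaultdict

# Constructed sample log in the one-JSON-object-per-line layout Cowrie writes.
# Field and event names are assumed to match Cowrie's cowrie.json output; the
# addresses come from documentation ranges and are not real observations.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "s1", "timestamp": "2024-01-01T10:00:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456", "session": "s1", "timestamp": "2024-01-01T10:00:01Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "password", "session": "s1", "timestamp": "2024-01-01T10:00:02Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "admin", "session": "s1", "timestamp": "2024-01-01T10:00:03Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "session": "s1", "timestamp": "2024-01-01T10:00:04Z"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "username": "root", "password": "toor", "session": "s1", "timestamp": "2024-01-01T10:00:05Z"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "input": "uname -a", "session": "s1", "timestamp": "2024-01-01T10:00:06Z"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "input": "cat /proc/cpuinfo", "session": "s1", "timestamp": "2024-01-01T10:00:07Z"}
this line is not JSON and must be skipped, not crash the parser
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "username": "root", "password": "root", "session": "s2", "timestamp": "2024-01-01T10:05:00Z"}
"""


def parse_events(text):
    """Parse JSON-lines text into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt record should not stop the rest from being read
        if isinstance(obj, dict) and "eventid" in obj:
            events.append(obj)
    return events


def summarize_by_source(events):
    """Group activity per source IP: login outcomes, credentials tried, commands run."""
    summary = defaultdict(lambda: {"failed": 0, "success": 0, "credentials": [], "commands": []})
    for ev in events:
        entry = summary[ev.get("src_ip", "unknown")]
        eid = ev.get("eventid")
        if eid == "cowrie.login.failed":
            entry["failed"] += 1
            entry["credentials"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            entry["success"] += 1
            entry["credentials"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            entry["commands"].append(ev.get("input", ""))
    return dict(summary)


def alerts(summary, brute_force_threshold=3):
    """Return (src_ip, severity, reason) tuples, sorted by source address.

    A decoy has no legitimate users, so any successful login or command is
    rated high. Repeated failures at or above the threshold are rated medium
    (password guessing); a few failures are still worth a low-severity record.
    """
    out = []
    for src, entry in sorted(summary.items()):
        if entry["success"] or entry["commands"]:
            out.append((src, "high",
                        f"{entry['success']} successful login(s), {len(entry['commands'])} command(s) run"))
        elif entry["failed"] >= brute_force_threshold:
            out.append((src, "medium", f"{entry['failed']} failed logins (brute force)"))
        elif entry["failed"]:
            out.append((src, "low", f"{entry['failed']} failed login(s)"))
    return out


if __name__ == "__main__":
    summary = summarize_by_source(parse_events(SAMPLE_LOG))
    for src, severity, reason in alerts(summary):
        print(f"[{severity}] {src}: {reason}")
```

The severity logic is the point worth taking away: on a production host a handful of failed SSH logins is background noise, but on a honeypot there is no legitimate traffic at all, so a single successful login or executed command is already a high-confidence signal and should be forwarded to the SIEM as such rather than buried under a volume threshold.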
Honeyclients and Malware Analysis:
- Cuckoo Sandbox is not technically a honeypot; however, it is an excellent sandbox for malware analysis. This tool allows you to safely execute suspected malware samples in an isolated environment, and it provides a comprehensive report on what the sample did while running.
- Thug is a low-interaction “honeyclient” that mimics the behavior of a web browser to analyze client-side exploits.
Database and NoSQL Honeynets:
- MongoDB-HoneyProxy is a honeypot proxy that emulates an insecure MongoDB database, logging all traffic to a dummy MongoDB server.
- ElasticHoney emulates an Elasticsearch instance and logs attempts at remote code execution (RCE) against it.
- Canarytokens by Thinkst Applied Research let you position decoy data across your systems for attackers to trigger, helping track activity on your network.
Internet of Things (IoT) Honeynets:
- Honeything is a honeypot for Internet of Things devices managed over TR-069. It is designed to act as a modem/router with an embedded RomPager web server, and it supports the TR-069 (CWMP) protocol.
- ConPot emulates a wide range of operational technology control system infrastructures, and is designed to be easy to deploy, modify and extend. It provides common industrial control protocols, which can be used to build a system that mimics a complex infrastructure convincingly enough that an attacker believes they have found a large industrial site. ConPot also comes with a web server that can emulate a SCADA HMI.
- GasPot emulates a Veeder-Root Guardian AST, a tank monitoring device commonly used in the oil and gas industry.