Know The Enemy: Upgrade Your Threat Detection Strategy with Honeynets
Honeynets are an invaluable offensive security tool for learning the tactics and motives of the blackhat community and for sharing the information and insights gathered. This article explores what a Honeynet is, its value, how it works and the risks involved in deploying one. It also examines some open-source honeynet options your organization may wish to consider.
What is a Honeynet?

A Honeynet is a type of honeypot - a resource whose value lies in being probed, attacked or compromised - that is designed specifically for research. The traditional value of honeypots has been their ability to deceive blackhats and detect attacks. Smokescreen Product Manager Amir Moin elaborates on the value of honeypots: “Organizations can reap a myriad of benefits from deploying honeypots as part of a comprehensive threat detection strategy. Quality deception technology can help identify targeted threats with a very low rate of false positives. This technology is highly effective in detecting credential phishing attacks, identifying privilege escalation and lateral movement, protecting remotely accessible services and improving Active Directory security.”

A Honeynet is different from a traditional honeypot - it can be categorized as a research honeypot. This does not make it a better solution than a traditional honeypot; it merely has a different purpose. Instead of its value lying in the ability to detect or deceive attackers, a Honeynet's value lies in the ability to gain information on threats. The two biggest design differences between classic honeypots and honeynets are: first, a Honeynet is not a single system but a network of multiple systems and applications; second, the systems in a Honeynet are real production systems, with neither the systems nor their vulnerabilities emulated. It is these two design differences that make a Honeynet primarily a research tool. It can be used as a traditional honeypot, for purposes such as detecting unauthorized activity; however, a Honeynet requires significantly more work, risk and administration. It is simply not worth the effort of building and maintaining a Honeynet merely to detect attacks. For the sole purpose of detecting attacks, administrators are far better off with the simpler honeypot solution described above.

The Value of a Honeynet

Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption: all of these mechanisms are used defensively to protect one's resources.
The strategy is to defend one's organization as well as possible, detect any failures in the defense, and then react to those failures. The problem with this purely defensive approach is that the enemy is offensive and on the attack. Honeynets attempt to change this approach to security by giving organizations the ability to be proactive and take the initiative.

The primary purpose of a Honeynet is to gather information about the threats that exist. New tools can be discovered, worms can be captured and analyzed before they do extensive damage, and attack patterns can be determined. Captured information can also serve as an early warning system, alerting users to attacks before they happen.

Honeynets can also provide an organization with valuable information on its own security risks and vulnerabilities. Honeynets can consist of the same systems and applications that an organization is using in its production environment. Risks and vulnerabilities that exist in a Honeynet (which is far more closely monitored and analyzed) identify risks and vulnerabilities in the organization's production environment. For example, a company may want to implement a new web server interface for credit card use. Both the system and the application can first be tested in a Honeynet environment to identify any unknown risks or vulnerabilities.

Additionally, a Honeynet can help an organization develop its Incident Response capabilities. It can vastly improve an organization's ability to detect, react to, recover from and analyze systems that have been compromised. The advantage of analyzing these compromised systems is that, since most of the answers already exist, the systems can be treated as a 'challenge', allowing organizations to test their ability to determine what happened using various forensic techniques. The results can then be compared to the data captured from within the Honeynet.
This information can also be used to determine whether any other systems within an organization's production network have been compromised.

How Honeynets Work

Conceptually, Honeynets are a simple mechanism. In many ways a Honeynet is similar to a fishbowl: researchers and security professionals can see everything that happens inside it and can watch for and monitor attackers in the network. Also, just like a fishbowl, there are many options for adding to and altering a Honeynet.

Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining, from vast amounts of information, what is production traffic and what is malicious activity. Tools and techniques such as Intrusion Detection Systems, host-based forensics or system log analysis attempt to solve this problem by using a database of known signatures or algorithms to separate production traffic from malicious activity. However, information overload, data pollution, unknown activity, false positives and false negatives can make analyzing and evaluating activity extremely difficult.

Like all honeypots, the Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to carry production traffic. Thus, any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack or other malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised: an attacker has initiated a connection from a newly hacked computer and is now going out to the Internet. This concept greatly simplifies data capture and analysis.

There are two critical requirements that define every Honeynet: Data Control and Data Capture.
If there is a failure in either requirement, then there is a failure within the Honeynet. Honeynets are extremely flexible tools; they can be built and deployed in a variety of ways. As a result, almost no two Honeynets look the same; however, they must all meet the requirements of Data Control and Data Capture.

Data Control is what mitigates risk. It controls the attacker's activity by limiting what can happen both inbound and outbound. The risk is that once an attacker compromises a system within the Honeynet, they can then use that system to attack other, non-Honeynet systems, such as organizations on the Internet. The attacker must be controlled so they cannot compromise non-Honeynet systems. Data Capture collects all the activity that happens inbound, outbound or within the Honeynet. It provides valuable insight by recording attackers' activities. The trick is to both control and capture attackers' activity without them realizing that they are within a Honeynet.

There is a third requirement, Data Collection; however, this applies only to organizations that have multiple Honeynets in distributed environments. Many organizations will have only one Honeynet, so all they need to do is control and capture data. However, organizations that have multiple Honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. By doing this, the captured data can be combined, exponentially increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed Honeynets.

Data Control

As stated above, Data Control is the containment of activity. When dealing with blackhats, there is always risk that must be mitigated. It is critical to ensure that once compromised, a honeypot cannot be used to harm any system outside the Honeynet (anything inside the Honeynet is fair game).
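One way to express the containment that Data Control requires, as an added example that is not part of the original article or of any honeynet project: a honeypot is allowed a small number of outbound connections per time window (enough to fetch a toolkit or reach an IRC server) and anything beyond that is blocked, which prevents the compromised host from being used for scans or flooding. The honeynet address range, the limit of five connections per hour and the sample connection events are all assumptions constructed for the example.

```python
"""Outbound Data Control policy for a honeynet (added example, not the article's code)."""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("192.0.2.0/24")  # assumed honeynet range (documentation prefix)
MAX_OUTBOUND = 5                       # assumed limit: 5 outbound connections per window
WINDOW_SECONDS = 3600                  # assumed window: one hour


@dataclass(frozen=True)
class Connection:
    ts: int        # epoch seconds at which the connection was initiated
    src: str
    dst: str
    dport: int


class OutboundLimiter:
    """Per-honeypot sliding-window counter over outbound connections."""

    def __init__(self, max_outbound=MAX_OUTBOUND, window=WINDOW_SECONDS):
        self.max_outbound = max_outbound
        self.window = window
        self._history = {}  # honeypot address -> deque of allowed timestamps

    def decide(self, conn):
        """Return 'ALLOW', 'BLOCK', or 'PASS' when Data Control does not apply."""
        src, dst = ip_address(conn.src), ip_address(conn.dst)
        if src not in HONEYNET or dst in HONEYNET:
            return "PASS"  # inbound or honeynet-internal traffic is not rate limited
        q = self._history.setdefault(conn.src, deque())
        while q and conn.ts - q[0] >= self.window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.max_outbound:
            return "BLOCK"  # budget exhausted: likely a scan or flood
        q.append(conn.ts)
        return "ALLOW"


def apply_policy(events, limiter=None):
    """Run every event through the limiter; return (decision, event) pairs."""
    limiter = limiter or OutboundLimiter()
    return [(limiter.decide(e), e) for e in events]


def summarize(decisions):
    """Count decisions by outcome."""
    counts = {"PASS": 0, "ALLOW": 0, "BLOCK": 0}
    for decision, _ in decisions:
        counts[decision] += 1
    return counts


# Constructed sample: an outside host probes the honeypot, the honeypot then
# fetches a toolkit and joins IRC (allowed), and finally sweeps port 445 on
# ten hosts (only the first three fit in the budget; the rest are blocked).
SAMPLE = [
    Connection(1000, "203.0.113.7", "192.0.2.10", 22),
    Connection(1100, "192.0.2.10", "198.51.100.5", 80),
    Connection(1200, "192.0.2.10", "198.51.100.9", 6667),
] + [Connection(1300 + i, "192.0.2.10", f"198.51.100.{20 + i}", 445) for i in range(10)]


if __name__ == "__main__":
    for decision, ev in apply_policy(SAMPLE):
        print(f"{decision:5} {ev.src} -> {ev.dst}:{ev.dport}")
    print(summarize(apply_policy(SAMPLE)))
```

The budget is deliberately generous for the first few connections and strict afterwards, which is the trade-off the section describes: the attacker keeps enough freedom to show their next steps, while a blocked sweep is itself a logged signal that the honeypot is being used as a launch point.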
However, the challenge is to control the data flow without making blackhats suspicious. Once a system is compromised, blackhats will often require Internet connectivity, for example to retrieve toolkits or set up IRC connections. We have to give them the flexibility to execute these actions, as these are the very steps we want to learn from and analyze. Also, blackhats may become highly suspicious if they cannot initiate any outbound connections. We made that very same mistake with our first honeypot. We did not allow any outbound Internet connections. It took the blackhat only fifteen minutes to figure out something was wrong, wipe the system drive, and leave the network. So, the trick is to give the blackhat the flexibility to execute whatever they need, but without allowing them to use the compromised system to attack others with Denial of Service attacks, system scans and other types of exploits.

Data Capture

Data Capture encompasses the capturing of all malicious activities that occur within a Honeynet. It is these activities that are then analyzed to learn about the blackhat community. The challenge is to capture as much data as possible without blackhats figuring out what is going on. This is done with as few modifications as possible, if any, to a honeypot. Also, captured data must be stored remotely - it cannot be stored locally on the honeypot. Information stored locally could potentially be detected by the blackhat, alerting them that the system is part of a Honeynet, and data stored locally is also at risk of being lost or destroyed.

Successful Data Capture is done in layers - no single layer will capture adequate information. Rather, data must be gathered from a variety of resources. Only a multi-layered approach reveals 'the big picture'. The first layer of logging activity is the firewall. The firewall logs all connections initiated to and from the Honeynet. This information is critical, as all connections are suspicious.
Firewalls should be designed not only to log all connections, but also to alert the administrator whenever a connection is attempted. This is extremely useful for tracking scanning patterns. Additionally, a firewall can detect backdoors or proprietary ports. Most exploits create a shell or backdoor on a system. These backdoors are easy to detect when the firewall alerts on a connection to a system on a random high port. The firewall should also send an alert when a honeypot on the Honeynet initiates an outbound connection. The firewall once again logs this activity, indicating that a system was compromised.

Another critical layer is the IDS, which has two purposes. The first, and by far the most important, is to capture all network activity. The primary job of the IDS is to capture and record every packet that hits the wire. The IDS resides on a 'port monitoring' port, so it can record all network activity. These records are then used to analyze blackhats' activities. The second function of the IDS is to alert an administrator to any suspicious activity within the Honeynet. Most IDS systems have a database of signatures; when a packet on the network matches a signature, an alert is generated. This function is not as critical for a Honeynet, as any activity is considered suspicious by nature. However, the IDS can provide detailed information about a specific connection.

Data Collection

Data Control and Data Capture are the two mandatory requirements for Honeynet technologies. Any time an organization deploys a Honeynet, it is critical to ensure that these standards are met. Data Collection is different in that it is optional. Data Collection is the aggregation of data from multiple Honeynets to a centralized point. Its purpose is to exponentially increase the value of the information collected. Most organizations deploy only a single Honeynet, so Data Collection does not apply. However, some organizations deploy multiple Honeynets.
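The firewall layer of Data Capture, together with the identifier tagging that Data Collection calls for, as an added example that is not part of the original article: every connection to or from the honeynet is recorded, an inbound connection to an unexpected high port is flagged as a possible backdoor, an outbound connection initiated by a honeypot is flagged as a compromise, and every record carries the honeynet's unique identifier so a central collector can merge data from several honeynets. The log line format, the honeynet range, the honeypots' expected service ports, the identifier and the sample log are all constructed for the example; the secure transport to the collector is not shown.

```python
"""Firewall-layer Data Capture with Data Collection tagging (added example, not the article's code)."""
import re
from ipaddress import ip_address, ip_network

HONEYNET_ID = "honeynet-example-01"    # assumed unique identifier for this honeynet
HONEYNET = ip_network("192.0.2.0/24")  # assumed honeynet range (documentation prefix)
# Assumed services deliberately exposed on each honeypot; an inbound connection
# to any other high port is treated as a possible backdoor left by an exploit.
EXPECTED_PORTS = {"192.0.2.10": {22, 80}, "192.0.2.11": {21, 25}}

# Constructed log format: "<timestamp> <action> proto=<p> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one firewall log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a parsed connection using the honeynet's own rules."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    if src in HONEYNET and dst not in HONEYNET:
        return "COMPROMISE"             # a honeypot reached out: it has been taken over
    if src not in HONEYNET and dst in HONEYNET:
        expected = EXPECTED_PORTS.get(rec["dst"], set())
        if rec["dport"] > 1024 and rec["dport"] not in expected:
            return "POSSIBLE_BACKDOOR"  # inbound connection to a random high port
        return "PROBE"                  # any other inbound connection is a probe or attack
    if src in HONEYNET and dst in HONEYNET:
        return "INTERNAL"               # honeypot-to-honeypot: recorded, not alerted
    return "UNRELATED"


def capture(lines, honeynet_id=HONEYNET_ID):
    """Parse and classify log lines, tagging each record for central collection."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the firewall wrote in some other format
        rec["label"] = classify(rec)
        rec["honeynet_id"] = honeynet_id
        rec["alert"] = rec["label"] in {"COMPROMISE", "POSSIBLE_BACKDOOR"}
        records.append(rec)
    return records


def alert_summary(records):
    """Count records per label."""
    labels = ("PROBE", "POSSIBLE_BACKDOOR", "COMPROMISE", "INTERNAL")
    return {lbl: sum(1 for r in records if r["label"] == lbl) for lbl in labels}


# Constructed sample firewall log: a probe of SSH and HTTP, a connection to an
# unexpected high port, the honeypot calling out to an IRC server, and
# honeypot-to-honeypot mail traffic, plus one malformed line.
SAMPLE_LOG = """
2024-05-01T10:00:00Z ACCEPT proto=TCP src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:05Z ACCEPT proto=TCP src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:03:00Z ACCEPT proto=TCP src=203.0.113.7 dst=192.0.2.10 dport=31337
2024-05-01T10:04:00Z ACCEPT proto=TCP src=192.0.2.10 dst=198.51.100.5 dport=6667
2024-05-01T10:04:30Z ACCEPT proto=TCP src=192.0.2.10 dst=192.0.2.11 dport=25
malformed line that the parser should skip
""".strip().splitlines()


if __name__ == "__main__":
    for r in capture(SAMPLE_LOG):
        flag = "ALERT" if r["alert"] else "log  "
        print(f"{flag} [{r['honeynet_id']}] {r['label']:17} {r['src']} -> {r['dst']}:{r['dport']}")
```

Because a honeynet carries no production traffic, the classifier needs no signature database: direction relative to the honeynet range and the port decide the label, which is the simplification the section credits to honeynets.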
In these cases, there needs to be a standard for Data Collection. When part of a distributed environment, each Honeynet is assigned a unique identifier. Data sent by each Honeynet to the central location is tagged with that unique identifier, and each Honeynet forwards its tagged data to the single data collection point.

Virtual Honeynets

Virtual Honeynets take the same concepts used in classic Honeynets and implement them on a single system. This implementation has both advantages and disadvantages compared with classic Honeynets. The advantages of deploying virtual Honeynets are reduced cost and easier management, as everything is combined on a single system. However, this simplicity comes at a cost. Virtual Honeynets limit the types of operating systems you can deploy to those supported by the hardware and virtualization software they require. In addition, virtual Honeynets carry increased risk: an attacker could potentially break out of the virtualization software and take over the Honeynet host system, bypassing the Data Control and Data Capture mechanisms.

Open-Source Honeynets: Detect Threats For Free

Cyberattacks are rapidly evolving, posing a bigger threat to organizations' security than ever before. Deception technology is invaluable in detecting advanced attacks and reflecting the costs of these exploits back onto the attackers. Are you looking for a way to realize the benefits of deception technology for free? Deploying open-source honeynets makes this possible. Smokescreen Product Manager Amir Moin explains, “Deception technology is an effective approach to threat detection. However, some organizations might be apprehensive about investing time and money into this technology without being certain that it will work for them.
Security teams at these organizations can use open-source honeynets to 'test the waters' and demonstrate value to management without spending a dime.”

Here are some great open-source honeynet options you may want to consider:

All-in-One
Network Services Honeynets
Honeyclients and Malware Analysis
Database and NoSQL Honeynets
Honeytokens
Internet of Things (IoT) Honeynets
SCADA/ICS Honeynets

Honeynet Care, Feeding and Risk

Honeynets are not a "fire and forget" solution; they are a complex type of honeypot that requires constant maintenance, administration and vigilance. For maximum effectiveness, administrators need to detect and react to incidents as soon as possible. By watching blackhat activities in real time, one can maximize Data Capture and analysis capabilities. Also, to detect the unknown, suspicious activity must constantly be reviewed. This requires extensive time and analysis capabilities. For example, in just 30 minutes a blackhat can do enough damage to a compromised honeypot to require 30-40 hours of work to fully understand what happened.

Constant maintenance is also required to ensure the operability of a Honeynet. If something goes wrong - which is definitely not uncommon - the Honeynet needs attention: alert processes may fail, disks can fill, IDS signatures can become outdated, configuration files can become corrupted, system logs will need to be reviewed and firewalls will need to be updated and patched. This represents just a small portion of the constant care and feeding that is required for a Honeynet to be successful. Your work has only begun when you implement a Honeynet!

Virtual Honeynets eliminate some of the headaches associated with deploying and maintaining a Honeynet by combining all the elements of a Honeynet onto one physical system. Not only are all three requirements of Data Control, Data Capture and Data Collection met, but the honeypots themselves run on the single system. The honeypots are actual operating systems; nothing is emulated. The advantage here is one of both cost and efficiency. It is much cheaper to use a single system to run all the elements of a Honeynet, and it is much easier to deploy and maintain.
Also, there are risks involved with building and implementing a Honeynet that must be considered. Before deploying a Honeynet, it is important to understand and acknowledge that blackhats will be attacking and compromising these systems. By setting up a network to be compromised, administrators expose both themselves and others to risk. They assume a responsibility to ensure that the Honeynet, once compromised, cannot be used to attack or harm other systems. However, in a Honeynet environment there is always the potential for something to go wrong. There are a variety of measures that can be implemented to mitigate this risk; however, it is quite possible for a blackhat to develop a method or tool that bypasses these access control methods. Also, one needs to be constantly testing and updating the environment to ensure that control measures are working effectively. Never underestimate the creative power of the blackhat community! The use of a firewall, routers and other techniques can help mitigate the risk of a Honeynet being used to damage other systems. However, there is risk associated with any Honeynet regardless.

Finally, Honeynets should not be viewed as a solution for all of an organization's security problems. LinuxSecurity Founder Dave Wreski cautions: “Organizations should focus on best practices first, such as strong authentication, use of encrypted protocols, reviewing system logs and secure system builds. By prioritizing proper policies and procedures, risk can be greatly reduced. Honeynets do not reduce risk - they most likely increase it. Honeynets are designed to gather information on the enemy - they will not fix unsecured servers, nor will they fix bad processes or procedures.”

Conclusion

Honeynets are a type of honeypot designed to gather information - specifically the tools, tactics and motives of the blackhat community. This information can be used to protect organizations against various threats.
There are two design differences between traditional honeypots and a Honeynet. The first is that a Honeynet is not a single system, but a network of multiple systems and applications. The second is that Honeynets are built from production systems - the same systems found on the Internet. Neither the systems nor the vulnerabilities are emulated. This combination makes Honeynets an excellent research tool. However, Honeynets require a tremendous amount of administrative overhead. The Honeynet administrator has the responsibility of ensuring that no other systems will be attacked from a compromised Honeynet. LinuxSecurity Founder Dave Wreski evaluates the risks and benefits associated with deploying Honeynets: “Without proper administration, the risks of using a Honeynet may outweigh the reward. This tool is not a cure-all or a 'band-aid' for fundamental security flaws, and it may not be a suitable solution for every organization. Organizations should first focus on securing their systems. Once secured, they may then be able to utilize Honeynets as a powerful tool to take the initiative and learn more about both the enemy and themselves.”