Honey potsIn case you do not know what a honey pot is, a honey pot is a system that appears to be a vulnerable system. This allows the owner of the honey pot to observe attacks on the system to learn from them so that the owner can better defend the systems with real data. Honey pots can be an effective tool to help defend your network by providing valuable intelligence. However, they can only be effective if they are set up correctly (just like any other defensive measure you might deploy).
There is nothing of value kept on the honey pot, but for a honey pot to be effective, it must look like it belongs in the network. This means that it should have data that looks like it might belong to the organization or be set up in a way that is similar to other hosts in the network. Therefore, if the honey pot looks fake or out of place, the attacker might change tactics. At best, the attacker will avoid your network to avoid compromising his tactics. At worst (and more realistically), he will adapt and change his techniques to avoid or degrade the honey pot so that it is no longer effective. If you deploy the same honey pot elsewhere in your network, the attacker may know how to find those other honey pots and steer around them.
So, when setting up a honey pot (or anything else), be sure to alter the defaults so that it does not become low hanging fruit.
An exampleWhen Shellshock (CVE-2014-6271) was a big thing last year, it was interesting to see how many related vulnerabilities were found in quick succession. Given the popularity of Shellshock, a honey pot was developed called Shockpot that allowed researchers, defenders, or curious people to deploy it to watch attackers try to use Shellshock.
In its default configuration, the server presents a very specific (fake) webpage that we can use to find default Shockpot installations. Here is the configuration file (from the GitHub page):
Hopefully, other defense mechanisms in your network will help you see an attacker poking at your network, but a default honey pot will likely not gain you much.
ConclusionHoney pots are one tool in the tool box for a network defender. But as with any network defense tool, it requires set up and maintainence to be effective. So when you are considering deployment of a network defense measure, think through it:
Ask questions such as:
- How can I tailor this tool to my network so that an attacker does not notice it? Changing default configurations goes a long way.
- How can I deploy the tool in the right place in my network so that it will be the most effective? A honey pot on the inside of the network may be good for insiders or attackers that are already in, but will probably not do anything for you to gather information about threats hitting your perimeter.
- Does this tool clash with other tools I already have deployed? For example, if you put your IDS inside of your firewall, you will catch potential intrusions that make it past your firewall, but what about those that do not? Some of them may be script kiddies, but some of the traffic might be a precursor to an intrusion event.
- Will I monitor and digest the output of the tool? If you have an IDS or honey pot that is providing information about potential attacks, but you ignore it, then it is not doing any good. If you do not have the resources necessary to make use of the information that the tool is trying to tell you, then you may need to reconsider deploying it.