Join Lisa Bock for an in-depth discussion in this video Implementing a honeypot, part of IT Security Foundations: Network Security.
- A honeypot is a system set up to lure a would-be attacker, with the goal of observing their behavior in order to learn attack methodologies to better protect the real network, and to gather forensic evidence required to aid in the apprehension or prosecution of intruders. Placement of a honeypot depends on your objectives: it can be inside the LAN, in the DMZ, or outside as a tasty treat for a would-be attacker. Use caution, and it may be best to keep it in the DMZ, because even though this is a fake system, they are essentially in your network.
A honeypot many times is part of an intrusion detection system, but keep in mind, the main focus is on gathering information. Once an intruder breaks into a system, many times they will come back for subsequent visits, where more information can be monitored and saved. Keep the system as generic as possible; if you soup up the system too much, an attacker may disconnect. Put interesting data in the system, to appear as if they hit a valuable target.
Information may not be admissible in court, and too many traps might inspire the hacker community. So be careful; there are blogs out there that share information on honeypots and honeynets. Here I'm at this website, where we can see a little bit of information gleaned, in a blog about some stats found in Most Commonly Guessed Password and Most Common User ID. Of course, those are ones that we'd want to avoid using on our system. Use the logs, and from those we can glean some information, such as whether it's a human or an automated system or malware.
A human will be slow, have misspellings, and use directed commands based on previously gained knowledge of the targeted network. Automated will be fast, with no misspellings, more of a shotgun approach, trying everything. And gather information, such as: where is the attacker? What is their target? What is the operating system targeted? And what are the vulnerabilities? What could be their ultimate goal? Vandalism? Theft? Many times if you get an out-of-the-box honeypot it may contain logging capabilities.
Also included would be a sniffer that could be stored and used for forensic purposes. I'm at The Honeynet Project, and here you can see information about challenges that are posed, so you can learn more about honeypots and honeynets. I've downloaded and extracted attack-trace.pcap. I'll just show you one thing, for example: where would the attack be coming from? I'm in Wireshark, a free protocol analysis tool, and just looking at this, you see that the first three packets are part of a three-way handshake.
The first packet in the three-way handshake is the SYN packet. Now this comes from the client, so we know that the IP address of the client is 18.104.22.168, but where is that IP address? I'm going to go down to the IP protocol header, and I'm going to right-click, and I'm going to say Copy, the Value. Then I'll type ip, and then the value.
This will give me a geolocation of where the possible attack came from. If you find this information to be consistent, you should possibly look into it, and continue to gather information.
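The handshake check Lisa does by hand in Wireshark, as an added Python example that is not part of the course: it walks a libpcap file, finds the first SYN without ACK, and reports the client (source) and server (destination) of that session. The capture is constructed in code using the video's client address and an assumed private server address and port; it is not the real attack-trace.pcap.

```python
# Added example: locate the client that opened a TCP three-way handshake in a
# libpcap file (Ethernet framing). The capture below is constructed, not attack-trace.pcap.
import struct

SYN, ACK = 0x02, 0x10

def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet + IPv4 + TCP header, no payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))
    return eth + ip + tcp

def build_pcap(frames) -> bytes:
    """libpcap file: 24-byte global header (linktype 1 = Ethernet) + per-packet records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out

def handshake_client(pcap: bytes):
    """Return (client_ip, server_ip, server_port) from the first SYN without ACK, else None."""
    off = 24                                              # skip global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # need IPv4 over Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        dport, flags = struct.unpack_from("!H", tcp, 2)[0], tcp[13]
        if flags & SYN and not flags & ACK:               # the packet that opens the session
            return (".".join(map(str, frame[26:30])),     # IP source = client
                    ".".join(map(str, frame[30:34])),     # IP destination = server
                    dport)
    return None

# Constructed handshake: client is the address read off in the video; server/port are assumed.
SAMPLE = build_pcap([
    build_frame("18.104.22.168", "192.168.1.10", 40001, 22, SYN),
    build_frame("192.168.1.10", "18.104.22.168", 22, 40001, SYN | ACK),
    build_frame("18.104.22.168", "192.168.1.10", 40001, 22, ACK),
])
```

Running `handshake_client(SAMPLE)` returns the client address, the honeypot address and the port the client went after; the returned client address is what you would then feed to a geolocation lookup.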
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.