Hello all,

Nowadays, many organizations suffer from security breaches and data leakage, and this keeps increasing with the tools available online, which can be used by script kiddies with no knowledge of their impact on the organization, or by black hat hackers with malicious intent. According to statistics, the majority of attacks are unknown to the security vendors, with DoS, account hijacking and other attack vectors following. I retrieved the diagram of the attacks for 2013 from hackmageddon, and it clearly illustrates the attacks.

[Figure: attack statistics for 2013, from hackmageddon]

Due to the complexity of attacks and the intelligence level of attackers, organizations are considering implementing honeypots to lure the attacks and deflect them.

Today I would like to talk about honeypots and how they are evolving to meet the demands of security. A honeypot is a trap to lure the hackers, or a mirror of the actual production system that deflects the real attacks. Currently many organizations implement honeypots to create fake clone systems, either to lure or to mislead the attacker. Security researchers implement honeypots to learn about attack vectors, to analyse malware and to study the behaviour of attackers.

Generally, a honeypot is a trap which detects or deflects an attempted attack against the organization and its information systems. Honeypots are usually computers or virtual machines which appear to be in the same network as the target application or system and run mirror applications that look like candy land to an attacker, but they are completely isolated, fake and well monitored. Honeypots can also take other forms, such as files, IP addresses, data records and so on.

A honeypot is an important feature and security mechanism, acting as a watchdog and early warning system for the company; having gathered this information, the company can take proactive measures.

For example:

The security administrators can audit the activity of the attacker and learn what type of vulnerability the attacker is exploiting and how he is approaching the system; with this information, the security design of the real IT infrastructure can be modified.

The hacker or hackers could be caught while attempting to gain root-level privileges or to obtain confidential data (fake confidential data, but the hacker might not know that just yet).

Simple honeypot creation using open-source software.

Honeyd is a honeypot for Unix-like systems which can create multiple virtual hosts emulating various operating systems. The OS emulation is achieved by replying at the TCP/IP level the same way the emulated OS would (this is how nmap normally detects operating systems). When an attack occurs, Honeyd can detect and log the perpetrators for further analysis. The link to the software can be found here: https://www.honeyd.org/

I would now like to talk specifically about a honeypot called Beeswarm, which was created during GSoC 2013. Beeswarm is a honeytoken-like honeypot which makes use of client-side traffic to detect attacks and gather information. The honeypots are there to be abused by the attackers while logging the information. This type of honeypot can simulate a variety of services, from HTTP(S) to database emulation.

The Beeswarm honeypots can be configured to send the attacker a message pretending that the attack has succeeded and to serve false data, while gaining information about the attack type and the attacker. The honeypots can be configured and customized to various levels.

Beeswarm can use automatically or manually created clients and services, and can detect expected and unexpected traffic. Beeswarm consists of three main parts: the Hive, the Feeder and the Beekeeper.

The Hive is the actual server which runs the applications, such as HTTPS, HTTP, SSH, FTP or SMTP.

The Feeder is used to lure attackers, letting them log in and carry out malicious activities.

The Beekeeper is the end-point web GUI; it audits every session made on the Hive servers and can determine whether a session comes from a malicious user or a legitimate one.

This type of technology can be used to prevent MITM attacks on the production environment without any third-party tools.
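As an added example (not part of the original post, nor the Beeswarm project's own code), the following Python sketch shows the core decision the Beekeeper makes from the description above: each session the Hive logs is matched against the sessions the Feeder announced (same protocol and credentials, start time close together); a login that reuses Feeder credentials without a matching announcement means the Feeder's client traffic was intercepted on the way to the Hive, and a login with credentials no Feeder ever used is plain probing. The `Session` record format, the 30-second matching window and the sample sessions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Session:  # assumed record format for one logged login
    source_ip: str
    protocol: str
    username: str
    password: str
    started: datetime

T0 = datetime(2014, 1, 15, 10, 0, 0)

# Constructed sample: logins the Feeder announced to the Beekeeper before making them.
FEEDER_SESSIONS = [
    Session("10.0.0.5", "ssh", "backup", "Winter2013!", T0),
    Session("10.0.0.5", "ftp", "upload", "ftp-honey-1", T0 + timedelta(minutes=5)),
]
# Constructed sample: logins the Hive actually received (the last two are not the Feeder).
HIVE_SESSIONS = [
    Session("10.0.0.5", "ssh", "backup", "Winter2013!", T0 + timedelta(seconds=2)),
    Session("10.0.0.5", "ftp", "upload", "ftp-honey-1", T0 + timedelta(minutes=5, seconds=1)),
    Session("203.0.113.9", "ssh", "backup", "Winter2013!", T0 + timedelta(hours=3)),
    Session("203.0.113.9", "ssh", "root", "123456", T0 + timedelta(hours=3, seconds=20)),
]

def classify_hive_sessions(feeder, hive, window=timedelta(seconds=30)):
    """Return [(session, verdict)] for every Hive session, in input order.
    legitimate: matches one Feeder announcement (same protocol/credentials,
      start within `window`); each announcement is claimed at most once.
    credential_reuse: honeytoken credentials used outside any announced session,
      i.e. the Feeder-to-Hive traffic was probably intercepted.
    unknown_credentials: credentials no Feeder ever used (scanning/brute force).
    """
    creds = lambda s: (s.protocol, s.username, s.password)
    honeytokens = {creds(f) for f in feeder}
    unmatched = list(feeder)          # announcements not yet claimed by a Hive session
    results = []
    for h in hive:
        match = next((f for f in unmatched
                      if creds(f) == creds(h) and abs(h.started - f.started) <= window), None)
        if match is not None:
            unmatched.remove(match)
            results.append((h, "legitimate"))
        elif creds(h) in honeytokens:
            results.append((h, "credential_reuse"))
        else:
            results.append((h, "unknown_credentials"))
    return results
```

Because each Feeder announcement is claimed only once, a replay of a legitimate login within the window is still reported as credential reuse.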