Honeypot technology: how to track the activity of attackers?


Many readers will be familiar with the terms "honeypot" and "honeynet". Although some people think of them strictly as tools for security researchers, they can also benefit an enterprise when used properly. In this article "honeypot" and "honeynet" are used interchangeably; strictly speaking, a honeynet is a network of honeypots that attempts to simulate a larger and more diverse environment, presenting the attacker with a more convincing target.

A honeypot is an isolated system, or set of systems, whose primary purpose is to lure attackers by exposing real or simulated vulnerabilities in its software or its configuration (such as an easily guessed password). It attracts attackers and records their activity so that their methods can be better understood. There are two types: high-interaction honeypots and low-interaction honeypots.

Types and trade-offs

A high-interaction honeypot runs a real (not emulated) operating system and can be fully compromised. What the attacker interacts with is a genuine system with a complete service stack, and the design goal is to capture detailed information about everything the attacker does on it. A low-interaction honeypot emulates only parts of a real system (a network stack, processes, services), for example a particular version of an FTP (File Transfer Protocol) service whose code contains a known vulnerability. This attracts worms that scan for that vulnerable service and lets you observe the worm's behaviour against it in detail.

Each type involves a trade-off. A high-interaction honeypot offers real operating system services and applications, so the information it gathers about attackers is more reliable; this is its advantage. It also captures a large volume of data from the attacker once the system is compromised, which is very helpful when, for example, an organization wants detailed and authentic data on how attackers go after a specific type of system in order to improve its defences. On the other hand, these honeypots are difficult to deploy and maintain, and there is a high risk of side effects: a compromised honeypot can be used to attack other systems on the Internet.

A low-interaction honeypot is easy to set up and maintain and is generally safe to operate, because the attacker never gains a real system. However, the emulation may not be convincing enough to attract attackers, or attackers may recognise it and route around it, in which case the honeypot is useless. Which type to deploy depends on your end goal: to capture the detailed interaction between an attacker and a system, a high-interaction honeypot is the better choice; to capture malware samples targeting a vulnerable service version, a low-interaction honeypot is sufficient.

Once you have chosen which type to deploy, another important factor is whether the honeypot runs on a physical system or as one or more virtual machines on a physical host. This directly affects the maintenance workload. Virtual systems have security issues of their own (for instance, an attacker can detect that the system is a virtual machine), but they allow rapid rollback to a clean snapshot and significantly shorten deployment and redeployment time.

Honeypot deployment

Neither a high-interaction nor a low-interaction honeypot performs any production role on the Internet. In other words, beyond what the operating system itself requires, the honeypot runs no other processes, services, or daemons. Consequently, every interaction with the honeypot can be treated as suspected malicious activity, which makes attack detection straightforward. Before discussing deployment best practices, let's look at commonly used high-interaction and low-interaction honeypots.

A high-interaction honeypot generally needs no special software beyond the underlying operating system. Typically, installing VMware Workstation or a similar virtual machine monitor such as QEMU is enough to meet the honeypot's operating system requirements (the honeypot is the guest operating system running on the host's virtualization software). Once the underlying operating system is installed, the next step is to set up the honeypot (the guest operating system) for proper monitoring. This configuration has two parts: monitoring on the host operating system and monitoring inside the guest operating system. Monitoring on the host should focus on capturing the inbound and outbound packets to and from the honeypot, which can be done with programs such as tcpdump or Wireshark. In addition, if the guest is compromised, malicious outbound connections may cause additional harm; the operator wants to be warned of these before they do damage, which is known as extrusion detection. It can be done with a host-based firewall or local access control lists such as iptables. Enforcing such in-band filtering is essentially part of controlling what kinds of attack the honeypot is exposed to. Combining the host's traffic filtering with an intrusion detection system such as Snort adds signature-based alerting for known attack vectors.
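The extrusion-detection step described above, as an added example that is not code from the original article: the host logs packets the guest originates with iptables' LOG target, and a small script reads those lines, ignores the allowlisted egress, and raises an alert for anything else the guest tries to reach. The guest address 10.10.10.5, the resolver 10.10.10.1, the interface names and the log lines themselves are all constructed for the example.

```python
"""Extrusion detection over host-side firewall log lines.

Added example, not code from the original article.  Assumptions: the
honeypot guest sits at 10.10.10.5 behind the host's bridge, the host logs
forwarded packets with iptables' LOG target using --log-prefix "HP: ", and
the only outbound traffic the guest legitimately generates is DNS to the lab
resolver at 10.10.10.1.  The log lines below are constructed for the example.
"""
import re

HONEYPOT_IP = "10.10.10.5"                       # assumed guest address
ALLOWED_EGRESS = {("10.10.10.1", 53, "UDP")}    # (dst, dport, proto) the guest may reach
BURST_THRESHOLD = 5   # this many distinct disallowed hosts -> scanning or DoS from the guest

# Fields we need from an iptables LOG line; intervening fields are skipped with .*?
LOG_RE = re.compile(
    r"HP: IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

SAMPLE_LOG = [  # constructed: an inbound FTP probe, a legitimate DNS lookup, then an infected guest
    "kernel: HP: IN=br0 OUT=vnet0 MAC=00:11 SRC=203.0.113.7 DST=10.10.10.5 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=21 SYN",
    "kernel: HP: IN=vnet0 OUT=br0 MAC=00:11 SRC=10.10.10.5 DST=10.10.10.1 LEN=70 TTL=64 PROTO=UDP SPT=40000 DPT=53",
    "kernel: HP: IN=vnet0 OUT=br0 MAC=00:11 SRC=10.10.10.5 DST=198.51.100.9 LEN=60 TTL=64 PROTO=TCP SPT=41000 DPT=6667 SYN",
] + [
    f"kernel: HP: IN=vnet0 OUT=br0 MAC=00:11 SRC=10.10.10.5 DST=192.0.2.{i} LEN=60 TTL=64 PROTO=TCP SPT=4100{i} DPT=445 SYN"
    for i in range(10, 15)
] + [
    "kernel: HP: IN=vnet0 OUT=br0 MAC=00:11 SRC=10.10.10.5 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0",
]


def parse_line(line):
    """Return the parsed fields of one LOG line, or None if it is not one of ours."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None   # ICMP and friends have no port
    return rec


def detect_extrusion(lines):
    """Return (alerts, destinations): alerts is a list of (kind, detail) tuples,
    destinations the set of disallowed hosts the guest tried to contact."""
    alerts, destinations = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != HONEYPOT_IP:
            continue  # inbound attacker traffic is expected; only guest-originated flows matter
        if (rec["dst"], rec["dpt"], rec["proto"]) in ALLOWED_EGRESS:
            continue
        destinations.add(rec["dst"])
        alerts.append(("egress", f"{rec['dst']}:{rec['dpt']}/{rec['proto']}"))
    if len(destinations) >= BURST_THRESHOLD:
        alerts.append(("burst", f"{len(destinations)} distinct hosts contacted"))
    return alerts, destinations


def iptables_rules(ifin="vnet0"):
    """Host FORWARD rules implied by the allowlist (interface name is assumed).
    The LOG rule sits after the ESTABLISHED,RELATED accept, so replies to the
    attacker's own inbound connections are never logged; only flows the guest
    initiates reach the log and therefore the detector above."""
    base = f"iptables -A FORWARD -i {ifin} -s {HONEYPOT_IP}"
    rules = [f"{base} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for dst, port, proto in sorted(ALLOWED_EGRESS):
        rules.append(f"{base} -d {dst} -p {proto.lower()} --dport {port} -j ACCEPT")
    rules.append(f"{base} -m limit --limit 30/min -j LOG --log-prefix 'HP: '")
    rules.append(f"{base} -j DROP")
    return rules


if __name__ == "__main__":
    for kind, detail in detect_extrusion(SAMPLE_LOG)[0]:
        print(f"{kind:7} {detail}")
    print("\n".join(iptables_rules()))
```

Dropping everything the guest initiates is the safe default. Operators who need the compromised guest to fetch its second stage, so that the sample can be captured, replace the DROP with a rate limit or a proxy, which is exactly why the alerting has to be real-time.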

Monitoring the guest operating system, the actual target of the attack, requires capturing all of the attacker's activity: keystroke logging, recording the tools the attacker brings in, and recording attempts to expand access. Sebek is a tool that performs this kind of large-scale data collection. Other high-interaction virtual honeypot systems worth noting include User-Mode Linux and Argos.

Unlike high-interaction honeypots, low-interaction honeypots require special software to be installed on the host operating system, plus further configuration to emulate vulnerable services convincingly. Popular low-interaction honeypot technologies include Nepenthes and its successors Dionaea and mwcollectd.

Low-interaction honeypots come with a variety of detection functions, including extensive logging, malware capture, real-time security event notification, and submission of captured malware for remote analysis. These can be extended with add-on modules, such as the log-irc module in Nepenthes or the p0f module in Dionaea, which passively identifies the remote operating system. Dionaea also supports an XMPP (Extensible Messaging and Presence Protocol) module for sharing captured binaries between enterprises and the security community, improving awareness of current threats.
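What "emulating part of a service" looks like in practice, as an added example that is not code from the original article or from Nepenthes or Dionaea: a minimal FTP emulator that speaks just enough of the protocol (banner, USER/PASS, a few commands) for an automated scanner or worm to proceed far enough to reveal what it wants, while recording every step as a structured event. The banner string, the port and the behaviour of accepting any credential pair are assumptions made for the example.

```python
"""Minimal low-interaction FTP emulator.

Added example, not code from the original article or from any honeypot
project.  It presents an old-looking banner (assumed for the example),
accepts any username/password so the attacker proceeds to the next step,
refuses every data transfer, and records each step as an event.
"""
import asyncio
import json
import time

BANNER = "220 (vsFTPd 2.3.4)"   # assumption: banner chosen to look like an old server
MAX_LINE = 4096                # no real FTP command is this long; longer input is itself a signal
LISTEN_PORT = 2121             # assumption for the example; a real deployment listens on 21


class FtpEmulator:
    """Protocol state for one client session; handle() is socket-free so it can be tested."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.authed = False
        self.events = []

    def log(self, kind, **data):
        self.events.append({"ts": time.time(), "peer": self.peer, "kind": kind, **data})

    def handle(self, raw):
        """Return the reply for one client line; None means close the session."""
        if len(raw) > MAX_LINE:
            self.log("oversized", length=len(raw), prefix=raw[:32])
            return None
        line = raw.rstrip("\r\n")
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        self.log("cmd", cmd=cmd, arg=arg)
        if cmd == "USER":
            self.user = arg
            return "331 Please specify the password."
        if cmd == "PASS":
            self.log("login", user=self.user, password=arg)
            self.authed = True          # every credential pair "works": we want the next step
            return "230 Login successful."
        if cmd == "QUIT":
            return None
        if not self.authed:
            return "530 Please login with USER and PASS."
        if cmd == "SYST":
            return "215 UNIX Type: L8"
        if cmd == "PWD":
            return '257 "/"'
        if cmd == "PASV":
            return "425 Can't open data connection."   # never hand out a real data port
        if cmd in ("STOR", "RETR"):
            self.log("transfer_attempt", cmd=cmd, path=arg)   # the payload name is the prize
            return "550 Permission denied."
        return "502 Command not implemented."


def run_session(peer, lines):
    """Drive the emulator without a socket; returns (replies, events)."""
    sess = FtpEmulator(peer)
    replies = []
    for line in lines:
        reply = sess.handle(line)
        replies.append(reply)
        if reply is None:
            break
    return replies, sess.events


async def serve_session(reader, writer):
    peer = writer.get_extra_info("peername")[0]
    sess = FtpEmulator(peer)
    writer.write((BANNER + "\r\n").encode())
    try:
        while True:
            raw = await asyncio.wait_for(reader.readline(), timeout=30)
            if not raw:
                break
            reply = sess.handle(raw.decode("latin-1"))
            if reply is None:
                break
            writer.write((reply + "\r\n").encode())
            await writer.drain()
    except asyncio.TimeoutError:
        sess.log("timeout")
    except ValueError:                  # readline() limit exceeded: far beyond any real command
        sess.log("oversized", length=None)
    finally:
        writer.close()
        for ev in sess.events:          # one JSON event per line: easy to ship to a collector
            print(json.dumps(ev))


if __name__ == "__main__":
    async def main():
        server = await asyncio.start_server(serve_session, "0.0.0.0", LISTEN_PORT)
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```

Refusing PASV and every STOR/RETR is deliberate: the emulator never opens a data channel, so it cannot be turned into a file drop or relay, yet it still records the file name the attacker tried to push, which is usually the name of the malware they intended to run.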

There are established deployment best practices for monitoring high-interaction honeypots. They combine in-band and out-of-band filtering with network intrusion detection, and they must be reinforced with strong isolation between the honeypot and the normal network. Ideally, the honeypot environment has its own Internet connection, while management of the host operating system is on a separate, independent network. Low-interaction honeypots, by contrast, are not designed to be fully taken over by an attacker, so protecting them is simpler: a program such as chroot can confine the low-interaction honeypot to a small, separate file system. Even so, a low-interaction honeypot must be fully isolated from the normal network; otherwise it is exposed to the same threats as a high-interaction honeypot.

Typical applications

One of the main uses of honeypots is collecting malware samples, whether they exploit zero-day vulnerabilities or known attack vectors; honeypots give researchers a better understanding of these attacks. For example, a honeypot can provide real-time attack data by monitoring IRC control channels. Honeypots can also passively identify the attacker's operating system, and store and replay attack activity. In addition, they let researchers share threat information (for instance over XMPP) or submit samples to online sandboxes and multi-engine virus scanners (such as VirusTotal, Jotti, ThreatExpert, and CWSandbox) for further analysis.

Honeypot malware collection extends naturally to bots and botnets. Botnets are distributed and rely on remote command channels (generally IRC or HTTP); they often spread using zero-day or known attack vectors, and this architecture lends itself well to tracking and analysis with a honeypot.
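Monitoring an IRC control channel, as an added example that is not code from the original article: once an infected honeypot connects out to its command channel, the host's packet capture shows the whole IRC conversation in clear text. The script below reads such a stream, tagged with the direction of each line, and pulls out the indicators worth sharing: the command-and-control server, the bot's nick, the channel it joined, the herder's commands, and any URLs pointing at further binaries. The capture and the bot-command syntax (.dl, .scan, .ddos) are constructed for the example; real bot families use their own vocabularies.

```python
"""Extract command-and-control indicators from IRC traffic captured at a honeypot.

Added example, not code from the original article or from any honeypot
project.  STREAM is a constructed capture of the honeypot's outbound IRC
connection after infection; the bot-command syntax is invented.
"""
import re
from dataclasses import dataclass, field

IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
BOT_CMD_RE = re.compile(r"^[.!](?P<verb>\w+)(?:\s+(?P<args>.*))?$")   # assumed command prefix
URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://\S+")


@dataclass
class CncReport:
    server: str                                # C&C host the guest connected to
    nick: str = None                           # nick the bot registered (often encodes country/OS)
    channels: set = field(default_factory=set)
    commands: list = field(default_factory=list)
    urls: set = field(default_factory=set)     # candidate second-stage binaries


STREAM = [  # constructed: ("out", ...) sent by the honeypot, ("in", ...) received from the server
    ("out", "NICK [USA|XP]8821"),
    ("out", "USER x 0 * :x"),
    ("in",  ":irc.example.net 001 [USA|XP]8821 :Welcome"),
    ("out", "JOIN #bots k3y"),
    ("in",  ":irc.example.net 332 [USA|XP]8821 #bots :.dl http://198.51.100.20/u.exe 1"),
    ("in",  ":herder!h@203.0.113.9 PRIVMSG #bots :.scan 445 10.0.0.0/8 200"),
    ("in",  ":herder!h@203.0.113.9 PRIVMSG #bots :.ddos syn 192.0.2.80 80 600"),
    ("in",  ":someone!s@203.0.113.12 PRIVMSG #bots :hello"),
    ("in",  "PING :irc.example.net"),
    ("out", "PONG :irc.example.net"),
]


def analyze(stream, server):
    """Walk the tagged IRC lines and build a CncReport."""
    rep = CncReport(server=server)
    for direction, line in stream:
        m = IRC_RE.match(line.strip())
        if not m:
            continue
        cmd, params = m.group("cmd").upper(), m.group("params") or ""
        if direction == "out" and cmd == "NICK":
            rep.nick = params.strip()
        elif direction == "out" and cmd == "JOIN":
            parts = params.split()
            if parts:
                rep.channels.add(parts[0])        # a channel key, if present, is ignored
        elif cmd in ("PRIVMSG", "NOTICE", "TOPIC", "332"):
            # 332 is the topic reply: herders often park the standing order in the topic
            _target, _, text = params.partition(" :")
            text = text.strip()
            bm = BOT_CMD_RE.match(text)
            if bm:
                sender = (m.group("prefix") or "").split("!")[0]
                rep.commands.append({"from": sender, "verb": bm.group("verb"),
                                     "args": bm.group("args") or ""})
            rep.urls.update(URL_RE.findall(text))
    return rep


def iocs(rep):
    """Flatten the report into (type, value) indicators for sharing or blocking."""
    out = [("cnc_server", rep.server)] + [("channel", c) for c in sorted(rep.channels)]
    out += [("url", u) for u in sorted(rep.urls)]
    out += [("command", f"{c['verb']} {c['args']}".strip()) for c in rep.commands]
    return out


if __name__ == "__main__":
    for kind, value in iocs(analyze(STREAM, "198.51.100.9")):
        print(f"{kind:11} {value}")
```

The URLs are the hand-off to the sample-collection side: each one is a binary to fetch from a throwaway network and submit to a sandbox, never from the honeypot host itself. The commands are the part worth watching in real time, because a .scan or .ddos order is the moment the honeypot is about to become the "serious liability" the closing section warns about.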

For enterprises, honeypots have more practical uses than those described above. However, a honeypot's effectiveness depends largely on good design. Any design flaw (inadequate isolation, or a lack of monitoring and real-time alerting) can turn the honeypot into a serious liability rather than an asset for managing risk. Proper care and caution are essential. If you lack the experience but still want to deploy a honeypot, consult trained professionals.

Author: Anand Sastry
