You’ve probably heard the phrase about “canaries in a coal mine.” In the mid 1900s, a guy named John Haldane figured out that birds die pretty quickly when poisoned by carbon monoxide, after which coal miners started using them as early warning systems for toxic gas. We need the same for computer security. No defense is infallible, so organizations need digital canaries to warn us about poisoned networks.
When you think about the layers of security your business needs, you probably think about firewalls, authentication systems, intrusion prevention, antivirus, and other common security controls. However, I suspect few think about honeypots. That’s a shame, as honeypots make perfect network security canaries, and can improve any organization’s defense.
As an infosec professional, you’ve probably heard of a honeypot—a digital trap set to catch computer attacks in action. In essence, honeypots are systems that mimic resources that might entice an attacker, while in reality they’re fake systems designed to contain and monitor attacks. In the same vein, a honeynet is just a collection of different honeypots.
There are many different varieties of honeypots, each designed to recognize and observe diverse types of attacks. Some catch network attacks (Honeyd), others catch web application attacks (Glastopf), and some are designed to collect and observe malware (Dionaea). You can check out The Honeynet Project for a fairly complete list of different kinds of honeypots.
These different honeypots also have varying levels of depth. For instance, a low-interaction honeypot might just emulate basic network services, perhaps only presenting a service banner and command prompt, but not offering much interaction to potential attackers (making them easier for attackers to detect). Whereas, high-interaction honeypots can imitate full server systems, tricking hackers into carrying out their attacks further, allowing you to analyze them in depth.
With all the different varieties to choose from, each with varying levels of capability, honeypots might sound a little over complicated and perhaps too cumbersome for a small organization. In fact, some of the research-focused ones are certainly overkill for anyone but security academics. However, you don’t need the most complex feature-packed honeypot for our simple purpose.
A production honeypot is a relatively low maintenance system, primarily used to detect attacks (rather than fully emulate and analyze them). Production honeypots make great network canaries. Over the years, production honeypots have evolved and become much easier for the average Joe to deploy. While most honeypots began as command line Linux packages, requiring manual installation and configuration, new solutions have surfaced making these packages more user-friendly, even for Linux newbies.
For instance, lately a number of Live CD distributions have come out specifically made for honeypots and honeynets. Rather than having to install a Linux distribution (distro) from scratch, and configuring everything yourself, these live honeypot distros have everything set up and ready to go. All you have to do is boot from a USB key or spin-up a virtual machine. Best of all, these honeypot distros are free. Three great examples include: HoneyDrive, Active Defense Harbinger Distribution (ADHD) and Stratagem.
If the convenience of live honeypot distros wasn’t enough, newer honeynet projects have also made the older command line tools much easier to use. For instance, Project Nova adds a GUI, and many additional capabilities, to the trusty and popular Honeyd project. Nova makes Honeyd much more approachable to the average IT guy, making it dead simple for you to deploy a simple production honeynet in even the smallest organization. Better yet, Nova comes preinstalled in distros like ADHD, so all you have to do is boot ADHD, start Nova, and you are ready to experiment.
With all these easy and free options, there’s little excuse not to at least try a honeypot. I suggest starting with the combination I mentioned above. Use the ADHD ISO to create either a bootable USB drive or virtual machine, spin it up, and give Nova a try. When you first boot ADHD, you’ll see a “Usage documentation” link on your desktop. Double-clicking it will bring up a file that shares all the information you need to know to get started with some of the honeypot packages, including Nova. Or just refer to this guide on how to get Nova started.
If you run Nova with its default settings, it sets up three fake honeypot machines—a Linux server, Windows Server, and BSD Server—and it monitors them for network connections. These basic honeypots act like those canaries in coal mines, warning you of dangerous activity. If Nova sees unusual connections to these machines, you know someone might be snooping around your network. Nova will also monitor for other types of attack traffic too, and warn you when it finds any IP addresses that act suspiciously.
Once you set up this simple honeynet, all you have to do is occasionally monitor it for weird activity. However, after seeing what this simple setup can do, you might find you’re intrigued by the capabilities of honeypots. If so, there’s a lot you can explore in ADHD and Nova. For example, rather than sticking with Nova’s default setup, you can add a bunch of fake nodes that emulate your actual server setup. You can also explore the other types of honeypots ADHD provides, such the web application honeypot, Weblabyrinth, or file system honeypots like Artillery.
Whether or not you deeply explore all the available honeypots is up to you, but you really should consider installing at least a basic one. All the big public data breaches over the past few years have shown us that we’ll never have impermeable defenses. No matter how many walls you build around your information, attackers will find weakness, and you data will leak out. That’s why honeypots can play a crucial role in your organization’s security strategy as the digital canary warning you before impending disaster.