Security operations centers have SIEMs and log analyzers or custom logs alerts with hundreds or thousands of log feeds with millions of ...

Cyber Threat Intelligence – Lesson One: Know Thyself


Security operations centers have SIEMs and log analyzers or custom logs alerts with hundreds or thousands of log feeds with millions of lines of data every second, correlating, analyzing, and searching for indicators of compromise and anomalies.  Through all that noise what you’re not likely to be able to tell is if that last connection to your website was legitimate or possibly malicious.

Enter honeypots

There are various types of honeypots that can be used for specific scenarios such as detection, deflection, even deception, the type I will discuss are those used to detect attempted unauthorized use of systems.  The honeypots are deliberately vulnerable systems used to observe malicious behavior.  There’s usually no need to advertise these systems, and normal customer and business activity will never interact with them because they are not connected to any business processes.  In this configuration, there are no false positives, every connection to the honeypot is a possible threat because no one should be trying to connect to it.
Honeypots can be deployed internally on your network, for example on the same network as employees or users, or deployed facing the internet to mimic production systems such as an ecommerce site.  The benefit of deploying internally is to observe possible insider threats or compromised systems which may be trying to spread malware across the network.  The benefit of deploying honeypots externally where they’re available via the internet, is to gain insight and quickly visualize your current cyber threats, current vectors of attacks, and possible exposure.

Deploying honeypots can be very simple and instantly become fruitful via the information they provide.  They can be made to be general purpose, low interaction to get a feel for the network and application based attacks directed at your organization or they can be set up with more interaction and mimic your production systems.

Practical applicability

This is not theory, if you deploy a honeypot that is accessible via the internet it will get probed, prodded, and attacked.  Some of this will be generic scans of malicious campaigns looking for specific vulnerable systems and some will be directed specifically towards your organization for a personalized view of targeted attacks. Either way it will provide invaluable information as well as actionable threat intelligence which can be immediately used to reduce your cyber risk. When deployed internally to mimic a file server for example, a honeypot can identify possible malicious insiders or worse you may find out there’s malware on your network attempting to spread.

As a personal project, using virtual server hosting services I deployed three honeypots for a year in data centers in New York, Los Angles, and Netherlands.  These honeypots were internet facing and non-descript, meaning there was nothing labeling them as belonging to any person or organization. The names of the servers where just a jumble of characters and there wasn’t even a DNS record associated to them, just an IP address and an internet connection. With just that the intelligence they provided on current attack campaigns and targeted services and applications would be invaluable to any security operation.  In a future article I plan to review the data as well as provide a tutorial on how to setup your own honeypots along with Splunk to easily visualize and analyze the data they provide.

Take Action

Time to use the threat intelligence your honeypots are providing to get the most use out of them.  Some use cases include using the source addresses to feed your blacklist or if you’re interested to find out how effective your current blacklist feed is against the latest known malicious IP addresses, it’s possible to compare the source IPs collected by the honeypots to the blacklist.  I mentioned earlier a honeypot deployed internally will help identify insider threats and compromised machines.  Another use case is to feed your SIEM with the honeypot data to provide context, yes I know another feed, however the security industry is taking notice and honeypots are more and more becoming part of a holistic security program.  Companies such as LogRythm are building into their products the functionality to automate and contextualize the use of the honeypot data to identify compromised credentials and protect against zero-day malware.

I’m a big advocate of honeypots as they are a valuable piece of any security puzzle providing intelligence at the network level.  Insight on other attack vectors such as phishing may be just as or more important to your organization and every security program should be customized and prioritized to fit its needs.