Chapter 7 - 05 - Understand Different Types of Honeypots
EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Module Flow
- Discuss Essential Network Security Protocols
- Discuss Security Benefits of Network Segmentation
- Understand Different Types of Firewalls and their Role
- Understand Different Types of IDS/IPS and their Role
- Understand Different Types of Honeypots
- Understand Different Types of Proxy Servers and their Benefits
- Discuss Fundamentals of VPN and its importance in Network Security
- Discuss Other Network Security Controls
- Discuss Importance of Load Balancing in Network Security
- Understand Various Antivirus/Anti-malware Software

Understand Different Types of Honeypots

Honeypots allow security professionals to defend against attacks that even a firewall cannot prevent. Honeypots provide increased visibility and an additional layer of security against both internal and external attacks. This section provides an understanding of different types of honeypots and honeypot tools.

Module 07 Page 868 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Honeypot

A honeypot is a computer system on the Internet intended to attract and trap those who attempt unauthorized or illicit utilization of the host system to penetrate an organization's network.
It is a fake proxy run to frame attackers by logging traffic through it and then sending complaints to the victims' ISPs. It has no authorized activity or production value, and any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a honeypot, it is most likely to be malicious.

Honeypots are unique; they do not solve a specific problem. Instead, they are highly flexible tools with many different security applications. Honeypots help in preventing attacks, detecting attacks, and information gathering and research. A honeypot can log port access attempts or monitor an attacker's keystrokes; these could be early warnings of a more concerted attack. It requires a considerable amount of effort to maintain a honeypot.

[Figure 7.84: Example of Honeypot. Diagram labels: Internet, Attacker, Packet Filter, Firewall, DMZ, Honeypot, Web Server, Internal Network.]
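The early-warning idea above, as an added example that is not part of the original course text: because a honeypot has no authorized activity, every logged connection is worth an alert, and a source that touches several ports or keeps returning deserves escalation. The log format, the thresholds and the labels are assumptions made for this example, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source IP> <honeypot port>".
SAMPLE_LOG = """\
2020-02-20T00:34:56 10.10.10.13 21
2020-02-20T00:34:58 10.10.10.13 22
2020-02-20T00:35:01 10.10.10.13 445
2020-02-20T00:35:03 10.10.10.13 3389
2020-02-20T01:10:00 10.10.10.77 21
2020-02-20T03:00:00 10.10.10.50 22
2020-02-20T03:00:05 10.10.10.50 22
2020-02-20T03:00:09 10.10.10.50 22
not a log line
"""

SWEEP_PORTS = 3                  # assumption: distinct ports inside WINDOW
REPEAT_HITS = 3                  # assumption: hits on one port inside WINDOW
WINDOW = timedelta(minutes=5)    # assumption: correlation window


def parse(text):
    """Yield (time, source, port); skip malformed lines instead of failing."""
    for line in text.splitlines():
        parts = line.split()
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], int(parts[2])
        except (IndexError, ValueError):
            continue


def triage(text):
    """Return {source: label}. Any contact at all is at least a 'probe'."""
    hits = defaultdict(list)
    for ts, src, port in parse(text):
        hits[src].append((ts, port))
    verdict = {}
    for src, events in hits.items():
        events.sort()
        label = "probe"
        for i, (start, _) in enumerate(events):
            # Ports contacted within WINDOW of this event.
            window = [p for t, p in events[i:] if t - start <= WINDOW]
            if len(set(window)) >= SWEEP_PORTS:
                label = "port-sweep"
                break
            if max(window.count(p) for p in set(window)) >= REPEAT_HITS:
                label = "repeated-attempts"
        verdict[src] = label
    return verdict
```
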
Types of Honeypots

Honeypots are classified into the following types based on their design criteria:

- Low-interaction Honeypots
Low-interaction honeypots emulate only a limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error. They capture limited amounts of information, i.e., mainly transactional data, and some limited interactions. These honeypots cannot be compromised completely. They are set to collect higher-level information about attack vectors such as network probes and worm activities. Some examples are KFSensor and Honeytrap.

- Medium-interaction Honeypots
Medium-interaction honeypots simulate a real OS as well as applications and services of a target network. They give a more convincing impression of an OS than low-interaction honeypots. Therefore, it is possible to log and analyze more complex attacks. These honeypots capture more useful data than low-interaction honeypots. They can only respond to preconfigured commands; therefore, the risk of intrusion increases. The main disadvantage of medium-interaction honeypots is that the attacker can quickly discover that the system behavior is abnormal. Some examples of medium-interaction honeypots include HoneyPy, Kojoney2, and Cowrie.

- High-interaction Honeypots
Unlike their low- and medium-interaction counterparts, high-interaction honeypots do not emulate anything; they run actual vulnerable services or software on production systems with real OS and applications. These honeypots simulate all services and applications of a target network. They can be completely compromised by attackers to gain full access to the system in a controlled area. They capture complete information about an attack vector such as attack techniques, tools, and intent. The honeypotized system is more prone to infection, as attack attempts can be carried out on real production systems.

A honeynet is a prime example of a high-interaction honeypot. It is neither a product nor a software solution that a user installs. Instead, it is an architecture: an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged. "Bad guys" find, attack, and break into these systems through their own initiative. When they do, they do not realize that they are in a honeynet. Without the knowledge of the attackers, all their activities and actions, from encrypted SSH sessions to email and file uploads, are captured by inserting kernel modules into their systems.

At the same time, the honeynet controls the attacker's activity. Honeynets do this by using a honeywall gateway, which allows inbound traffic to the victim's systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim's systems but prevents the attacker from harming other non-honeynet computers.

- Pure Honeypots
Pure honeypots emulate the real production network of a target organization. They cause attackers to devote their time and resources toward attacking the critical production system of the company. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators to provide early warnings of attacks and hence reduce the risk of an intrusion.

Honeypots are classified into the following types based on their deployment strategy:

- Production Honeypots
Production honeypots are deployed inside the production network of the organization along with other production servers.
Although such honeypots improve the overall state of security of the organization, they effectively capture only a limited amount of information related to the adversaries. Such honeypots fall under the low-interaction honeypot category and are extensively employed by large organizations and corporations. As production honeypots are deployed internally, they also help to find out internal flaws and attackers within an organization.

- Research Honeypots
Research honeypots are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders. By using such honeypots, security analysts can obtain in-depth information about how an attack is performed, how vulnerabilities are exploited, and which attack techniques and methods the attackers use. This analysis, in turn, can help an organization to improve attack prevention, detection, and security mechanisms and develop a more secure network infrastructure. The main drawback of research honeypots is that they do not contribute to the direct security of the company. If a company is looking to improve its production infrastructure, it should opt for production honeypots.

Honeypots are classified into the following types based on their deception technology:

- Malware Honeypots
Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities.
These honeypots lure the attacker or malware into performing attacks, from which the attack pattern, malware signatures, and malware threat actors can be identified effectively.

- Database Honeypots
Database honeypots employ fake databases that are vulnerable to database-related attacks such as SQL injection and database enumeration. These fake databases trick the attackers by making them think that these databases contain crucial sensitive information such as credit card details of all the customers and employee databases. However, all the information present in the database is fake and simulated. The vulnerabilities of such databases lure the attacker into performing attacks; from the attacks, the attack pattern and the threat actor's TTPs for database attacks can be identified effectively.

- Spam Honeypots
Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source from the Internet. They provide crucial information about spammers and their activities.

- Email Honeypots
Email honeypots are also called email traps. They are nothing but fake email addresses that are specifically used to attract fake and malicious emails from adversaries. These fake email IDs will be distributed across the open Internet and dark web to lure threat actors into performing various malicious activities to exploit the organization. By constantly monitoring the incoming emails, the adversary's deception techniques can be identified by the administrators and internal employees can be warned to avoid falling into such email traps.

- Spider Honeypots
Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc. Spider honeypots are employed to trap such adversaries. A fake website will be emulated and presented as a legitimate one. Threat actors attempting to perform web crawling on such traps will be identified and blacklisted.

- Honeynets
Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary.

Honeypot Tools

Honeypots are security tools that allow the security community to monitor attackers' tricks and exploits by logging all their activity so that it can respond to such exploits quickly before the attacker can misuse or compromise the system.

- HoneyBOT
Source: https://www.atomicsoftwaresolutions.com
HoneyBOT is a medium-interaction honeypot for Windows. A honeypot creates a safe environment to capture and interact with unsolicited traffic on a network. HoneyBOT is an easy-to-use solution that is ideal for network security research or as part of an early-warning IDS.

[Figure 7.85: Screenshot of HoneyBOT. The Packet Log (ftp) window shows Connection Details (Date: 2/20/2020; Time: 12:34:56 AM; Time Zone: -8:00; Source IP: 10.10.10.13; Source Port: 45260; Server IP: 10.10.10.16; Server Port: 21 (ftp); Protocol: TCP; Bytes Sent: 41; Bytes Received: 0), a Packet History list, and a Packet Data pane.]

Some additional honeypot tools are listed below:
- KFSensor (http://www.keyfocus.net)
- MongoDB-HoneyProxy (https://github.com)
- Modern Honey Network (https://github.com)
- ESPot (https://github.com)
- HoneyPy (https://github.com)
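To make the low-interaction behaviour described earlier concrete, here is an added example that is not from the course text and is not code from HoneyBOT or any other tool listed: an FTP decoy that answers a handful of verbs, returns a generic error for anything it does not emulate, and keeps a per-connection record with the same kind of fields the packet log shows. The banner text, the reply strings, the `Session` and `Handler` names and port 2121 are assumptions.

```python
import socketserver
from dataclasses import dataclass, field

BANNER = "220 DECOY01 FTP Service (Version 5.0)."   # constructed banner
# The only verbs emulated; anything else gets a generic error (low interaction).
REPLIES = {"USER": "331 Password required.", "PASS": "530 Login incorrect.",
           "SYST": "215 UNIX Type: L8", "QUIT": "221 Goodbye."}


@dataclass
class Session:
    """One connection record, modelled on the fields of a packet log."""
    src_ip: str
    src_port: int
    server_port: int = 21
    bytes_sent: int = 0
    bytes_received: int = 0
    events: list = field(default_factory=list)   # (direction, text) pairs

    def _send(self, text):
        self.bytes_sent += len(text.encode()) + 2   # reply plus CRLF
        self.events.append(("TX", text))
        return text

    def greet(self):
        return self._send(BANNER)

    def respond(self, raw: bytes):
        self.bytes_received += len(raw)
        line = raw.decode("latin-1").strip()
        self.events.append(("RX", line))
        verb = line.split(" ", 1)[0].upper()
        return self._send(REPLIES.get(verb, "500 Command not understood."))


class Handler(socketserver.StreamRequestHandler):
    timeout = 30   # drop idle peers

    def handle(self):
        ip, port = self.client_address
        s = Session(ip, port, self.server.server_address[1])
        try:
            self.wfile.write(s.greet().encode() + b"\r\n")
            # readline(512) caps line length so a peer cannot exhaust memory
            for raw in iter(lambda: self.rfile.readline(512), b""):
                reply = s.respond(raw)
                self.wfile.write(reply.encode() + b"\r\n")
                if reply.startswith("221"):
                    break
        except OSError:
            pass   # timeouts and resets still produce a record
        finally:
            print(vars(s))   # in practice, ship the record to a log collector


if __name__ == "__main__":   # port 2121 is an assumption; use an isolated host
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), Handler) as srv:
        srv.serve_forever()
```
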