If you’re a target for either financially motivated cyber criminals or nation-state-grade attackers, chances are your security team feels outgunned. Deception technology excels at detecting these attacks by shifting the cognitive, economic and time costs of the attack back onto the attacker. The principles of deception have been around for years, and recently, they’ve become the secret weapon of purple teams and threat hunters worldwide. Here’s the good news: you can start seeing the benefits of deception for free using open source honeypots that can be deployed immediately.
Deception is so crucial to detecting lateral movement, uncovering privilege escalation, and building threat intelligence that any deception, even open-source honeypots, is valuable. Whenever we’re on the road, we make it a point to give a shout-out to some of these tools, and will happily help you plan how you can use them. And we’ll do this for free, no strings attached. Just get in touch!
Caveat Emptor: You get what you pay for. Some of these tools may no longer be supported, and will require leg-work to set up and see results. However, they’re a great way to get familiar with deception. They’re also emulations, not real systems, so don’t expect high-interaction activity. While we’ll offer friendly advice around how you can use them, we don’t officially support them.
For more on planning effective deception, check out our strategy-focused blog posts:
Network services honeypots
- Cowrie – Cowrie is an SSH honeypot based off an earlier favourite called Kippo. It will emulate an interactive SSH server with customisable responses to commands. Another alternative is HonSSH, which sits between a real SSH server and the attacker, MiTMing the connection and logging all SSH communications.
- Dionaea is a multi-protocol honeypot that covers everything from FTP to SIP (VoIP attacks). Where it really excels is for SMB decoys. It can even simulate malware payload execution using LibEmu to analyse multi-part stagers.
IoT (Internet of Things) honeypots
- Honeything emulates the TR-069 WAN management protocol, as well as a RomPager web-server, with vulnerabilities. Other IoT decoys can be created by emulating embedded telnet / FTP servers, for example with BusyBox.
- ConPot emulates several kinds of operational technology (OT) control system infrastructure. These include protocols like MODBUS, DNP3 and BACNET. It comes with a web-server that can emulate a SCADA HMI as well.
- GasPot emulates a Veeder Root Guardian AST that is commonly used for monitoring in the oil and gas industry.
Database and NoSQL honeypots
- MongoDB-HoneyProxy emulates an insecure MongoDB database. Hackers regularly scan the interwebs looking for administrators who had an ‘oops moment’ and exposed their DB to the world.
- ElasticHoney emulates an ElasticSearch instance, and looks for attempted remote code execution.
Credential honeypots and honeytokens
- DCEPT by Dell SecureWorks places deceptive credentials in Microsoft’s Active Directory.
- Canarytokens by the great guys at Thinkst let you place different types of decoy data across your systems, waiting for an attacker to trigger them.
Honeyclients and malware analysis
- Cuckoo Sandbox is not really a honeypot, but it’s a great sandbox for malware analysis. You can safely and programmatically execute possible malware samples, including binaries, Microsoft Office documents and emails within a Cuckoo VM. You’ll receive a full report on what the code executed, what file / registry changes were made, and what network callbacks were observed. Pair it with VMCloak to automatically build sandbox VMs that are harder for malware to fingerprint.
- Honeydrive is a GNU/Linux distribution that comes pre-installed with a lot of active defence capabilities. Consider it the anti-Kali.
- MHN combines Snort, Kippo, Dionaea and Conpot, and wraps them for easy installation and use.
Setting up most of these open source honeypots in a lab should be a fairly simple weekend project for seasoned security professionals. You can then run red-team style attacks against them to understand what sort of telemetry you can expect. Finally, you can tweak the source to reduce how easily they can be fingerprinted (don’t forget to submit patches to the authors if you do).
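To get a feel for that telemetry, here is an added example (not part of the original post or of the Cowrie project) that groups Cowrie-style JSON log events by session and ranks how far each session got. The log lines are constructed, and the 10.0.0.0/8 internal range and the stage names are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample lines shaped like Cowrie's JSON log (one event per line).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","session":"s1","src_ip":"192.0.2.10","username":"root","password":"123456"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"10.20.30.40"}
{"eventid":"cowrie.login.failed","session":"s2","src_ip":"10.20.30.40","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","session":"s2","src_ip":"10.20.30.40","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"10.20.30.40","input":"uname -a"}
{"eventid":"cowrie.session.file_download","session":"s2","src_ip":"10.20.30.40","url":"http://example.invalid/x"}
{"eventid":"cowrie.session.closed","sess
"""
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the lab's internal range
RANK = {"scan": 0, "bruteforce": 1, "interactive": 2, "payload": 3}  # assumed stage names

def summarise(lines):
    """Group events by session id, skipping blank or truncated lines."""
    new = lambda: {"src_ip": None, "failed": 0, "logins": [], "commands": [], "downloads": []}
    sessions = defaultdict(new)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if not isinstance(ev, dict) or not ev.get("session"):
            continue
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip") or s["src_ip"]
        eid = ev.get("eventid")
        if eid == "cowrie.login.failed":
            s["failed"] += 1
        elif eid == "cowrie.login.success":
            s["logins"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append(ev.get("url", ""))
    return dict(sessions)

def triage(sessions):
    """Return (session, src_ip, stage, internal) rows, most advanced stage first."""
    rows = []
    for sid, s in sessions.items():
        stage = ("payload" if s["downloads"] else "interactive" if s["logins"] or s["commands"]
                 else "bruteforce" if s["failed"] else "scan")
        internal = bool(s["src_ip"]) and ipaddress.ip_address(s["src_ip"]) in INTERNAL_NET
        rows.append((sid, s["src_ip"], stage, internal))
    return sorted(rows, key=lambda r: (RANK[r[2]], r[3]), reverse=True)
```

A session from an internal address that reaches the interactive or payload stage on a decoy is the lateral-movement signal worth alerting on first; internet-facing brute-force noise ranks below it.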
The curious case of “How many decoys do I need?”
7 Ways to Fail At Implementing Deception Technology
10 Questions To Ask Deception Technology Vendors