The fundamentals of honeypots and honeynets – All things in moderation

The fundamentals of honeypots and honeynets

What is a Honeypot?

Honeypots are not a new technique or a new term, but if you are new to them this post goes through some quick definitions, sets up a demo honeypot, and points to other resources if you want to go deeper.

Honeypot systems are decoy servers or systems set up to gather information about an attacker or intruder who gets into your network. Because a honeypot has no legitimate users, any traffic it receives is suspicious by definition, which is what makes its data so low-noise.
Honeypots can be set up inside the firewall, outside it, or in the DMZ, or even in all of these locations, although they are most often deployed inside the firewall so that their traffic can be tightly controlled.

Advantages of honeypots:

  • Deter attacks: fewer intruders will attack a network that they know is designed to monitor and capture their activity in detail.
  • Divert attackers' efforts: an intruder spends time and energy on a system that causes no harm to production servers.
  • Educate: a properly designed and configured honeypot provides data on the methods used to attack systems.
  • Detect insider attacks: since most IDS products have difficulty detecting insider attacks, honeypots can provide valuable information on the patterns used by insiders.

Types of honeypots

Based on design criteria, honeypots can be classified as:

Pure honeypots
– Full-fledged production systems
– The activities of the attacker are monitored through a tap on the honeypot's link to the network
– No other software needs to be installed on the honeypot itself
High-interaction honeypots
– Imitate the activities of production systems, running real services that the attacker can fully interact with
– Usually deployed as virtual machines so they can be snapshotted and reset
– Harder for an attacker to detect, but also riskier: a compromised high-interaction honeypot must be contained so it cannot be used to attack others
– Example: a honeynet
Low-interaction honeypots
– Simulate only the services frequently requested by attackers, so there is no real system to compromise
– Cheaper to run and safer, but easier for an attacker to fingerprint
– Example: Honeyd

Honeynets

  • A honeynet is a high-interaction honeypot designed to capture in-depth information about attackers.
  • The information gathered has different value to different organizations.
  • It is an architecture that you populate with live systems, not a product or a piece of software.

HoneyPy

  • HoneyPy is a low- to medium-interaction honeypot written in Python. It is intended to be a honeypot that is easy to configure, deploy, and extend. You can find the project on GitHub here: https://github.com/foospidy/HoneyPy

  • HoneyPy was built to be extensible, so you can easily add new service emulations (plugins) for both TCP- and UDP-based protocols. It also comes with a small set of basic plugins that you can run as-is or use as a starting point to write your own. Choosing which plugins to enable is as simple as editing the services.cfg file.

  • Another great feature is its event log handler integrations with other tools such as Twitter, HoneyDB, Slack, Logstash, and Elasticsearch.
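To make the low-interaction idea concrete, here is an added example of a minimal honeypot "service plugin" written for this post; it is not HoneyPy's code and does not use its APIs. It listens on a TCP port, sends a fake banner (an SMTP greeting, chosen arbitrarily), records whatever the client sends, and emits one JSON event per connection, which is the kind of record a handler would forward to Logstash or Elasticsearch. The banner, reply text and port are constructed values, and probe() is a small client added only so the honeypot can be exercised locally.

```python
"""Minimal low-interaction TCP honeypot (added example, not HoneyPy code)."""
import json
import socket
import threading
import time

# Constructed fake banner/reply: mimic the service you want probes for,
# never a real hostname of your own.
FAKE_BANNER = b"220 mail.example.com ESMTP Postfix\r\n"
FAKE_REPLY = b"250 mail.example.com\r\n"


def build_event(service, peer, local_port, data):
    """Normalise one interaction into a flat, JSON-serialisable record."""
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(data),
        # readable form for analysts plus an exact hex copy of the probe bytes
        "payload": data.decode("utf-8", "replace"),
        "payload_hex": data.hex(),
    }


class LowInteractionHoneypot:
    def __init__(self, service="smtp", host="127.0.0.1", port=0,
                 banner=FAKE_BANNER, reply=FAKE_REPLY, max_bytes=4096, idle=2.0):
        self.service, self.banner, self.reply = service, banner, reply
        self.max_bytes, self.idle = max_bytes, idle
        self.events = []            # in-memory event log (a real handler would ship these)
        self._lock = threading.Lock()
        self._running = False
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0 lets the OS pick a free port
        self.port = self._sock.getsockname()[1]

    def start(self):
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # lets the accept loop notice stop()
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        data = b""
        with conn:
            conn.settimeout(self.idle)
            try:
                conn.sendall(self.banner)
                # read one line at most: stop on newline, size cap, EOF or idle timeout
                while b"\n" not in data and len(data) < self.max_bytes:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except (socket.timeout, OSError):
                pass
            event = build_event(self.service, peer, self.port, data)
            with self._lock:
                self.events.append(event)
            print(json.dumps(event))
            try:
                conn.sendall(self.reply)   # keep the illusion of a live service
            except OSError:
                pass


def probe(host, port, payload, timeout=2.0):
    """Tiny client used to exercise the honeypot; returns all bytes it got back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        got = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            got += chunk
    return got


if __name__ == "__main__":
    hp = LowInteractionHoneypot(port=2525)   # unprivileged port, arbitrary choice
    hp.start()
    print(f"fake smtp listening on 127.0.0.1:{hp.port}, Ctrl-C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        hp.stop()
```

Run it, then `nc 127.0.0.1 2525` from another shell and type a line: the JSON event printed on the honeypot side is the whole point. Note the two design choices that keep it "low interaction": the read is capped at one line and a byte limit, and the only state the attacker can influence is the event record, so there is nothing on the host to compromise.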

Now, deploy it. I'm a big fan of Docker, and the first time around I just want to run it and see what it looks like.
Here, I'll start with Docker. One caveat: the run command below publishes no ports, so the emulated services are only reachable from inside the container; add -p mappings when you want probes from the network to reach them.

sudo docker pull foospidy/honeypy   # the image is about 2.09 GB
sudo docker run -it foospidy/honeypy   # starts an interactive shell inside the container
python Honey.py   # run inside the container to start HoneyPy

That is a first look at HoneyPy. I'll cover the details of installing and using HoneyPy in a subsequent blog post.

Other good resources

The Honeynet Project
Awesome Honeypots
Honeypots: Tracking Hackers (Lance Spitzner)

References

https://en.wikipedia.org/wiki/Honeypot_(computing)
https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
https://www.sans.org/reading-room/whitepapers/attacking/honey-pots-honey-nets-security-deception-41
https://medium.com/@foospidy/you-have-to-haas-it-47955c7c33a9
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-spitzner.pdf
