Honeypots are the classic deception asset. The concept has been around for a while now; think of them as virtual traps designed to lure in hackers and cybercriminals. They mimic valuable systems or network resources, tempting attackers into revealing their tactics and techniques. By deploying honeypots strategically, we can gather valuable intelligence, detect threats early, and gain the upper hand in the ongoing battle against cybercrime. With Seedata.io, you can leverage the strength of honeypots to outsmart attackers and protect your valuable assets.
Why would you use honeypot seeds, and where?
Honeypots are a powerful tool in the cybersecurity arsenal, and at Seedata.io, we know exactly where and why to deploy them. Here are some key scenarios where honeypots prove invaluable:
By strategically placing honeypots throughout your network, you create attractive decoy targets for potential attackers. This not only diverts their attention from your critical assets but also allows you to monitor and analyse their activities, gaining valuable insights into their tactics, techniques, and motives.
Honeypots act as early warning systems, alerting you to potential intrusions. By closely monitoring any interactions with these intentionally vulnerable systems, you can quickly detect unauthorised access attempts and potentially malicious activities. This enables you to respond swiftly and proactively, preventing further compromise.
Honeypots are an excellent source of threat intelligence. They provide a controlled environment for studying attacker behaviour, collecting information on emerging threats, and identifying attack patterns. This intelligence can be used to strengthen your overall security posture, refine incident response strategies, and stay ahead of evolving threats.
Deception and Misdirection
Honeypots are ideal for deception and misdirection tactics. By creating enticing decoy assets, you can lure attackers away from your real systems, buying valuable time to identify and neutralise threats. Honeypots also help uncover previously unknown attack vectors and vulnerabilities, allowing you to patch them before they can be exploited.
Research and Analysis
Honeypots serve as valuable research tools for understanding the tactics and techniques used by adversaries. Security researchers and analysts can study the attacker’s behaviour, collect forensic evidence, and gain a deeper understanding of emerging threats. This knowledge can be shared with the broader security community, contributing to collective defence efforts.
By strategically deploying honeypots in your network, you bolster your overall security posture, gain real-time insights into threats, and enhance your ability to detect and respond effectively. At Seedata.io, we leverage honeypots as an integral part of our automated moving target defence platform, empowering organisations to stay one step ahead of cyber adversaries and protect their critical assets.
Our honeypot seeds require a Linux host provided by you. This host needs an outbound route to the internet.
These installation instructions have been tested on Ubuntu 22.04 and on Red Hat Enterprise Linux 8.x and 9.x.
Creating the seed
Honeypot seeds use the standard deployment process to create a seed and make it available for manual planting. Full instructions for this are available here.
There are some attributes specific to the honeypot seed type, though. Primarily, we offer a number of different types of honeypot. Each option configures your honeypot with an appropriate set of ports and MAC address responses to mimic your chosen device persona.
Our recommendation here is that you configure your deployment with your chosen device persona, a destination of “manual download”, a seed impact rating to suit your use-case, and notifications configured as per your preference. Importantly, set the deployment size to “1”, and use the deployment as a honeypot-on-demand deployment, clicking “Run” whenever you want a new honeypot.
Manually planting the seed
This is where it gets a little more technical. You are going to run a script on your Linux host. This script will fetch our Docker image, configure it, then call back to the seedata.io platform to confirm success. Hold on to your hat!
Assuming you have created a deployment and run it, you will have a honeypot seed available for planting. You will see the seed in the details table below your intended deployment.
Click the actions menu (three dots in a box) to the right of this row, then click Plant.
This opens a new window asking you to provide a Planted Location and a Description (free-text fields, just to help you remember where and why you planted this seed). Then click Download (or Cancel, if you have changed your mind).
A file with a .sh extension will now download. This is a bash shell script that you should run on the Linux host where you want to plant the honeypot. Depending on how your workstation is configured, you may need to explicitly allow the download of this file (some systems treat all .sh files as dangerous).
Specific instructions for how you complete this section will vary depending on how you connect to your Linux host, so please adapt the sequence below to suit your situation. (Note: SEED-SLUG should be replaced with the name of your seed.)
Make sure you are in your root folder
Create a folder with the same name as your seed and change directory into it
Create a new file called launcher.sh in Vi and paste in the contents of your clipboard
Press "i" to enter INSERT mode
Paste the script into the new file
Press ESCAPE to leave INSERT mode
Write the new file and quit Vi
Change permissions on the new launcher.sh file to make it executable
chmod +x launcher.sh
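The planting steps above, collected into a single function as an added example. This is not Seedata.io's own code or launcher; it assumes the launcher contents arrive on stdin (the clipboard paste of the vi steps), that the seed folder is created under the directory given as the first argument, and that the seed name is passed as the second. It adds one check a practitioner wants before running any downloaded script: the file must actually start with a shell shebang, since a download blocked or rewritten in transit (a proxy returning an HTML notice, for example) is not a script and should not be made executable.

```shell
#!/bin/sh
# Added example (not Seedata.io code): manual planting steps as one function.
# usage: plant_launcher BASE_DIR SEED-SLUG < downloaded-script.sh
# Prints the path of the prepared launcher.sh on success, returns 1 on failure.
plant_launcher() {
    base="$1"
    slug="$2"                      # replace with the name of your seed
    seed_dir="$base/$slug"

    # Folder named after the seed, as in the planting steps.
    mkdir -p "$seed_dir" || return 1

    # Paste target: write stdin into launcher.sh inside the seed folder.
    cat > "$seed_dir/launcher.sh" || return 1

    # Sanity check: the first line must be a shell shebang (#!/bin/bash,
    # #!/usr/bin/env bash, #!/bin/sh ...). Anything else is not the script
    # you downloaded, so remove it rather than mark it executable.
    if ! head -n 1 "$seed_dir/launcher.sh" | grep -q '^#!.*sh'; then
        echo "launcher.sh for $slug does not start with a shell shebang; not executing" >&2
        rm -f "$seed_dir/launcher.sh"
        return 1
    fi

    # Same permission change as the step above.
    chmod +x "$seed_dir/launcher.sh" || return 1
    echo "$seed_dir/launcher.sh"
}
```

Typical use is `plant_launcher "$HOME" SEED-SLUG < ~/Downloads/SEED-SLUG.sh`, after which you change into the seed folder and run the launcher as the next section describes. The `$HOME` base directory and the download path are assumptions for illustration; use whatever folder and transfer method fit how you reach your host.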
The script will then run and you will be asked to select which secondary IP address should be assigned to the honeypot (help on how to configure new IP addresses is available here). The script will then perform a connectivity check, download the latest image from seedata.io and launch your new honeypot.
If you now return to the seedata.io platform and browse to the detailed view of your seed, you will see that the IP address of your honeypot has been added.
Your honeypot is now active and listening for activity.
Your honeypot can be tested in a number of ways:
You can perform the same activities a bad actor might typically perform and run a network scan against the IP address of the honeypot. Nmap (or any similar network-scanning tool) will enumerate the open ports of the honeypot, causing an event to be recognised on the platform.
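The event the platform raises on a port scan is, at bottom, "one source touching many distinct honeypot ports in a short window". The following added example shows that detection logic on a constructed connection log; it is not Seedata.io code and does not reflect how the platform itself classifies events. The log format (epoch seconds, source IP, destination port, one connection per line), the threshold of five distinct ports and the sixty-second window are all assumptions chosen for the example, and the sample addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example (not Seedata.io code): flag sources whose connections to the
# honeypot look like a port sweep, the footprint an nmap run leaves behind.
# Assumed log format (constructed for this example): "<epoch> <src_ip> <dst_port>"

# detect_scans THRESHOLD WINDOW_SECONDS < log
# Prints "src_ip first_seen distinct_ports" for every source that reached at
# least THRESHOLD distinct ports within WINDOW_SECONDS of its first connection.
detect_scans() {
    awk -v thr="$1" -v win="$2" '
        {
            ts = $1 + 0; src = $2; port = $3
            if (!(src in first)) first[src] = ts          # first contact per source
            if (ts - first[src] <= win) {                 # only count inside the window
                key = src SUBSEP port
                if (!(key in seen)) { seen[key] = 1; n[src]++ }   # distinct ports only
            }
        }
        END {
            for (s in n) if (n[s] >= thr) printf "%s %d %d\n", s, first[s], n[s]
        }
    ' | sort
}

# Constructed sample log: 203.0.113.7 sweeps six ports in two seconds (scan-like);
# 198.51.100.20 makes two ordinary SSH connections fifteen minutes apart.
SAMPLE_LOG='1700000000 203.0.113.7 22
1700000000 203.0.113.7 80
1700000001 203.0.113.7 443
1700000001 203.0.113.7 445
1700000002 203.0.113.7 3389
1700000002 203.0.113.7 8080
1700000010 198.51.100.20 22
1700000900 198.51.100.20 22'

# Run the detector over the sample with the example threshold and window.
scan_report() {
    printf '%s\n' "$SAMPLE_LOG" | detect_scans 5 60
}
```

Only the sweeping source is reported; the repeat SSH connection from the second address never exceeds one distinct port, so it stays quiet. Because a honeypot has no legitimate users, even a lower threshold is defensible there, which is why a single nmap run against the planted IP is enough to register as an event.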