Blog: Honeypots

Create a honeynet, dupe your attackers, build threat intelligence

Ken Munro 24 Mar 2014

I read Cliff Stoll’s book The Cuckoo’s Egg about his use of honeypots to trap an East German hacker in the 80’s a while back. A fascinating read, I read it in one long sitting, I thoroughly recommend it.

Towards the end of the book, he sets up fake user profiles, fake materials and much more, in an attempt to entice offline communications too. Finally, it worked, with a letter arriving at his department addressed to a fake secretary working in an imaginary department.

We can learn a lot from this, creating a source of your own threat intelligence at the same time.

The majority of targeted attacks start with a spear phish. A varying quality of research & profiling is employed by the attacker to find suitable candidates within your organisation to target.

Facebook, Google, LinkedIn and other media are trawled, maybe a little social engineering is employed.

An email arrives, maybe containing a link or an attachment. The user does as the attacker is hoping, the killchain starts and a back door is established.

Now, what if that email account was a fake on your domain that you set up solely for the purpose of monitoring attackers? Now, instead of being compromised, you’ve captured a malware sample and can immediately start looking for other instances of similar content sent to others in your business. Your incident detection and response improves enormously.

Check for any similar patterns on your mail logs. If you have the skills, you could reverse engineer the malware, find out where the connection back goes to. Then get the sample and destination IP address on to VirusTotal or similar quickly and you might just save someone else from being compromised too.

You could do it the hard way, manually seeding social networks with regularly updated profiles. How about a fake PA to the directors and a few other juicy profiles around the business? Staff with access to other resources, possibly with raised privilege, but maybe not suspicious or aware of attacks.

Think about content that would be attractive to the attacker. What do you do? What intellectual property do you have? What about unreleased business performance data? Customer databases? Credit card data? Make those fake roles relevant to the content.

In my experience, new starters are perfect cannon fodder for a spear phish – they aren’t familiar with internal processes, probably haven’t had security inductions yet and feel nervous about speaking up or getting fired in the event of doing something silly on their desktop. So, make some of those profiles look like new starters!

Prepare a honeynet in your business. See what you catch.