
We've been hacked for the 2nd time without knowing how/who did it. Luckily we were able to shut down everything!

We're trying to deploy a honeypot to be in control of what is going on from our local and global connections, but I have a few concerns.

  1. How could the honeypot be a risk when it is a virtual system?
  2. How can it be used to attack other systems?
  3. How can I deploy such a system without affecting critical network services or putting them at risk?

Any security expertise please!

  • "We've been hacked for the 2nd time without knowing how/who did it.": Just a thought, my first preoccupation in such circumstances would be to install better monitoring and detection software in order to prevent any future hack, not a honeypot in order to encourage even more of them... – WhiteWinterWolf Apr 26 '15 at 12:36
  • Your title does not reflect your question. Do you want to know how valuable they can be, or do you want to know about the risks involved with having one? – schroeder Apr 26 '15 at 18:01
  • I guess I'd recommend not setting up a honeypot on your own. They're complicated and not really the first line of defense. If you really need one, bring in a consultant. That said, I'd go with more basic protections first. @GZBK has the right idea. – Neil Smithline Apr 26 '15 at 19:35
  • @NeilSmithline I'm not sure why you say they are complicated. There are many different types of honeypots and some are very easy to set up. – schroeder Apr 27 '15 at 00:15
  • @schroeder It seemed to me that as they were already being hacked without being able to identify the problem, adding a honeypot and gaining useful information out of it would be equally difficult. I'd be interested if you have a pointer to easy-to-install and easy-to-evaluate honeypots. – Neil Smithline Apr 27 '15 at 17:08
  • @NeilSmithline The easiest honeypot is simply a bare OS with monitoring on its services. Any attempt to scan, log in, or use any running service is an instant security incident. Keep it in a VM and revert any changes on a nightly basis, and you prevent persistence of threats. The same can be done with 'honeyusers', etc. – schroeder Apr 27 '15 at 17:24
  • The complexity of honeypots would be in their configuration, and only with research types or any high-interaction honeypots. I'd install and configure a low-level one in less than an hour, including its configs and implementation. – amrx Apr 28 '15 at 23:23
  • I usually don't recommend honeypots unless you know what you are doing. It's better to have a port closed than to risk your network if the honeypot has a real vulnerability. – lepe Apr 27 '16 at 00:52
  • Always when I read "We've been hacked...", my first question is: How do you know you have been hacked? Sometimes what seems like a "hacked" system may just be infected by some malware, etc. Can you describe what you mean by "hacked" please? – lepe Apr 27 '16 at 00:54
  • A very simple honeypot: Artillery. It's quite feature-rich and very easy to install and maintain. You will have an alerts.log file which gives you the most basic information on where someone could've attacked you: IP, port, time. – Gewure Aug 29 '16 at 11:41

2 Answers

A Honeypot will not control connections, so if that is what you want then you are not looking at the right technology.

Honeypots emulate real systems, so unless you actively prevent it, a honeypot will be able to attack other systems, exactly as if it were a real system.

This site has other questions on setting up honeypots, so just have a read of them.


To answer your question on security of honeypots a little further:

I'm currently writing my thesis on honeypots. Security risks of honeypot systems are a big issue. A honeypot should never be run within reach of a production system. Set it up in its own VM and cut all outgoing traffic via a firewall. Most open source low-interaction honeypot systems, like Artillery, are considered secure. But as with every piece of software, there is no such thing as a guarantee of being bug-free.

High-interaction honeypots tend to be more vulnerable than low-interaction systems, which is e.g. why Cowrie answers the question "Is Cowrie secure?" in its FAQ with a 'maybe'. Unless you know exactly what you are doing, I would really recommend not running something like Cowrie on a production system. Artillery can be used, though, I think. It is not the best practice, of course.

www.nestle.de is a good example of a low-interaction honeypot. Port-scan it and you will see a service jungle like never before.

If you have any questions, feel free to ask. I'm happy to have more practical problems as input for my thesis!

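The comments above describe the two things a low-interaction honeypot actually has to do: accept a connection on a port nothing legitimate uses, write one alert line (IP, port, time) and treat every such line as an incident. The following is an added example, not Artillery's code nor anything from the answers on this page. The tab-separated alert format, the `SCAN_PORTS` threshold and the sample log lines are all constructed for the example; Artillery's real alerts.log looks different.

```python
"""Minimal low-interaction honeypot listener plus an alert-log summariser.

Added example (not Artillery's code). Assumed/constructed pieces:
  - alert line format:  <ISO-8601 timestamp>\t<source IP>\t<local port>
  - SCAN_PORTS: distinct ports from one source at which we call it a scan
"""
import datetime
import socket
import tempfile
import threading
from collections import defaultdict

SCAN_PORTS = 3  # assumption: >= this many distinct ports from one source = scan

# Constructed sample alert lines (documentation-range IPs, one malformed line).
SAMPLE_ALERTS = [
    "2015-04-26T12:36:00+00:00\t203.0.113.7\t22",
    "2015-04-26T12:36:01+00:00\t203.0.113.7\t23",
    "2015-04-26T12:36:02+00:00\t203.0.113.7\t445",
    "2015-04-26T12:40:00+00:00\t198.51.100.9\t22",
    "garbage line that a log rotation left behind",
]


def format_alert(src_ip, port, when=None):
    """Render one alert line for a connection attempt (constructed format)."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return f"{when.isoformat()}\t{src_ip}\t{port}"


def parse_alert(line):
    """Return (timestamp, ip, port), or None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    try:
        return datetime.datetime.fromisoformat(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def summarize(lines):
    """Group attempts by source IP.

    Every line is an incident (nothing legitimate should ever touch the
    honeypot), but a source touching several ports is a scan and a source
    hitting one port is a targeted probe; responders triage them differently.
    """
    ports_by_src = defaultdict(set)
    attempts = defaultdict(int)
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # skip junk rather than crash the monitoring job
        _, ip, port = rec
        ports_by_src[ip].add(port)
        attempts[ip] += 1
    return {
        ip: {
            "attempts": attempts[ip],
            "ports": sorted(ports),
            "kind": "scan" if len(ports) >= SCAN_PORTS else "probe",
        }
        for ip, ports in ports_by_src.items()
    }


def accept_and_log(srv, log_path):
    """Accept one TCP connection, close it without speaking any protocol
    (pure low interaction), and append an alert line. Returns the peer IP."""
    conn, (src_ip, _) = srv.accept()
    conn.close()
    with open(log_path, "a") as fh:
        fh.write(format_alert(src_ip, srv.getsockname()[1]) + "\n")
    return src_ip


def run_demo():
    """Constructed end-to-end run on loopback: bind an ephemeral port, connect
    to it once from a helper thread, then summarise the resulting log."""
    log_path = tempfile.NamedTemporaryFile(suffix=".log", delete=False).name
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        client = threading.Thread(
            target=lambda: socket.create_connection(("127.0.0.1", port)).close())
        client.start()
        accept_and_log(srv, log_path)
        client.join()
    with open(log_path) as fh:
        return summarize(fh)


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
    print(run_demo())
```

The listener deliberately never sends a banner or reads input, which is the whole point of low interaction: there is no protocol parser for an attacker to exploit, so the residual risk is confined to the socket accept path. Running it in its own VM with outbound traffic blocked, as the answer above recommends, covers the remaining case where the host itself is compromised by some other route.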