Should I be maintaining a honeypot for my org?

Started by Dieselboy, September 17, 2015, 08:19:02 PM


Dieselboy

Long story short, a security firm sales guy has contacted my manager. Now he wants to deploy this security solution and set up a honey pot. IMO, I'd rather not spend time maintaining something like this, I'd rather ensure security was maintained and monitored. I can see a honeypot may be used as an early warning. Is setting up honeypots the way to go these days?

Reggle

Haven't seen it in production yet. But it can be as simple as setting up routes for private ranges (RFC 1918) towards a server with tcpdump/Wireshark to see any incoming packets to private ranges not in use on your network. You shouldn't see anything... Except scanning software.
Maintenance is what you make of it I think. You can create an entire fake environment, but the above example seems simple enough for me.
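As an added illustration of the sensor Reggle describes (this is not code from the thread), the script below parses `tcpdump -n` style lines as the sensor box would see them, keeps only packets whose destination is an RFC 1918 address the organisation does not actually use, and flags any source that touches several such addresses or ports. The in-use subnets, the sensor line format and the sample capture are all constructed assumptions for the example; replace `IN_USE` with your own address plan.

```python
import ipaddress
import re
from collections import defaultdict

# Everything in RFC 1918 is routed to the sensor except the subnets that are
# really in use. Both lists are constructed for this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IN_USE = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.10.0/24")]

# Shape of a TCP line from "tcpdump -n": "HH:MM:SS.us IP src.port > dst.port: Flags ..."
LINE_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture: one host probing several unused addresses,
# one ordinary connection to an in-use host, one lone hit, one non-IP line.
SAMPLE_CAPTURE = [
    "12:00:01.000000 IP 10.1.5.23.51234 > 10.200.0.7.445: Flags [S], seq 0, win 64240, length 0",
    "12:00:01.100000 IP 10.1.5.23.51235 > 10.200.0.8.445: Flags [S], seq 0, win 64240, length 0",
    "12:00:01.200000 IP 10.1.5.23.51236 > 10.200.0.9.445: Flags [S], seq 0, win 64240, length 0",
    "12:00:01.300000 IP 10.1.5.23.51237 > 172.20.3.3.22: Flags [S], seq 0, win 64240, length 0",
    "12:00:02.000000 IP 192.168.10.4.40000 > 10.1.0.10.80: Flags [S], seq 0, win 64240, length 0",
    "12:00:03.000000 IP 10.1.9.9.5555 > 10.250.1.1.3389: Flags [S], seq 0, win 64240, length 0",
    "12:00:06.000000 ARP, Request who-has 10.1.0.1 tell 10.1.5.23, length 28",
]


def is_dark(ip):
    """True if ip is private (RFC 1918) but not inside any subnet we use."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in RFC1918) and not any(addr in n for n in IN_USE)


def parse_line(line):
    """Return the fields we care about, or None for lines that are not IP/TCP/UDP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}


def darknet_hits(lines):
    """Every packet aimed at an address that nothing legitimate should talk to."""
    return [p for p in map(parse_line, lines) if p and is_dark(p["dst"])]


def suspected_scanners(lines, min_targets=3):
    """Sources that touched at least min_targets distinct (address, port) pairs
    in the unused space. One stray hit is a typo or a misconfiguration; several
    in a row is a sweep."""
    targets = defaultdict(set)
    for hit in darknet_hits(lines):
        targets[hit["src"]].add((hit["dst"], hit["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for hit in darknet_hits(SAMPLE_CAPTURE):
        print("dark hit:", hit)
    print("suspected scanners:", suspected_scanners(SAMPLE_CAPTURE))
```

Because the sensor only ever sees traffic to addresses nobody should be using, almost every line it logs is worth a look, which is what keeps the maintenance low compared with a full decoy environment.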

icecream-guy

Is there any indication that you NEED a honeypot? Has there been any infiltration into the network, suspicious emails, malware, viruses, or other things that might warrant deeper investigation as to what is trying to access your network? Just because someone says you need a honeypot doesn't necessarily make it so. A good pen test package from a reputable security company may be a better way to spend money.

I'd hazard a guess you'd need to spend at least an hour or two every day to parse through the honeypot event logs. Possibly more if something gets hacked. Do you have the investigative skills to determine how the service got hacked and what actions were performed during the infiltration? Do you have the resources and knowledge to understand if the attack is a common one or if it's a zero day? Do you know what to do if you come across a zero-day attack? I don't know, just asking because these are scenarios you may run into.


BTW, what does this "sales guy" propose for putting services into the honeypot? Will there be some way to "reset" the environment and bring everything back to a default state to continue monitoring? What about the compromised service/servers?
You'll need to somehow freeze and save the environment for investigation, or will you have to pull the honeypot offline, perform the investigation, and then reset the honeypot, possibly being down for several hours (and what happens when an operations outage happens while you are investigating)? Last question is, if a server is hacked, do you let it run? Sometimes hackers will infiltrate and come back several days later to perform recon. If you reset the honeypot too quickly the hacker will know that it's a honeypot and go away. Also you might be interested in what those further steps are during the hack, so you might want to leave the honeypot as is after a hack and see what further recon the hacker takes. Really you need to define all this in some sort of framework and policy so the actions you need to take are clearly spelled out, as well as all these honeypot management tasks and the effects of them on the rest of your duties.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Priorities:

1. PERIMETER - not the be all end all, but you still gotta have one. Bulk traffic filter router up front to drop stuff you know you don't want to deal with, firewall, IPS, then the DMZ, internal firewall, internal IPS.

2. Now that you have all that cool stuff, get Netflow running on your internal network.

3. Get a secure DNS solution in place.

4. Consider other security measures.

The Netflow, in particular, can tell you almost the same info as the honeypot will.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

What benefit is the honeypot supposed to provide you? Without knowing your organization I would guess you would get better, and cheaper results by subscribing to one of the cyber intel companies feeds. They run honeypots, and other sensors, and have the expertise that ristau mentioned to understand what they are seeing. Then give their customers reports on what is happening. This is a better fit for almost 99% of the companies out there.

Can you tell us what vendor is saying you need a honeypot? Is it some kind of package they deploy, or is it a custom build type thing that is being proposed?

-Otanx

wintermute000

sounds legit.

but seriously, for example Palo have a feature called DNS Sinkholing where DNS traffic to malicious domains is re-written to a honeypot (which could just be a PC with wireshark). This is useful because normally the FW would see the malicious DNS request coming from your internal DNS server, then you'd have to do hilariously painful log matching to reverse engineer the original host that sent the query. This is an example of a 'honeypot' type of deployment that is actually useful.

So, as the great Ivan Pep says, 'it depends' lol.
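An added example, not from wintermute000's post or from any vendor, of the two attribution paths described above in Python. The "painful log matching" is modelled as a time-window join between firewall DNS events (which only ever show the internal resolver as source) and the resolver's own query log; the sinkhole path simply reads the capture on the sinkhole box, where the connecting client's address is the real host. The log line formats, the sinkhole address `10.1.250.250` and all sample lines are constructed for the example and do not reproduce any product's real log syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SINKHOLE_IP = "10.1.250.250"  # constructed: the PC with Wireshark that sinkholed names resolve to

# (a) Firewall DNS log. Every query leaves through the internal resolver, so the
#     firewall always reports the resolver (10.1.0.53) as the source.
FW_DNS_RE = re.compile(r"^(\S+) dns src=(\S+) qname=(\S+) verdict=(\S+)$")
# (b) Resolver query log: the only place the original client is recorded.
RESOLVER_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+)$")
# (c) tcpdump -n capture on the sinkhole box: the client connects to it directly.
CAP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample data for the three sources.
FW_DNS_LOG = [
    "2015-09-18T10:00:01 dns src=10.1.0.53 qname=bad.example verdict=sinkhole",
    "2015-09-18T10:00:02 dns src=10.1.0.53 qname=www.example.org verdict=allow",
]
RESOLVER_LOG = [
    "2015-09-18T10:00:00 client=10.1.5.23 qname=bad.example",
    "2015-09-18T10:00:01 client=10.1.5.40 qname=bad.example",    # same name, same second: ambiguous
    "2015-09-18T10:00:02 client=10.1.5.23 qname=www.example.org",
    "2015-09-18T10:00:30 client=10.1.5.99 qname=bad.example",    # outside the join window
]
SINKHOLE_CAPTURE = [
    "10:00:03.100000 IP 10.1.5.23.51234 > 10.1.250.250.80: Flags [S], seq 1",
    "10:00:03.200000 IP 10.1.5.23.51235 > 10.1.250.250.443: Flags [S], seq 2",
    "10:00:04.000000 IP 10.1.5.40.40000 > 10.1.250.250.80: Flags [S], seq 3",
    "10:00:05.000000 IP 10.1.5.77.40001 > 10.1.0.10.80: Flags [S], seq 4",  # unrelated traffic
]


def attribute_via_logs(fw_lines, resolver_lines, window=timedelta(seconds=5)):
    """The painful way: for each sinkholed firewall DNS event, find resolver log
    entries for the same name within `window`. Returns {qname: set(clients)};
    any name several clients asked for in the window stays ambiguous."""
    resolver = []
    for line in resolver_lines:
        m = RESOLVER_RE.match(line)
        if m:
            resolver.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    suspects = defaultdict(set)
    for line in fw_lines:
        m = FW_DNS_RE.match(line)
        if not m or m[4] != "sinkhole":
            continue
        ts, qname = datetime.fromisoformat(m[1]), m[3]
        for rts, client, rqname in resolver:
            if rqname == qname and abs(rts - ts) <= window:
                suspects[qname].add(client)
    return dict(suspects)


def attribute_via_sinkhole(capture_lines, sinkhole_ip=SINKHOLE_IP):
    """The sinkhole way: whatever connects to the sinkhole address resolved a
    sinkholed name, and the packet's source is the real client. Returns
    {client: sorted list of destination ports it tried}."""
    clients = defaultdict(set)
    for line in capture_lines:
        m = CAP_RE.match(line)
        if m and m[3] == sinkhole_ip:
            clients[m[2]].add(int(m[4]))
    return {client: sorted(ports) for client, ports in clients.items()}


if __name__ == "__main__":
    print("log join   :", attribute_via_logs(FW_DNS_LOG, RESOLVER_LOG))
    print("sinkhole   :", attribute_via_sinkhole(SINKHOLE_CAPTURE))
```

The join needs two log sources, a time window you have to guess at, and still cannot separate two clients that asked for the same name at the same moment; the sinkhole capture names each client outright, and the ports it went on to try are a bonus.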

Reggle

Quote from: deanwebb on September 18, 2015, 09:43:27 AM
    3. Get a secure DNS solution in place.

Can you elaborate on that one? You mean DNSsec, DNScrypt, ...?

deanwebb

Quote from: Reggle on September 19, 2015, 07:06:24 AM
    Quote from: deanwebb on September 18, 2015, 09:43:27 AM
        3. Get a secure DNS solution in place.
    Can you elaborate on that one? You mean DNSsec, DNScrypt, ...?

I was thinking of Infoblox, actually.

wintermute000

we flog a lot of infoblox at my consultancy, they're pushing for me to get trained up (runs away screaming)

deanwebb

Quote from: wintermute000 on September 19, 2015, 09:38:50 PM
    we flog a lot of infoblox at my consultancy, they're pushing for me to get trained up (runs away screaming)

You knew the job was dangerous when you took it. :)

Dieselboy

Thanks for everyone's input on this one!
I've been working on getting sourcefire / firepower on our ASAs anyway.

Your responses here have given me reassurance on my reply to my manager :). In short, no I don't think we need to spend resources on this type of exercise. We will have the ASAs running netflow / firepower which will give us this insight. We have not had any security issues or concerns (that I'm aware of). I barely have time to complete the tasks I'm assigned let alone spending an hour a day maintaining an environment to attract attacks for no warranted reason. :)

Dieselboy

http://www.ancoz.com.au/decoynet-security/

Here's the link to the company website. I don't like this whole idea of luring attackers. Firewalls get enough of that already.