Honeypots are dead easy and, used appropriately, can be implemented on existing infrastructure (overlay honeypots). Attackers will trip over them, which slows attackers down and makes detection both easier and quicker. This five-minute conference talk discusses some clever methods of implementing honeypots on existing infrastructure, which give readers multiple response options to confuse, frustrate, and drive attackers to tears!

This is a live transcription, so some thoughts and slides are missing; will update if the videos get released.

Good Truths

  1. Attackers expect “normal” and are usually an Adequate Persistent Threat (APT).
  2. Attackers are predictable in that they do recon, probing, exploitation, and post-exploitation.
  3. Web architectures are easy to “honey”, whether it’s a classic N-tier architecture with presentation, application, and a data store, or a web services micro-architecture.

Honeypots to Confuse

Convolute the recon phase with the portspoof tool on Linux.

```bash
# Run portspoof on port 443 with a set of signatures for various services
sudo portspoof -p 443 -s /home/douglas/portspoof/tools/portspoof_signatures

# Test by running nmap against the host
nmap $ip -sV -T5 -p 443 -n
```

Honeypots Misdirect

Misdirect an attacker’s probe by altering the robots.txt file with honey entries. If an attacker sees the robots.txt file, they are going to data-mine all of the resources noted within. Populate this file with honey entries AND have the associated resources present (e.g. uploader.jsp). When an attacker interacts with this functionality, the web account writes the files to the upload directory and, simultaneously, a touch command is run on a file in the web root that makes it look like the web shell was uploaded. However, the attacker can’t do anything with this.

Honeypot Logging

Log interactions with the honeypot resources to understand what an attacker is attempting to do. Additionally, feed the information gathered from monitoring the honeypot into the security solutions present at one’s company (e.g. the IDS, to monitor all connections from that IP and see whether it has connected to other systems).
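As an added example (not code from the talk), the robots.txt lure, the fake uploader.jsp, and the logging described above written as a small Python request handler. The decoy paths other than uploader.jsp, the upload directory, the JSON log format, and the handler's signature are assumptions.

```python
import hashlib
import json
import re
import time
from pathlib import Path

# Honey entries for robots.txt: uploader.jsp is from the talk, the other two are constructed.
HONEY_PATHS = ("/uploader.jsp", "/backup/", "/old_admin/")
ROBOTS_TXT = "User-agent: *\n" + "".join(f"Disallow: {p}\n" for p in HONEY_PATHS)
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # rejects traversal tricks in the upload name


def honey_event(remote_addr, method, path, **extra):
    """One JSON log line per honey interaction; ship these to the IDS/SIEM and pivot on src."""
    rec = {"ts": int(time.time()), "src": remote_addr, "method": method, "path": path, **extra}
    return json.dumps(rec, sort_keys=True)


def handle_request(method, path, remote_addr, body, upload_dir, web_root, filename="shell.jsp"):
    """Return (status, response_body, log_line); log_line is None for ordinary traffic."""
    if path == "/robots.txt":
        return 200, ROBOTS_TXT, None
    # A GET for the zero-byte decoy created below: serve it (nothing runs) and log the attempt.
    decoy = Path(web_root) / Path(path).name
    if method == "GET" and decoy.is_file() and decoy.stat().st_size == 0:
        return 200, "", honey_event(remote_addr, method, path, decoy_hit=True)
    if path not in HONEY_PATHS:
        return 404, "Not Found", None
    if method == "POST" and path == "/uploader.jsp":
        name = Path(filename).name
        if not SAFE_NAME.match(name):
            name = "upload.bin"
        # The real bytes land outside the web root, where the server will never execute them.
        (Path(upload_dir) / name).write_bytes(body)
        # Zero-byte file of the same name in the web root: looks uploaded, does nothing.
        (Path(web_root) / name).touch()
        log = honey_event(remote_addr, method, path, stored_as=name, size=len(body),
                          sha256=hashlib.sha256(body).hexdigest())
        return 200, f"Uploaded {name}", log
    # Any other touch of a honey path (e.g. a GET of /backup/) is worth a log line too.
    return 200, "<html><body>OK</body></html>", honey_event(remote_addr, method, path)
```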

Honeypots Lie

Configure a Web Services Description Language (WSDL) file to have functions that are attractive to a user, such as “actionCSRImpersonateCustomer” with an attractive documentation attribute like “Allow phone rep (CSR) to become any user. Internal use only”. When things like this are set up, the speaker observed threat actors trying to interact with the API endpoint, which allows them to be monitored more closely. Another idea is “CBCStreamAuthenticator” with “Crypto stream generator.” for companies involved with cryptocurrencies. Who is interacting with this endpoint, and what are the failed logins?

Honeypots Buy Time

Honey data can be created by adding a table to a database, such as DESCRIBE CC_Info. Populate this table with data and expect that only the maintenance service accounts and backup service accounts will access it. From here, enable query logging on this table to reveal potential SQL injection and other web app attack attempts, knowing that no native web application functionality should be querying these tables. Another idea is DESCRIBE Potential_Explore_Sites; with a valid schema such as Site_ID, LAT, LONG, Purch_Max, and Purch_Date, for clients that may be involved in identifying natural resources around the globe. The key is that the honey data is related to the organization and is something that an attacker would be interested in going after.
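An added example, not from the talk, of the query-logging check described above. It reads lines in MySQL general-log style (the sample lines are constructed), tracks which account each connection thread belongs to, and flags any query touching CC_Info or Potential_Explore_Sites from an account other than the maintenance and backup service accounts; the account names are assumptions.

```python
import re

# Honey tables from the talk and the only accounts expected to touch them (names constructed).
HONEY_TABLES = ("CC_Info", "Potential_Explore_Sites")
ALLOWED_USERS = {"maint_svc", "backup_svc"}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")  # time, thread id, command, argument
CONNECT_RE = re.compile(r"^(\w+)@")                        # Connect argument: user@host on db ...
TABLE_RE = re.compile(r"\b(" + "|".join(HONEY_TABLES) + r")\b", re.IGNORECASE)


def scan_general_log(lines):
    """Return one alert per query that touches a honey table from an unexpected account."""
    user_by_thread = {}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # header and continuation lines of multi-line statements are skipped
        ts, tid, cmd, arg = m.groups()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            user_by_thread[tid] = c.group(1) if c else "unknown"
        elif cmd == "Quit":
            user_by_thread.pop(tid, None)
        elif cmd in ("Query", "Execute", "Prepare"):
            hit = TABLE_RE.search(arg)
            user = user_by_thread.get(tid, "unknown")  # no Connect seen: treat as unexpected
            if hit and user not in ALLOWED_USERS:
                alerts.append({"ts": ts, "thread": tid, "user": user,
                               "table": hit.group(1), "query": arg})
    return alerts


# Constructed sample in MySQL general-log style, not real traffic.
SAMPLE_LOG = """\
2019-10-25T14:02:11.123456Z\t   12 Connect\tbackup_svc@localhost on shopdb using Socket
2019-10-25T14:02:11.223456Z\t   12 Query\tSELECT * FROM CC_Info
2019-10-25T14:02:12.000000Z\t   12 Quit\t
2019-10-25T14:05:40.000001Z\t   31 Connect\twebapp@10.0.0.5 on shopdb using TCP/IP
2019-10-25T14:05:41.000001Z\t   31 Query\tSELECT name FROM products WHERE id=7
2019-10-25T14:05:42.000001Z\t   31 Query\tSELECT name FROM products WHERE id=7 UNION SELECT card_no FROM cc_info
"""
```

The web application account never has a legitimate reason to name these tables, so a single match from it is a high-confidence signal rather than something to tune thresholds for.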

Honeypots

It is common to use the Internet Wayback Machine and Google Cache to begin enumeration. Michael Hogue Rinnie came up with the idea of poisoning your own websites with fake pictures, CSS, XML schemas, and JavaScript so that the website generates a 404 when the Wayback Machine / Google Cache attempts to load the resource. An organization monitoring for hits on these fake endpoints would be made aware of an attacker’s initial recon-gathering steps.

Honeypots Hurt

Make sure to get approval from legal, and then upload a zip bomb, in the form of a document (since document formats are zip archives), to a directory listed in robots.txt. For finance clients, add Disallow: /quarterlyreports/ and Disallow: /nextquarterreportsdraft/ and put the zip bomb within.

Honeypot PDF

No one knows what a valid PDF is, so we can make a valid msfvenom payload and put it in a PDF. We can grab the IP address and their location legally due to case law. Another WSDL idea is “QuoteGeneratorPDF” with a description of “Generate Quote PDF. If no quote ID is given, send all PDFs associated with current user.” When a threat actor is enticed to interact with these API endpoints after analyzing the WSDL, the owners of the application would know a threat actor is performing an active attack, since there aren’t any “normal user” interaction points with these honeypot API endpoints.
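An added example (not the speaker's code) covering the WSDL lures from the "Honeypots Lie" section and the QuoteGeneratorPDF operation above: it emits a wsdl:portType that mixes real operations with the three honey operations and their documentation strings, then classifies an incoming SOAP request by whether its SOAPAction header or body element names a honey operation. The target namespace, port type name, and message naming are assumptions.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
TNS = "urn:example:honey"  # assumed target namespace for this example
ET.register_namespace("wsdl", WSDL)

# Lure operations and documentation strings quoted in the talk.
HONEY_OPS = {
    "actionCSRImpersonateCustomer": "Allow phone rep (CSR) to become any user. Internal use only",
    "CBCStreamAuthenticator": "Crypto stream generator.",
    "QuoteGeneratorPDF": "Generate Quote PDF. If no quote ID is given, "
                         "send all PDFs associated with current user.",
}


def build_port_type(real_ops):
    """Return a wsdl:portType (as XML text) listing real operations plus the honey ones."""
    port = ET.Element(f"{{{WSDL}}}portType", name="CustomerService", targetNamespace=TNS)
    for name, doc in list(real_ops.items()) + list(HONEY_OPS.items()):
        op = ET.SubElement(port, f"{{{WSDL}}}operation", name=name)
        if doc:  # the documentation text is the bait an attacker reads first
            ET.SubElement(op, f"{{{WSDL}}}documentation").text = doc
        ET.SubElement(op, f"{{{WSDL}}}input", message=f"tns:{name}Request")
        ET.SubElement(op, f"{{{WSDL}}}output", message=f"tns:{name}Response")
    return ET.tostring(port, encoding="unicode")


def honey_operation(headers, body):
    """Name of the honey operation a SOAP request targets, or None for normal traffic."""
    candidates = set()
    action = headers.get("SOAPAction", "").strip().strip('"')
    if action:  # "urn:x/Op" or "urn:x:Op" -> "Op"
        candidates.add(action.rsplit("/", 1)[-1].rsplit(":", 1)[-1])
    try:
        for el in ET.fromstring(body).iter():
            candidates.add(el.tag.rsplit("}", 1)[-1])  # strip the namespace from each tag
    except ET.ParseError:
        pass  # malformed XML still hit the endpoint; the SOAPAction check above still applies
    for op in HONEY_OPS:
        if op in candidates:
            return op
    return None
```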

Recap

Honeypots are dead easy, overlay honeypots are best, and the advantages of honeypots include slowing down attackers, making detection easier, and making detection quicker. This looks and feels like the real deal because we’re configuring the real thing with an “overlay” honeypot.

Conventional Wisdom Isn’t Wise

If one has to do all the things before one does “active defense”, then the active defense will never be done.

Questions & Answers

##### How do we prevent blocking real customers?
    Implement QoS as threat actors interact with honeypots so that the performance is degraded for the threat actor.
##### The fear of unintended consequences and overall reluctance to implement these?
    Killing a NAT IP for an education facility when it's just one attacker on their network could be risky. Thoroughly consider the implications of the controls being put in place.
##### How do you address the question of "If we have honeypots, doesn't that make the attacker angrier?"
    This is a bankrupt idea; attackers will attack, just like they did the faux airfields in Britain during WW2.
##### How much to give an attacker in a honeypot?
    Don't give real usernames and passwords, but do give them an account that looks legit and a password that looks legit but isn't.
##### Any interesting techniques from the shells that have been uploaded?
    Seeing more reliance on living-off-the-land attacks and not necessarily uploaded web shells.
##### Any differentiation between internal and external honeypots?
    One of his favorite things to trigger on is the X-Forwarded-For header in HTTP requests, which implies traffic is being MITM-ed. Redirect the traffic to another web server.
##### What if you're having a pen test done and don't want to burn their cycles?
    If the pentester or consultant is burning cycles, let the pen tester know so they are testing what they should be testing, and not a honeypot.

Reference Index
Estimated date of talk: Wild West Hackin’ Fest 2019
Slides: WWHF
Title: Active Defense Web Edition: Web Apps Dripping with Honey!
Speaker: Mick Douglas, owner of Infosec Innovations