A strong detection and response capability is required for the success of security program because prevention eventually fails and a motivated attacker can always find a way in. However, economics are not in favor of network security monitoring (NSM). Due to the hardware, software, and labor required it's expensive to deploy an NSM capability and hire qualified analysts to maintain and investigate the high volume of alerts, especially at scale. In this presentation I'll discuss how honeypots are re-emerging as a practical solution for driving down the cost of network security monitoring. These aren't your traditional honeypots meant to sit outside the firewall to research automated malware. These are focused, use case specific honeypots that are designed to provide detection with a favorable signal to noise ratio. By integrating honeypots into your NSM strategy and taking a targeted approach, a grid of honeypots can realistically become your most cost effective detection tool. I'll make the case for honeypots like these and discuss implementation strategies that I've seen work. You should come away from this presentation with a unique perspective on honeypots and an actionable plan you can use to start evaluating and deploying tactical honeypots in your network.

2. CHRIS SANDERS
Twitter: @chrissanders88 | Mail: chris@chrissanders.org
Researcher | Author | SANS GSE #64 | BBQ Pitmaster

3. Agenda
 What is the history of honeypots?
 Why aren’t honeypots used more?
 How can I use honeypots for detection?
 What are common misconceptions about
honeypots?
 What honeypots can I deploy?

5. Meet Cliff Stoll!

6. Monitoring the Attack

7. The Honeypot (1986)

8. The Cuckoo’s Egg
http://chrissanders.org/cuckoosegg

9. Meet Bill Cheswick!

10. The Honeypot (1991)

11. An Evening with Berferd (1991)

12. The Honeynet Project (1999)

13. Honeypot Timeline – Formative
Years
1986
•Cliff Stoll
Creates the
SDINET
Honeypot
1989
•The
Cuckoo's
Egg
Published
1992
•An
Evening
with
Berferd
1997
•Deception
Toolkit
Released
1998
•Cyberco
p Sting
Release
d
1999
• Honeynet
Project
Begins
2003
• Honeyd
Released
2003
• Honeypots
(Sptizner)
Published
2008
• Honeynet
Project
• Monitors
MS08-067

14. Disappearance of Production
Honeypots
 Reasons:
 Most publications focused on research
 Lack of great tooling
 A lot of baggage with the term
 Slow Re-emergence:
 2013: Applied NSM, Chris Sanders
 2015: Bring Back the Honeypots, Haroon Meer
 2016+: Multiple deception vendors enter the
space
Production Research

16. What is a honeypot?
A honeypot is
a security
resource
whose only
value lies in
being probed
or attacked.
Deceptive
Discoverab
le
MonitoredInteractive

17. Research Honeypots
 Deceptive: Designed
to appear vulnerable
to exploitation
 Discoverable:
Placed outside the
firewall on the public
internet
 Interactive: Provide
high interaction
 Monitored: Logged
for later review

18. Detection Honeypots
Nobody
should
ever talk
to a
honeypot
 Deceptive: Appear
valuable by
representing org
resources.
 Discoverable:
Placed inside the
network
 Interactive: Provide
minimal interaction
 Monitored:
Configured to
log/alert when
touched

21. Home Field Advantage
You want the attacker to SEE systems, services, or data
that are actually honeypots.
You want the attacker to THINK the honeypots are
valuable.
You want the attacker to DO something that causes an
interaction with the honeypot.
What is valuable on your network?
Attacker
Foothold
Valuable DataCompromise Path

22. SoupCorp Distribution Data
 Windows Workstations
 Database Server
 Contains Customer
Information
 Managed via SSH
 Web App Server
 Queries Data from DB
Server
 Managed via SSH

23. SSH Honeypot
See:
 A system advertising
open port 22.
Think:
 It’s valuable because
it is surrounded by
other valuable servers
Do:
 Scan, connect to, or
authenticate to the
SSH service
The Attacker

24. SSH Honeypot
 Deceptive: A service
mimicking SSH
access to a
production system
 Discoverable:
Responds to network
requests
 Interactive:
Responds to
authentication
requests
 Monitored:
Generates alerts on
The Honeypot

25. SoupCorp Recipe Data
 File Server
 Employee data
 Secret soup recipes
 Workstations
 Mount network drives to file
server

26. File Server Honeytoken
 See:
 An excel file
 Think:
 It’s valuable
because it has an
enticing name and
is surrounded by
other valuable files
 Do:
 Open, copy, or
move the file
The Attacker

27. File Server Honeytoken
 Deceptive: An Excel
document containing
no production data.
 Discoverable: Placed
among other files on
a real network share.
 Interactive: Can be
opened like a normal
excel doc.
 Monitored:
Generates logs/alerts
on access, open, or
modification.
The Honeypot

28. See-Think-Do
 See:
 At what points on the network will the attacker
have visibility to sensitive assets?
 Think:
 What kind of honeypot can I deploy that will
appear valuable to the attacker?
 Do:
 How can the attacker interact with the honeypot in
a way that is enticing to them, and meaningful to
me?

30. AWS Credential Honeypot
1. Create AWS IAM
credentials with no
permissions.
2. Setup
CloudTrail/CloudWatch to
notify on key usage
3. Spread references to
credentials in meaningful
locations.
 Developer laptops
 Configuration files
 ~/.aws/credentials
https://blog.rapid7.com/2016/11/30/early-warning-detectors-using-aws-access-keys-honeytokens/

31. Tracking E-Mail Usage
1. Create a unique e-mail
account to register for a
service.
2. Monitor the inbound e-
mail to that account.
3. Setup a rule that
forwards the e-mail to a
centralized location if it is
not from an expected
sender.
https://money.cnn.com/2016/07/07/news/presidential-candidate-sell-donor-data/index.html
https://blog.erratasec.com/2015/09/i-gave-10-to-every-presidential.html

32. DHCP Rogue Device Honeypot
1. Assign static IP
addresses in
sensitive ranges.
2. Enable DHCP for the
range, but segment
network access for
dynamic
assignments.
3. Log DHCP
assignments and
alert on assignments
in this range.

33. Honey Tables / Records
1. Create an appealing
database table with
no production value
2. Log database
queries
3. Monitor queries
containing
references to the
honeytable and alert
on access.
1. Create a
user/password
database table
2. Populate the table
with fake
credentials.
3. Monitor
authentication logs
for attempts to use
the fake credentials.
Access-Based Strategy Token-Based Strategy

36. Your First Honeypot
1. Browse to
https://canarytokens.or
g
2. Create a word
document honeytoken
3. Scatter it amongst
locations containing
valuable documents.
4. Wait.

37. Recommended Honeypot
Software
Honeypots
OpenCanary
Tom’s Honeypot
Cowrie (SSH)
RDPY (RDP)
CanaryTokens.org
Management
Ansible
Docker
Chef
Alerting
Windows Logs
Suricata
Bro
SIEM
ELK

38. References
 https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-
Espionage/dp/1416507787
 http://chrissanders.org/cuckoosegg
 http://www.cheswick.com/ches/bio.html
 http://www.cheswick.com/ches/papers/berferd.pdf
 https://www.honeynet.org/about
 https://money.cnn.com/2016/07/07/news/presidential-
candidate-sell-donor-data/index.html
 https://blog.erratasec.com/2015/09/i-gave-10-to-every-
presidential.html
 https://blog.rapid7.com/2016/11/30/early-warning-detectors-
using-aws-access-keys-honeytokens/

39. Thank You!
Mail: chris@chrissanders.org
Twitter: @chrissanders88
Blog: chrissanders.org
Training: http://chrissanders.org/training
Slides: http://slideshare.com/chrissanders88