What is a Honeypot and how it lures cyberattacks

  • Writer: adib shadman
  • Apr 29, 2021
  • 9 min read

Updated: May 6, 2021

Introduction


How serious a problem is cybercrime? (Dan, 2020) reported a study by Cybersecurity Ventures predicting that these crimes will cost the world $6 trillion a year by 2021. (Rohit, 2020) stated that over 90,000 websites are hacked every day. WordPress is the most hacked CMS, with 83% of hacked websites running on the WordPress platform. In most cases, hackers are looking for low-hanging fruit: cyber assets with the highest value and the weakest security. During the last two decades, many techniques have been deployed to detect malicious activity and protect legitimate systems, such as firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and honeypots. However, an attacker can bypass a firewall if it is not properly configured, and a signature-based IDS is unable to detect zero-day attacks. A honeypot provides increased visibility and allows IT security teams to defend against attacks that the firewall fails to prevent.

Definition


The concept of a honeypot was first described in the book The Cuckoo’s Egg, published in 1989. (Roland, 2019) states that one of the first formal definitions of a honeypot was given by Lance Spitzner (2002): “A honeypot is very different from most traditional security mechanisms. It is a security resource whose value lies in being probed, attacked, or compromised.”

A honeypot is an additional layer of security protection that can be used alongside a firewall and other security solutions to help protect a network from hackers. (Ben, 2019) states that honeypots are typically virtual machines intended to imitate real machines by faking the appearance of services and applications; open ports are exposed just as on a typical system or server on the network. (Kukoba, 2018) states that a common honeypot consists of two components: a vulnerability emulation system and a monitoring tool. The first makes the attacker believe that there is a weak spot in the system that they can compromise. The monitoring system, in turn, notifies the system administrator once attackers try to exploit the vulnerability that has been deliberately left exposed. (Usha et al., 2018) compared IDS systems with a honeypot integrated with an IDS. They used both multicast and unicast IP addresses for the analysis. The results showed that the percentage of intrusions detected with the help of the honeypot system is higher than that detected by the intrusion detection system alone.



Developing honeypots


Creating the vulnerability emulation system is one of the biggest challenges in honeypot development. (Kukoba, 2018) stated that the level of operating system interaction is the main source of problems. Since the actions of malware cannot be predicted once it is activated, the administrator cannot create a fully secure sandbox. So even when placed in a honeypot and given no freedom with the real system, malware may leave the honeypot without initiating any suspicious action and remain undetected. At the same time, the system administrator should be careful about the access level granted to the malware and protect the system from irreparable damage.

(Roland, 2019) stated that to collect information about the behavior of attackers, they need to be lured to the honeypot. He further states that one method for luring attackers is spreading fake RDP, email, cloud-environment, SSH and FTP credentials. Different strategies are used to generate these fake credentials.

Roland (2019) further stated that honeypots without a lot of historic data and with limited resources can easily be detected. These issues have been addressed by creating a story around the honeypot which is reflected in every aspect of it. The content of the honeypot is also carefully chosen to look like the content an attacker would normally find on a production server. Software such as the Splunk Forwarder is used to monitor honeypots. The objective of the Splunk alert is to check the RDP session and detect whether the attacker stops the honeypot's monitoring system.


Classification of honeypots


Honeypots are classified by the degree to which the attacker can interact with the application or services. (Kukoba, 2018) classified honeypots into two categories:


Low interaction honeypots


Low-interaction honeypots emulate vulnerabilities rather than presenting real ones, therefore restricting the attacker’s ability to interact with them. They are mainly used as decoys. For example, instead of installing a whole web server, the administrator can run a small script that emulates an open port on the system with some basic replies, and use it to deceive the vulnerability scanners used by the hacker. Low-interaction honeypots are easy to detect. (Roland, 2019) stated that static honeypots are more likely to be detected by the attacker, as the same setup is used for all the honeypots and it does not change after redeployment. Low-interaction honeypots are also easier to deploy because there is no need to update the configuration or behavior of the honeypot. (Hasan, 2018) described some low-interaction honeypot implementations:

RDPY – a Remote Desktop Protocol implementation in Python that mimics the Microsoft Remote Desktop Protocol (RDP). This honeypot is mainly used to capture connection and username/password attempts.

Glastopf – a web application honeypot capable of emulating thousands of web-based vulnerabilities. Its primary objective is to reply to attackers with what they expect from an exploit attempt.

Dionaea – a honeypot that supports several protocols such as HTTP, MySQL, SMB, TFTP and more. Its primary objective is to capture attack payloads and malware.

Kippo – an SSH-based medium-interaction honeypot designed to log a wide range of attacker activities, including brute-force logins and full shell interaction. Its main features include a fake file system with the ability to add and remove files, and trickery in pretending to execute binaries, commands and more. An updated branch of Kippo named Cowrie was created when it was found that Kippo did not log complete details of some SSH attacks. It added capabilities such as proxy support, SFTP and SCP.
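As an added illustration (not code from the post or from any of the tools it cites), here is a minimal low-interaction honeypot in Python of the kind described above: one part emulates an open FTP port with a few canned replies and records every credential attempt, the other part is the monitoring tool that flags peers making repeated failed logins, the pattern of an automated dictionary attack. The banner hostname, port 2121 and the alert threshold are constructed values.

```python
import socket
from collections import Counter
from datetime import datetime, timezone

BANNER = b"220 ftp.example.internal FTP server ready\r\n"  # constructed fake banner, placeholder host


class FakeFtpSession:
    """Emulation half: just enough FTP to record USER/PASS attempts; never grants a login."""

    def __init__(self, peer):
        self.peer = peer
        self.user = ""
        self.events = []  # one dict per credential attempt

    def respond(self, line):
        cmd, _, arg = line.strip().partition(b" ")
        cmd = cmd.upper()
        if cmd == b"USER":
            self.user = arg.decode("latin-1")
            return b"331 Password required\r\n"
        if cmd == b"PASS":
            self.events.append({"ts": datetime.now(timezone.utc).isoformat(),
                                "peer": self.peer, "user": self.user,
                                "password": arg.decode("latin-1")})
            return b"530 Login incorrect\r\n"  # every attempt fails
        if cmd == b"QUIT":
            return b"221 Goodbye\r\n"
        return b"502 Command not implemented\r\n"


def dictionary_attack_alerts(events, threshold=5):
    """Monitoring half: peers with >= threshold failed logins, i.e. likely dictionary attacks."""
    per_peer = Counter(e["peer"] for e in events)
    return {peer: n for peer, n in per_peer.items() if n >= threshold}


def serve(host="0.0.0.0", port=2121, log=print):
    """Bind the decoy port and run one FakeFtpSession per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            session = FakeFtpSession(addr[0])
            with conn, conn.makefile("rb") as lines:
                conn.sendall(BANNER)
                for line in lines:  # ends when the client disconnects
                    conn.sendall(session.respond(line))
            for event in session.events:
                log(event)  # hand each attempt to the alerting side
```

Feeding the logged events to dictionary_attack_alerts periodically gives the administrator the notification that the monitoring component exists for.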


High interaction honeypots


In contrast to low-interaction honeypots, high-interaction honeypots allow hackers to proceed freely up to a point. Their strength is that they make it impossible for hackers to tell whether they are in a real environment or in a virtual one specifically crafted to deflect the attack. (Kukoba, 2018) states that high-interaction honeypots can redirect the attacker to a virtual machine or sandbox, or use dedicated machines to make the environment look as realistic as possible. These systems are much harder to develop due to the difficulty of creating multiple environments simultaneously. (Cindy, 2020) stated that high-interaction honeypots (if properly installed and deployed) capture more information – the IP address, in some cases the name of the individual, the type of attack and how it was executed – and ultimately allow defenders to learn how to better protect the network.


(Roland, 2019) discussed hybrid honeypot systems, which consist of multiple honeypots with different interaction levels. By combining low- and medium-interaction honeypots with high-interaction ones, the advantages of each type can be achieved. Low- or medium-interaction honeypots can be used as the front end, as they have the advantage that they can be deployed in large numbers. High-interaction honeypots, which are more time consuming and deployed in small numbers, serve as the back end. Multiple front-end honeypots are connected to the same back-end honeypot.

Besides these, pure honeypots are full-fledged production systems. The activities of the attacker are monitored using a bug tap installed on the honeypot’s link to the network, and no other software needs to be installed.

In addition, (Honeypot_Computing, n.d.) also introduced malware and database honeypots. A malware honeypot is created to simulate vulnerable apps, APIs and systems in order to attract malware attacks; the data collected is later used for malware pattern reconnaissance. Databases, moreover, are often attacked by intruders using SQL injection. As such activities are not recognized by basic firewalls, companies often use database firewalls for protection. Some SQL database firewalls provide or support honeypot architectures, so that the intruder runs against a trap database while the web application remains functional.

Effectiveness of Honeypots


Honeypots help to prevent spoofed attacks by detecting them. They do not themselves protect computer systems from intrusion. Some of the advantages of using honeypots are:

Ransomware Attack Prevention


(Ben, 2019) examined ransomware threats to healthcare organizations in his paper. (Ponemon Institute, 2019) surveyed organizations and found that healthcare had the highest costs related to data breaches, at $6.45 million, over 60% higher than the average of all industries combined.

Note. Adapted from “Cost of a data breach report,” by Ponemon Institute, 2019, p. 26 (https://databreachcalculator.mybluemix.net/). Copyright 2019 by Ponemon Institute

(Ben, 2019) described ransomware attacks as targeting systems in four general phases: installation, command and control, key generation, and ransom payment. The infection chain begins with the ransomware executing a succession of installation startup processes called explorer.exe. After installation, a communication channel is created between the ransomware and the command and control server (C&C). Key generation then creates the encryption keys used to encrypt and decrypt the data. The final stage of the ransomware attack is the demand for ransom.


Patient information is stored in cloud infrastructure. (Al-Hamid et al., 2017) described how healthcare cloud computing raises a range of security concerns, including legal and policy issues, data protection, privacy protection, lack of transparency, cybersecurity issues, absence of security standards, and software licensing. Using honeypots in a fog-computing facility can enhance data privacy in the health industry. A credible decoy makes it impossible for the attacker to realize that the data is not authentic. (Chen et al., 2017) presented a theoretical review of the potential value of decoys in the health industry: preventing outflows of sensitive information, guarding against data loss caused by reckless employees or insider threats, and stopping ransomware from stealing data across the organization's border.


Honeypots in industrial environments


(Danny, 2020) discussed how malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyber-attacks, including ransomware and cryptocurrency miners. The incidents were spotted by researchers at the cyber-security company Trend Micro, who built a honeypot that mimicked the environment of a real factory. A few weeks after the honeypot went live, attackers found their way in and installed cryptocurrency mining malware to exploit the factory's resources and generate bitcoin. Some of the attackers went so far as to enter commands to shut down systems. Other observed behaviour included changing file names and opening adult websites in the browser before leaving the system.

Industrial control systems (ICS) are the devices, systems, networks and controls used to operate and automate industrial processes. An experiment was conducted to track the frequency and types of attacks via a honeypot that mimicked real ICS and supervisory control and data acquisition (SCADA) devices. (Daniel, 2013) explained that the researchers detected the first attack attempts within 18 hours of building the honeypot. It attracted 39 attacks from 11 countries. The researchers also found that the hackers tried to modify the protocols themselves, and used malware with password-stealing capabilities and features that permit backdoor access to exploit servers.

(Osborne, 2018) stated that industrial attacks are on the rise, and researchers from Cybereason revealed their results after establishing a honeypot masquerading as a power transmission substation of a major electric provider. The researchers observed that attackers immediately tried to gain access to the operational technology (OT) from the IT environment, which acts as the facility's backbone. Moreover, the assets were immediately prepared for sale in the underbelly of the internet, the Dark Web, where they were purchased and sold on to another unwitting criminal entity. The attackers also disabled the security tools on one of the honeypot servers, moved to Active Directory and sought out technical data files. The investigation also found that the attackers attempted remote code execution to compromise the system, and lastly performed a multipoint scan of the network and leaped from the remote server to the domain controller and other systems to find an entry point. The researchers concluded that a unified security operations center (SOC) which can monitor both IT and ICS environments may help reduce the risk of compromise in the industrial sector.


Project Honeytrain


(Paul, 2017) describes how the British computer security company Sophos, in cooperation with Koramis of Germany, created Project Honeytrain to determine how attacks on railway infrastructure are performed and how widespread the hacking community is. Honeytrain was a virtual rail infrastructure with real hardware, including computer systems and communication protocols. A fictitious customized website with general information, timetables, ticketing and information about train disruption was also created. Each control system was assigned a public IP address. The integration of video streams from stations and drivers’ cabs completed the holistic image of a realistic control system. Throughout the project, network traffic as well as system events were recorded. The infrastructure of the Honeytrain project was in operation for six weeks, and in total 2,745,267 attacks were identified. At least one attempted attack was detected from almost every country in the world; China (41%) held the top position. The analysis of attempted attacks revealed that the majority were automated dictionary attacks, in which the hacker tries to identify an unknown password using a dictionary list. In one of the attacks, two PINGs were executed on the command line and the execution program was opened. It was found that the security configuration of industrial components was read out via a central tool and the settings were exported. As a result, the hackers were able to activate the front lights of one fictitious train. The sequence of the attacks shows that the attacker had a deep knowledge of the industrial control system. Another attack targeted the media server and aimed to change the website content using dictionary attacks.

After analyzing all the attacks, a rail crossing cyber-security strategy was established to ensure that the rail industry is prepared for cyber threats and ready for the new legislation being introduced on cyber-security for critical infrastructure.

Honeypots are not a panacea

Despite the advantages of honeypots, there are also drawbacks. An attacker can inject fake information into a honeypot, leading the security community to make incorrect judgments and conclusions about the attacker. Once a honeypot is hijacked, it can be used to attack, infiltrate and harm other systems or organizations, for which the organization running it could be held liable.


Overall, honeypots allow for greater surveillance and monitoring of malicious insider activity where attacks may simply be denied by the firewall or IDS. Their use as an effective countermeasure to external attack is a well-proven concept. Future research in this area needs to look at practical implementations and deployment of internal honeypots within contemporary organizational settings.
