Hackers have become more clandestine and their malware more inventive, so organisations can no longer safely rely on defensive systems alone. They must take more proactive and cunning measures to detect malware before it wreaks havoc in critical business systems. One option is to set traps – and that’s precisely what honeypots are.

Malware today can be incredibly devious. Sometimes it is designed to progress cautiously, performing random and staggered activities over a period of months. By moving slowly in this way, the malware can often evade defensive systems, which do not join up the individual activities and identify them as malicious. To make matters worse, many viruses now utilise polymorphism, the ability to change with each new infection. This makes it very hard for anti-virus manufacturers to keep up and prevent malicious software from installing on unsuspecting endpoints.

A honeypot is a technique that helps organisations to defend themselves against this kind of sophisticated malware. Deliberately designed to entrap hackers and malware, honeypots run services and hold accounts that can be infiltrated. They are closely monitored electronic systems, from PCs to industrial controllers, that are built to be probed, attacked or compromised. Honeypots can be placed on the Internet by companies carrying out research and development, or they may be used inside a network by organisations who want early visibility that the corporate network might be compromised. A honeypot is so attractive to attack that it is likely to be the first system to be ‘owned’ by any malicious activity. In a way, it is like a canary lowered into a mine to detect gas: the bird succumbs before a human would, so it gives early warning.
Honeypots can be divided into three categories, though definitions do tend to vary:

• Pure honeypots
• High-interaction honeypots
• Low-interaction honeypots

Pure honeypots are complete copies of production systems, but the data they hold or their connections are fake, ensuring any changes made by the attacker are harmless. They are surreptitiously monitored using a tap on the network or perhaps a keylogger in the operating system. The honeypot usually requires two systems: the one under attack and another to take in the logs generated by the system under attack. The aim is to make the monitoring as invisible as possible to a skilled attacker, allowing greater analysis of the attack.

High-interaction honeypots imitate the activities of the production systems but are closely monitored to investigate the activities of the attack. So they might run an instance of a system in a virtual environment. The system may host a variety of services, causing the attacker to waste time investigating these services and allowing the organisation time to defend against the attack. By employing virtual machines, multiple honeypots can be hosted on a single physical machine and, if a honeypot is compromised, it can be restored easily. High-interaction honeypots are more easily identified by attackers than pure honeypots, but are easier to set up and manage, though they still require a good deal of work to maintain and monitor.

Low-interaction honeypots allow much more limited interaction with the hacker. As such, they can be detected by an attacker much more easily but, in production environments, they still provide early warning of infection by malware or malicious behaviour by users, because no legitimate activity should ever touch them. The aim is to simulate services normally requested by attackers. The services presented are usually emulated and as a result cannot be infected by the exploit being attempted. These honeypots are lightweight in terms of processing requirements, which means multiple virtual machines can easily be hosted on one physical system. This eases maintenance, reduces the burden of monitoring and still provides useful information to an organisation.

It should be mentioned that pure and high-interaction honeypots have to be monitored closely, as they can be used to launch attacks if compromised, propagating themselves to other genuine systems with undesirable results. The other problem with honeypots is that they can be difficult to set up, maintain and monitor, so they are often not used as much as they might be.

Customers of Redscan, however, can benefit from honeypots – without the burden of maintenance and monitoring. Redscan deploys honeypots for its customers on their network as part of its advanced malware protection suite, ThreatDetect. As a result, customers benefit from honeypots that are constantly being upgraded and enhanced to make them ever more attractive to malware and hackers; they are monitored to ensure that they are not abused; and the alarm is raised in the event of potential attacks. By combining results of the honeypots with the logs gathered from legitimate systems, regular vulnerability scans, intrusion detection results and other views of organisational data – Redscan can identify malicious behaviour that traditional defences like anti-virus software are now missing.

In addition, Redscan has a network of honeypots around the world for research purposes. Each one that is brought up finds itself under some sort of attack within ten to twenty minutes. The advantage to us is that these devices see new attack vectors early on in the attack’s deployment. The aim is to capture a sample of the new malware by letting it infect the honeypot, or by letting the hacker actually break into the system to see what they do and how they do it.
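To make the low-interaction design concrete, here is a minimal emulated-service honeypot written for this article (it is an added example, not Redscan's ThreatDetect code). The service names, banners, ports and the monitoring host address are constructed; the listener sends only static responses, so the probe payload is recorded but never interpreted, and any contact from a host other than the monitoring server is flagged as an alert because nothing legitimate should ever connect.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Emulated services keyed by listening port: (name, greeting banner, canned reply).
# Constructed for this example; replies are static, so no real service logic is exposed.
EMULATED = {
    2121: ("ftp", b"220 FTP service ready\r\n", b"530 Login incorrect\r\n"),
    2323: ("telnet", b"login: ", b"Login incorrect\r\n"),
}

# Hosts allowed to touch the honeypot without raising an alarm, e.g. the
# monitoring server's availability check (constructed address).
MONITOR_HOSTS = {"10.0.0.5"}

def handle_probe(port, src_ip, payload):
    """Return the canned reply plus the event record to log and alert on."""
    name, _banner, reply = EMULATED[port]
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "service": name,
        "port": port,
        "src": src_ip,
        "bytes": len(payload),
        # Keep only the first line, decoded with replacement: enough for triage, safe to log.
        "first_line": payload.split(b"\n", 1)[0].decode("ascii", "replace").strip(),
        # A honeypot has no legitimate users, so any other source is an alert.
        "alert": src_ip not in MONITOR_HOSTS,
    }
    return reply, event

def serve(port, sink, bind="127.0.0.1"):
    """Greet each connection, read one probe, answer statically, pass the event to sink()."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, (ip, _) = srv.accept()
        with conn:
            conn.settimeout(2)
            conn.sendall(EMULATED[port][1])
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""  # scanners that only grab the banner still produce an event
            reply, event = handle_probe(port, ip, data)
            conn.sendall(reply)
            sink(event)

if __name__ == "__main__":
    for p in EMULATED:  # one thread per emulated service; events go out as JSON lines
        threading.Thread(target=serve, args=(p, lambda e: print(json.dumps(e))), daemon=True).start()
    threading.Event().wait()
```

In a deployment the `sink` would forward events to the log collector rather than print them, which is also where the correlation with other data sources described above would take place.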
Honeypots are therefore a valuable technique, helping Redscan to protect its customers from attack.
7 December 2014