A honeytrap on your network can exploit hackers' desire for an easy win and enable you to catch them red-handed.
We all know what honeypots are, but, in my experience, most assume they are placed on the internet as a lure for script-kiddie hackers. They're frequently used for research purposes, often by universities and interest groups, to gauge how much hacker activity is going on. Many of the surveys in the press about worms and the like are based on statistics gathered from honeypots.
So there's a commonly held opinion in the security space that honeypots are an interesting source of information, but don't really have much of a place in the security make-up of a corporate network. Others have a different view: they can be an excellent last line of defence if used differently.
I have always taken the attitude of 'what if' to security. What if your firewall is bypassed? What if your anti-virus software missed something? What if someone forgot to patch a critical box? What if one of your staff inadvertently introduced malware to your network? What if no one noticed the IDS alerts, assuming there were any?
How would you deal with the consequences; would you notice before it was too late – before your intellectual property was sold to a Far Eastern competitor, or your customer list ended up on the internet?
Here's a thought then, a really simple way to trip up even a highly skilled hacker. Why not stick the honeypot on your internal network?
Assuming some malware has given an attacker a foothold in your network, what's their next move? Maybe they got lucky and compromised an enterprise admin, but it's more likely that the account they've got access to belongs to someone with fewer access rights. So their next step is to escalate privilege on the network.
Maybe they've got a tasty zero day they could use on one of your Windows boxes, but why would they burn that if they don't have to? Why not save that for another attack, instead of running the risk of it entering the public domain and being patched? Why not look around a few common vulnerabilities instead?
So, they lightly scan your network, looking for easily exploited vulnerabilities. Something like MS08-067 – the Windows Server Service issue that Conficker took advantage of. It's got a decent exploit that's been around for a while and is ideal for escalating privileges through theft of domain password hashes. More recent options are MS12-004, and maybe MS11-050, though there are many others.
They find one of your domain controllers vulnerable. Score! The perfect box to exploit, and they'll be domain admin in moments, with access to everything on your network. Off goes the exploit, the listener is ready, waiting for the reverse shell to pop. Nothing happens, then they lose connection to their back door and can't get back into the network. Game over.
What happened? Simple: the vulnerable domain controller was a honeypot on your network.
The honeypot is set to alert you if anyone tries to exploit it and, if so, you can choose how to respond. Maybe you isolate a network segment or even lock down outbound internet access.
Or maybe take a different tack – set the honeypot to look like an SQL server. Fill it with some plausible fake data and allow an extended stored procedure such as xp_cmdshell to be accessed. As soon as it's hit, you know that someone is trying to pinch your data.
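The two decoys described above, the "vulnerable domain controller" and the fake SQL server, share one property: nothing legitimate should ever connect to them, so every inbound connection is an alert and there is nothing to tune. The following listener is an added example written for this article, not code from the author or from the HoneyNet project. It binds the decoy ports, reads a few bytes to label what protocol the client spoke first (SMB1/SMB2 on 445, a TDS PRELOGIN packet on 1433), records an alert, and calls any registered response hook; the port-to-profile table, the alert fields and the hook mechanism are assumptions for the example.

```python
"""Minimal internal honeypot listener (added example, not from the article).

It binds decoy ports, never implements the real service, and treats every
inbound connection as a high-confidence alert, because nothing legitimate
should ever talk to these ports on a decoy host.
"""
import datetime
import socket
import socketserver
import threading

# Decoy profiles: which port each fake service listens on. These values are
# assumptions for this example; adjust to whatever your decoy host advertises.
DECOY_PROFILES = {
    445: "fake-domain-controller (SMB)",
    1433: "fake-sql-server (TDS)",
}

ALERTS = []            # in-memory alert log; a real deployment forwards to a SIEM
RESPONSE_HOOKS = []    # callables invoked with each alert, e.g. to isolate a segment


def classify_probe(first_bytes: bytes) -> str:
    """Best-effort label for the protocol a client spoke first.

    Signatures: SMB1 is '\\xffSMB' and SMB2/3 '\\xfeSMB' after the 4-byte
    NetBIOS session header; a TDS PRELOGIN packet starts with type byte 0x12.
    Anything else is reported as 'unknown' rather than guessed at.
    """
    if len(first_bytes) >= 8 and first_bytes[4:8] == b"\xffSMB":
        return "smb1"
    if len(first_bytes) >= 8 and first_bytes[4:8] == b"\xfeSMB":
        return "smb2"
    if first_bytes[:1] == b"\x12":
        return "tds-prelogin"
    if not first_bytes:
        return "connect-only"
    return "unknown"


def make_alert(src_ip: str, src_port: int, dst_port: int, first_bytes: bytes) -> dict:
    """Build the alert record for one inbound connection to a decoy port."""
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "source": f"{src_ip}:{src_port}",
        "decoy": DECOY_PROFILES.get(dst_port, f"unprofiled port {dst_port}"),
        "dst_port": dst_port,
        "protocol": classify_probe(first_bytes),
        "severity": "high",   # any contact with a decoy is worth a human's time
    }


def record_alert(alert: dict) -> None:
    """Store the alert and run every registered response hook on it."""
    ALERTS.append(alert)
    for hook in RESPONSE_HOOKS:
        hook(alert)


class DecoyHandler(socketserver.BaseRequestHandler):
    """Read a few bytes, raise an alert, drop the connection."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(64)   # enough for a protocol fingerprint
        except socket.timeout:
            data = b""                     # bare connect, no payload sent
        src_ip, src_port = self.client_address[:2]
        record_alert(make_alert(src_ip, src_port, self.server.server_address[1], data))
        # Deliberately no reply: the decoy never has to emulate the real service.


def start_decoy(port: int, host: str = "0.0.0.0") -> socketserver.ThreadingTCPServer:
    """Bind one decoy port and serve it on a background thread."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Example response hook: here it only prints; a real one might call the
    # switch or firewall API to isolate the offending segment or cut egress.
    RESPONSE_HOOKS.append(lambda alert: print("ALERT", alert))
    servers = [start_decoy(port) for port in DECOY_PROFILES]
    print("decoy ports up:", sorted(DECOY_PROFILES))
    threading.Event().wait()   # run until killed
```

Run it as a privileged user on a dedicated decoy host (ports below 1024 need that, and on a Windows box the OS already owns 445, so the decoy should be its own machine or VM). Because the handler never speaks the real protocol, the SQL variant the article describes is just a second port in `DECOY_PROFILES`; the value of the alert comes from the connection itself, which is exactly why it needs no tuning.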
Of all the alerts that you get, the one I would be most interested in is that from the honeypot. Something is afoot in your network and it's going on right now: no false alarms, no reams of chaff to sift through, no tuning required – something or someone is on your network and doing something malicious.
The HoneyNet project (www.honeynet.org) is an excellent source of information about free versions and more, though there are enterprise-grade commercial offerings around.
When all else in your security arsenal fails you, take advantage of the hackers' desire for an easy win: trap them with a honeypot.