Creation of Proactive Defense Network

Initiative

Outside of the Box Thinking to Improve Defense

Beyond common and standard cyber defense practices it is sometimes needed to add significant extra depth with proactive defense. When our client was under repeated, consistent attack on their systems, we were commissioned to add an extra buffer layer of security via an advanced honeynet with deep and intricate honeypot targets, simulated networks, devices and documents.


To counter the growing sophistication of cyber threats, SEIRIM integrated honeypot systems running parallel and separate to, but 'nearby', the client's security architecture, so that attacks could be better absorbed, detected and analysed.

PROJECT AIMS

Objectives

Add Buffer to Main Networks

With the corporate networks under continual attack, and without other preventions proving effective enough, it was decided to add another angle of defense. One role of the honeynet was to absorb some volume of attacks.

Enable Easy Management of the Honeynet

Priority was placed on including an easy-to-monitor interface and a database of historical records of the honeynet's activity, without creating an IT maintenance burden for the client's overwhelmed team.

Honeynet Does Not Affect Broader System

The client was clear that they did not wish the honeynet and its components to interfere with other aspects of their network and systems. Not interfering with existing systems was as high a priority as anything else.

Connection of Honeynet Tracking Data to SIEM

Although deployed as a separate network, not connected to the active networks, its logs are synced and streamed to the client's SIEM for easy monitoring and comparison with activity in other segments.

AT THE HORIZON

Challenges

Strategic Placement

Deciding where to place honeypots within the network to maximize interaction with potential attackers while ensuring no overlap with critical assets.

Configuration and Management

Configuring honeypots to appear as legitimate network parts and managing them effectively to gather valuable data.

Technical Performance

The system needed to succeed as an effective honeynet and proactive defense against all attacker sophistication levels, including advanced ones that could detect its false nature.

Strategic

Solutions

Open Source Plus Custom Implementations

We used open source components wherever possible to save costs and make the implementation feasible. We customised almost all components to ensure their uniqueness and to avoid detection as a honeynet.

High Detail for Ideal Verisimilitude

We spent a lot of time with the client fabricating exceedingly realistic and plausible operating systems, server types, networks, files, users and more, to create a thoroughly believable honeynet environment.

Depth of Network and Systems

We wanted the system to be "sticky" and succeed in wasting the time, bandwidth and resources of the attacking parties to slow them down in a wide variety of ways.

High Detail Logging and Reporting

The system records all traffic, activities, intrusions (successful or otherwise) and interactions, providing the client and SEIRIM with data to improve both this system and their overall security posture.

Precision Impacts

The Results

  • Data collected from the honeypots helps understand attack trends and refine the existing threat models.
  • Honeypot data is integrated with the existing SIEM for enhanced situational awareness and response coordination.
  • A sample request captured by the SIEM, originating from a Russian IP, exploits the vulnerable SMB service.
  • Multiple honeypots sit on isolated but internet-facing segments of the network to ensure they are attractive targets for attackers.
  • A running Docker instance on port 8443 poses as a Cisco VPN login.
  • A Citrix honeypot login is exposed on port 443.
Multifaceted Approach

Strategies Implemented for the Honeynet Network for Proactive Defense

SEIRIM, a cybersecurity firm known for its penetration testing and security consulting services, has always been proactive in adopting innovative security solutions to safeguard its extensive digital infrastructure. Recognizing the growing sophistication of cyber threats, SEIRIM integrated a broad honeynet network of honeypot systems parallel to the client's security architecture to better detect, absorb and analyse attacks.

Assessment and Planning

We conducted a risk assessment to identify the most likely attack vectors and the best locations for honeypot deployment. We chose a diverse set of honeypot technologies to simulate various services and systems, ranging from SSH to HTTP servers, to attract different types of attackers.

Implementing the Honeypots

We deployed multiple honeypots on isolated but internet-facing segments of the network to ensure they were attractive targets for attackers while having no access to actual production data.

Multiple honeypots were used in the network:

  • Cowrie - A medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and capture entire session data.
  • Dionaea - A low-interaction honeypot focused on capturing malware, particularly those that propagate via vulnerabilities in network services.
  • Honeytrap - A hybrid honeypot that mimics multiple network services to attract various attack types.
  • Glutton - A network daemon designed to handle large volumes of connections, providing data on network scanners and volumetric attacks.
  • Elasticpot - Specifically simulates an Elasticsearch instance, targeting attackers exploiting Elasticsearch vulnerabilities.
  • Rdpy - A honeypot that simulates Remote Desktop Protocol (RDP) services, capturing attempts to exploit Windows systems.

ELK Stack as the core of our honeypot data analysis

  • Elasticsearch - Handles the storage of logs and attack data, providing scalable and fast search capabilities.
  • Logstash - Responsible for collecting, parsing, and filtering logs from the various honeypots, ensuring data is standardised and ready for analysis.
  • Kibana - Provides a visual interface for exploring and analysing the data collected by the honeypots. Custom dashboards were created to track specific metrics like attack trends, IP addresses, and payloads.

Suricata Implementation

Suricata is an IDS/IPS engine used to analyse network traffic in real-time, providing an additional layer of detection and alerting based on predefined rulesets.

Customised Docker Images

We customised Docker images for each honeypot, optimising them for our specific environment. This involved tweaking configurations to increase performance, add additional logging capabilities, and integrate seamlessly with our monitoring tools. By doing so, we enhanced the honeypots' ability to capture detailed attack data while minimising resource consumption.

Enhanced Data Correlation and Analysis

We integrated the ELK Stack with Suricata logs, enabling a multi-layered analysis approach. This allowed us to correlate network traffic with honeypot events, providing a richer context for understanding attacks. The correlation between honeypot activity and network traffic logs uncovered more sophisticated attack patterns, offering deeper insights into the attackers' methods and tools.

Real-Time Monitoring and Alerting

By using Suricata and the ELK stack, we built a real-time monitoring and alerting system. This system didn't just monitor honeypot health; it actively tracked attack trends and system performance, triggering alerts for unusual activity. This proactive monitoring allowed us to respond quickly to new types of attacks or system issues, ensuring the honeynet remained effective even under heavy load.
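The correlation described under "Enhanced Data Correlation and Analysis" and the alert prioritisation described above, as an added illustration that is not SEIRIM's own tooling: it joins Cowrie JSON events with Suricata EVE alerts from the same source IP inside a time window, and tags a successful honeypot login that coincides with an IDS alert as critical. The log lines, IPs and signature names are constructed samples, not captured data; the field names follow Cowrie's JSON log and Suricata's EVE JSON formats.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real captures). Documentation-range IPs.
COWRIE_LOG = """
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.45","username":"root","timestamp":"2024-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.45","username":"root","timestamp":"2024-05-01T10:00:09.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2024-05-01T11:30:00.000000Z"}
"""
SURICATA_EVE = """
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.45","dest_port":22,"alert":{"signature":"SAMPLE SSH brute-force pattern","severity":2}}
{"timestamp":"2024-05-01T12:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.9","dest_port":445,"alert":{"signature":"SAMPLE SMB exploit attempt","severity":1}}
{"timestamp":"2024-05-01T11:29:50.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_port":22}
"""


def parse_ts(s):
    """Normalise Cowrie ('...Z') and Suricata ('...+0000') timestamps to aware datetimes."""
    s = s.replace("Z", "+00:00")
    if len(s) > 5 and s[-5] in "+-" and s[-3] != ":":
        s = s[:-2] + ":" + s[-2:]  # +0000 -> +00:00 for fromisoformat
    return datetime.fromisoformat(s)


def correlate(cowrie_lines, eve_lines, window=timedelta(minutes=5)):
    """One record per honeypot event that has a Suricata alert from the same
    source IP within `window`. A successful honeypot login is 'critical';
    any other correlated event is 'suspicious'. Non-alert EVE records are ignored."""
    alerts = {}
    for line in eve_lines.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.setdefault(ev["src_ip"], []).append(
            (parse_ts(ev["timestamp"]), ev["alert"]["signature"]))
    hits = []
    for line in cowrie_lines.strip().splitlines():
        ev = json.loads(line)
        ts = parse_ts(ev["timestamp"])
        for alert_ts, signature in alerts.get(ev["src_ip"], []):
            if abs(ts - alert_ts) <= window:
                hits.append({
                    "src_ip": ev["src_ip"],
                    "honeypot_event": ev["eventid"],
                    "ids_signature": signature,
                    "priority": "critical" if ev["eventid"] == "cowrie.login.success" else "suspicious",
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(COWRIE_LOG, SURICATA_EVE):
        print(json.dumps(hit))
```

In a live deployment the two inputs would be the Logstash-normalised indices in Elasticsearch rather than raw files, and the `priority` field is what a Kibana watcher or SIEM rule would key on.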

Continuous Improvement Loop

Our approach to maintaining the honeynet involves a continuous improvement loop. We regularly review logs, attack data, and system performance to identify areas for enhancement. For example, based on attack trends, we added new honeypots to target specific vulnerabilities being actively exploited. We also fine-tune IDS/IPS rules in Suricata to improve detection accuracy. By constantly iterating on our setup, we ensured that the honeynet stayed ahead of evolving threats.