Conduct Counter Surveillance on the Hackers
The Hacker Sees an Unsecured Mail Server and Moves Right In. While He Is Browsing Fake Employee Mail Accounts and Uploading His Tools, He Has No Idea That His Hacking Tools and Methods Are Being Collected, Analyzed and Databased to Prevent Those Tools Being Used On Your Networks or Against Your Networks in Future Attacks.
What is a Honeypot?
A honeypot is a computer resource whose only purpose is to get exploited. It is a trap, but for computer criminals. An attacked and properly investigated honeypot can provide valuable information about both the attack and the attacker. Although honeypots serve a specialized role on the network, they are disguised as a normal network resource. This makes them a more attractive target, because the attacker sees them as a valuable asset to take advantage of and not as a cleverly disguised and controlled trap.
Although honeypots are a generalized concept, we typically encounter only a handful of particular applications, and it is further useful to divide them into two distinct classes.
Low Interaction Honey Pots
Low interaction honeypots are defined as such due to the limited interaction an attacker or malware is allowed. All services of a low interaction honeypot are emulated. This means that low interaction honeypots are not themselves vulnerable and will not become infected by the exploit attempted against the emulated vulnerability. These emulated services masquerade as vulnerable software or entire systems, faking the entire network dialog as the attack progresses. Most often, this process is used to collect malware, in which case the end goal is simply to collect a downloaded malware sample. A low interaction honeypot can also be used to log and report activities, as any connections are suspicious and most probably attacks.
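The emulated-service idea described above, sketched as an added example (not Digital DNA's code): a fake SMTP service that answers with canned replies, never stores or relays mail, and logs every line it receives. The hostname, the loopback address, port 2525 and the function names `reply` and `emulate` are assumptions made for this illustration.

```python
import json, socketserver, time

HOST = "mail.example.test"  # constructed hostname (assumption)

def reply(line, state):
    """Canned SMTP reply for one client line; nothing is executed, stored or relayed."""
    text = line.strip()
    if state.get("in_data"):            # inside a message body
        if text == ".":
            state["in_data"] = False
            return "250 OK queued"      # claim acceptance, deliver nothing
        return None                     # body lines get no reply
    verb = text.split(" ", 1)[0].upper()
    if verb in ("HELO", "EHLO"):
        return "250 " + HOST
    if verb in ("MAIL", "RCPT", "RSET", "NOOP"):
        return "250 OK"
    if verb == "DATA":
        state["in_data"] = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 Bye"
    return "502 Command not implemented"

def emulate(peer, lines, send=lambda s: None):
    """Drive one session; return a log record of every line received and reply sent."""
    state, events = {}, []
    for raw in lines:
        line = raw.rstrip("\r\n")[:512]  # cap stored line length
        resp = reply(line, state)
        events.append({"in": line, "out": resp})
        if resp is not None:
            send(resp)
        if resp == "221 Bye":
            break
    return {"ts": time.time(), "peer": peer, "events": events}

class Handler(socketserver.StreamRequestHandler):
    timeout = 30  # drop idle connections

    def handle(self):
        def out(s):
            self.wfile.write((s + "\r\n").encode())
        peer = self.client_address[0]
        try:
            out("220 " + HOST + " ESMTP")
            lines = (b.decode("latin-1") for b in self.rfile)
            print(json.dumps(emulate(peer, lines, out)))
        except OSError:  # timeout or reset: still record that the peer connected
            print(json.dumps({"ts": time.time(), "peer": peer, "error": "timeout/reset"}))

if __name__ == "__main__":
    # Loopback and port 2525 are assumptions for a local trial.
    socketserver.ThreadingTCPServer(("127.0.0.1", 2525), Handler).serve_forever()
```

Because no legitimate client has a reason to talk to this listener, every JSON record it prints is a candidate alert.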
High Interaction Honey Pots
High interaction honeypots make use of the actual vulnerable service or software, closely monitoring the system as it is actually exploited by attackers. This has an advantage over low interaction honeypots in that it is possible to get a far more detailed picture of exactly how an attack progresses or how a particular malware sample behaves in the wild. Additionally, as emulated services are not used (which would require pre-knowledge of the vulnerabilities to be exploited), a high interaction honeypot has the possibility of discovering previously unknown exploits. By their very nature, however, high interaction honeypots will likely become infected themselves, requiring the highest attention by operators to prevent the disastrous consequences of further propagation to remote or even local systems. It is for these reasons that the strictest safeguards must be built around the honeypot with regard to network security policies.
Most of the honeypots Digital DNA develops, builds and utilizes in the botnet hunting mission are malware collectors. These are honeypots specialized for the task of accepting exploit attempts from attackers and extracting transferred malware binaries from the transaction. These honeypots can be low or high interaction; however, most are low interaction, since the goal is to collect malware samples only for the purpose of blocking these tools from operating within your networks and blocking them from entering or re-entering your networks.