Reverse Deception: Organized Cyber Threat Counter-Exploitation (74 page)

Patch levels
If a honeypot’s patch level is too old, your honeynet will be filled with an increased level of junk data, such as older worms, botnets, and less skilled attackers. If your patch levels are up to date, you may miss a recent or ongoing attacker who might have already infected other owned networked systems and is attempting to infect your honeynet. Best practices recommend that honeypot patch levels remain generally 30 to 45 days behind the rest of the production network. This will increase the probability of capturing a robust data set.

Data Analysis

Honeynet analysis is typically a three-part approach made up of network, host, and binary analysis. In this section, we will discuss various methods that can be employed to analyze captured honeynet data.

The only difference between analyzing production systems and honeynets is the point of view of the analyst. When analyzing production networks, it is important to identify the proverbial needle in a haystack to identify the malicious or unauthorized activity. When analyzing honeynet data, it is critical that the analyst understands every network flow is a needle and must be properly categorized. The analyst must scrutinize all of the seemingly innocuous activity, as this activity can be the most rewarding in regard to identifying attackers within your network. An analyst can perform real-time or post-mortem analysis. However, the true values of honeynets are their ability to provide real-time intelligence of current threats when they cross the path of the honeynet (the honeywall) during an intrusion attempt or active exploitation.

Honeynet Layers
   The layers or types of captured data come in three forms: network, host-based, and the data collected by your network devices between the network boundary and the honeynet. Each of the honeynet components has layers that can be analyzed to identify the full extent of attacker activity within your network. The external honeynet (production) has the following layers:

Router logs
These can be logs from any router in the path of the attacker into the honeynet, or other parts of the network, that could be affected by the attacker.

Firewall logs
These can be logs from production network- or host-based firewalls that may have been touched by the attacker.

Server/workstation logs
These are brought into use after the analysis of the honeypot has been performed and the analyst has identified a specific injection vector, methods, or means of an attack, and needs to validate this information against production assets in an attempt to identify if the attack has spread into the production network.

IDS/IPS logs
These logs can validate any possible flows but are typically unreliable if the traffic has made it into the honeynet. An analyst will generally find traditional honeynets completely useless beyond analyzing IP-to-IP communications.

Antivirus logs
These logs can help identify if previous malware alerts were due to current or ongoing attacker activities.

The network (honeynet) has the following layers:

Time/date stamps
This layer provides a period or time frame for the analyst to review the events of the attacker.

Argus flow data
This layer provides the analyst with common network flow information regarding IP-to-IP communications between attackers and honeypots.

Snort IDS
This layer provides information based on the attackers’ ability to manipulate their activities in order to bypass traditional IDS signatures.

Snort IPS
This layer will attempt to identify and prevent specific activity that moves across the honeywall.

Passive operating system fingerprinting (p0f)
This layer will attempt to identify which platform the attacker is leveraging to interact or attack your honeypots or production assets.