Active Defense And Honeypots For Small Business

A honeypot is the classic tool of active defense and can be used very effectively by small businesses to improve their security posture.
Fig 1: A honeypot says to an attacker: ‘c’mon, don’t you just want a taste?’

The term ‘active defense’ describes using limited ‘offensive’ cybersecurity tactics in order to make things much more difficult for attackers. This doesn’t mean ‘attacking the attacker’; hacking back is illegal in most jurisdictions.

Instead, active defense means engaging in deceptive activities in order to confuse, slow down, trip up, and make an attacker give up as they attempt to attack your network.

Active defense also has a component that is even more valuable to small businesses: it generates specific, high-confidence alerts that can be used to automatically trigger a series of defensive measures to protect your network, assets, and data.

Perhaps more importantly, active defense is free or extremely low cost. This means that active defense can provide an extremely high value proposition because the cost of implementation is low, but the potential benefits are very high.

In order to understand how active defensive tactics work, let’s look at the most common example: the classic honeypot.

What Is A Honeypot?

A traditional honeypot is a fake, or dummy, computer that is set up to trick attackers into interacting with it.

Like the real computers at your organization, a honeypot sits on the network. Unlike a real computer, it doesn’t have a business function. But to anyone poking around the network, whether an administrator or an attacker, it looks like a real computer.

As with real computers, it can be interacted with in a lot of ways: it responds to ping and has some services running. It’s important that it is set up to look as real as possible. In fact, we want the honeypot to be both as real-looking and as enticing as possible to an attacker, without it being obvious that it is, in fact, a honeypot.

How a Honeypot Works

Unlike a regular computer, our honeypot isn’t used by employees, and it isn’t hosting any services that others on the network depend on. So if anyone does interact with it, we know that’s weird. No one should be trying to connect to it.

The only people who should be interacting with it at all are IT administrators, and even then only from known admin hosts so that their traffic can be excluded from alerting. If someone else is interacting with it, we know that they are probably up to no good.

But attackers will probably interact with it. We actually want them to, which is why we need to make it interesting to them. The more they interact with the honeypot, the better. It gives us information about them, slows them down, and gives them false information.

One of the first things attackers do when they get onto a network is enumerate all of the computers and devices on it. This is called host discovery. During host discovery, they will quickly find the honeypot along with the other ‘real’ computers. So we set up alerts so that anyone performing host discovery against our honeypot notifies us of their presence. They won’t know what’s happening, but on the backend we will be able to see that someone is snooping around the network.

Unlike most alerts generated by normal activities, these alerts are special because they are coming from the honeypot. We can easily set rules in our firewall, SIEM, or XDR solution to detect and respond based on these alerts specifically. In other words, while most alerts are like a needle in a haystack, this alert is like a whole cow in a haystack. It’s pretty hard to miss.

Any time they discover a computer, attackers will try to determine what services are running on it by scanning its TCP and UDP ports. This is called port scanning, and against a honeypot it generates a lot of alerts. Depending on the services we’ve set up, the attackers will start to interact with the target in other ways. For example, if we’ve set up a fake SMB file share, the attackers may try to enumerate the share, see if they can get anonymous access, check for misconfigurations, and even try to brute-force their way in.
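
The following is an added example for this article, not code from any honeypot project, of what the alerting logic behind the last few paragraphs looks like. It assumes a hypothetical firewall log format (one line per connection, "timestamp src -> dst:port proto", with ICMP logged as port 0), a honeypot at 10.0.5.50, and an allowlist of two admin hosts that are permitted to touch it. Any other contact with the honeypot alerts; a burst of distinct ports from one source is escalated as a port scan, and the alerts are turned into nftables block commands (assuming a timeout-capable set named honeypot_block already exists). The sample log lines are constructed.

```python
"""Honeypot traffic triage: connection-log lines -> alerts -> block rules."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

HONEYPOT_IP = "10.0.5.50"                  # assumed honeypot address
ALLOWLIST = {"10.0.1.10", "10.0.1.11"}      # assumed admin jump host and vuln scanner
SCAN_PORTS = 5                              # this many distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)         # ... inside this window counts as a scan

# Assumed firewall log format; ICMP is logged with port 0 in this format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp|icmp)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "proto": m["proto"],
    }


def honeypot_alerts(lines):
    """Return one alert per source that touched the honeypot.

    Allowlisted admin hosts are ignored. Any other contact is an alert by
    itself (nobody should be there); SCAN_PORTS distinct ports inside
    SCAN_WINDOW from the same source is escalated to a port scan.
    """
    touches = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != HONEYPOT_IP or rec["src"] in ALLOWLIST:
            continue
        touches[rec["src"]].append(rec)

    alerts = []
    for src, recs in touches.items():
        recs.sort(key=lambda r: r["ts"])
        scan = False
        # Sliding window over the time-ordered records: distinct ports seen
        # within SCAN_WINDOW of each record.
        for i, r in enumerate(recs):
            window = {x["dport"] for x in recs[i:] if x["ts"] - r["ts"] <= SCAN_WINDOW}
            if len(window) >= SCAN_PORTS:
                scan = True
                break
        alerts.append({
            "src": src,
            "kind": "port_scan" if scan else "honeypot_contact",
            "severity": "critical" if scan else "high",
            "ports": sorted({r["dport"] for r in recs}),
            "first_seen": recs[0]["ts"].isoformat(),
        })
    return alerts


def block_commands(alerts, set_name="honeypot_block", timeout="1h"):
    """Turn alerts into nftables commands that add the source to a timed block set.

    Assumes the set was created with `flags timeout` and a drop rule references it.
    Allowlisted hosts are never emitted, so a bad alert cannot lock out our admins.
    """
    return [
        f"nft add element inet filter {set_name} {{ {a['src']} timeout {timeout} }}"
        for a in alerts if a["src"] not in ALLOWLIST
    ]


# Constructed sample log: an admin ping, traffic to a real host, one scanner,
# and one host that only touched the fake SMB share.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.1.10 -> 10.0.5.50:0 icmp
2024-03-01T09:00:03 10.0.2.23 -> 10.0.5.20:445 tcp
2024-03-01T09:01:00 10.0.2.77 -> 10.0.5.50:0 icmp
2024-03-01T09:01:01 10.0.2.77 -> 10.0.5.50:22 tcp
2024-03-01T09:01:01 10.0.2.77 -> 10.0.5.50:80 tcp
2024-03-01T09:01:02 10.0.2.77 -> 10.0.5.50:135 tcp
2024-03-01T09:01:02 10.0.2.77 -> 10.0.5.50:139 tcp
2024-03-01T09:01:03 10.0.2.77 -> 10.0.5.50:445 tcp
2024-03-01T09:01:04 10.0.2.77 -> 10.0.5.50:3389 tcp
2024-03-01T09:30:00 10.0.2.31 -> 10.0.5.50:445 tcp
""".splitlines()

if __name__ == "__main__":
    found = honeypot_alerts(SAMPLE_LOG)
    for alert in found:
        print(alert)
    for cmd in block_commands(found):
        print(cmd)
```

The allowlist check appears twice on purpose: once so admin traffic never becomes an alert, and again in block_commands so that even a hand-crafted alert cannot block an admin host. Run against the sample, 10.0.2.77 is reported as a port scan and 10.0.2.31 as a plain honeypot contact; the admin ping and the traffic to the real host are ignored.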

As mentioned, we want to make our honeypots attractive to attackers so that they will spend more time interacting with them, generating alerts and wasting their time.

Knowing which services an attacker is likely to probe, we can decide which interactions merely get logged, which page someone, and which trigger an automatic response, based on our organizational priorities.

Another great thing about honeypot generated alerts is that they will often be generated during the early stages of an attack. In our honeypot example, our attacker would likely be detected in the first phase of their attack.

Once an alert is triggered, we can investigate or take manual or automated action. For example, we can have the network firewall block the IP address from connecting to the network at all.

This kicks them off the network, but a skilled attacker can simply change their IP address and try again. A stronger response is to temporarily shut down all traffic to and from the internet, cutting the attacker off from their remote access while the internal network keeps running. Or, we can simply monitor the activity more closely.

Other Benefits of Honeypots

There are other benefits of honeypots that may not be obvious at first glance.

First, any time spent by the attacker in interacting with it is essentially wasted. We’re wasting their time, which is the most valuable resource they have.

Second, we’re feeding them faulty information. They think that a computer is on the network that really isn’t there. That computer may be hosting services which don’t really exist.

This also helps waste their time, and it makes the entire attack more frustrating because they don’t know what is real, yet they have to operate on the information they collect. So we are directly degrading their ability to carry out the attack by contaminating the information they operate on.

Honey Everything

Traditional honeypots aren’t the only tactic we can use. We can extend the idea of a honeypot – a fake computer – to lots of honey…things.

In the next section, we’ll look at things like honey ports, honey services, and honey users.

We can use the same principle behind the honeypot to create lots of enticing objects for attackers to interact with. In doing so, we can create a layered active defense against attackers at every stage of their attack.

Honey All the Things

In this lesson, we’ve learned that a traditional honeypot is essentially a fake computer designed to be interacted with by attackers. We also learned that there are a lot of benefits to using them:

  • Honeypots can detect an intruder very early in the attack process
  • They feed the attacker bad information
  • They waste the attacker’s time
  • They give us alerts and other helpful information we otherwise wouldn’t have had – we can learn about how the attacker works; how skilled they are, etc.
  • They can be set up for free or at very low cost

Classic honeypots aren’t the only tool in our arsenal. Virtually any device, service, or feature can be set up to function as a type of honeypot. If we’re careful, we can use them to thwart attackers at every stage of the attack process.

Let’s see some other honey tools we can leverage!

  • Honey user – A fake user on a computer or in the domain. Extremely easy and 100% free to set up! No one should be trying to log in as this fake user, so we’ll know something is up when an attacker does. Give it no real privileges and a long random password so it is only ever a tripwire, never a foothold.
  • Honey port – A port set up on a computer that doesn’t have a purpose other than to flag an attacker trying to enumerate (get information about / interact with) it. The HoneyPorts project (https://github.com/adhdproject/honeyports) is great.
  • Honey email address – A fake email address; can be used to help identify phishing attempts. Both M365 and Google Workspace make setting up a honey email address free and easy using aliases.
  • Honey web server – A seemingly normal web server that can be used to identify attackers. There are some great free, open source honey web servers that have advanced features to trick attackers even more.
  • Honey file – You can set up a file that will trigger defensive protocols when accessed. This is great to use on a critical system like a database or file server. These can be set up, for example, with a canarytoken (https://www.canarytokens.org/) to automatically give us details about the attacker and their computer system.
  • Honey SSH – An SSH honeypot like Cowrie (https://github.com/adhdproject/cowrie) lets the attacker interact with an emulated shell that is convincing enough to keep them typing. This allows us to see the commands and tactics used by the attacker!
  • Honey share – SMB shares are extremely common in Windows environments and attackers will attempt to interact with them in a variety of ways. Chances are, you already have a computer running SMB that you can add a honey share to.
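
As an added example for the honey user, honey share and honey file items above (not code from any of the projects linked), here is a detector that runs over Windows Security events. It assumes the events arrive already parsed, for example from a SIEM or from Get-WinEvent output converted to JSON, as dicts carrying the event ID and the standard field names for that event (TargetUserName for logon and Kerberos events 4624/4625/4768/4771, ShareName for 5140, ObjectName for 4663). The honey account, share and file names are hypothetical, and the sample events are constructed. Note that 4663 only fires for a file that has an audit SACL and object-access auditing enabled, and that 5140 records shares as \\*\Name.

```python
"""Honey user / share / file detection over parsed Windows Security events."""
from collections import Counter

# Hypothetical honey objects: nothing legitimate ever uses these names.
HONEY_USERS = {"svc_backup_admin", "helpdesk_admin"}
HONEY_SHARES = {r"\\*\Finance_Archive"}           # 5140 logs shares as \\*\Name
HONEY_FILES = {r"C:\Finance\payroll_master.xlsx"}  # 4663 needs an audit SACL on the file

# Security event ID -> (field that names the object, honey names, alert kind).
RULES = {
    4624: ("TargetUserName", HONEY_USERS, "honey_user_logon"),
    4625: ("TargetUserName", HONEY_USERS, "honey_user_logon_failed"),
    4768: ("TargetUserName", HONEY_USERS, "honey_user_kerberos_tgt"),
    4771: ("TargetUserName", HONEY_USERS, "honey_user_kerberos_preauth_failed"),
    5140: ("ShareName", HONEY_SHARES, "honey_share_access"),
    4663: ("ObjectName", HONEY_FILES, "honey_file_access"),
}


def normalize_ip(ip):
    """Kerberos events report IPv4 clients as ::ffff:a.b.c.d; fold that to a.b.c.d."""
    if not ip:
        return "-"
    return ip[7:] if ip.startswith("::ffff:") else ip


def match_event(ev):
    """Return an alert dict if the event touches a honey object, else None."""
    rule = RULES.get(ev.get("EventID"))
    if rule is None:
        return None
    field, names, kind = rule
    value = str(ev.get(field, ""))
    # Account, share and file names are case-insensitive on Windows.
    if value.lower() not in {n.lower() for n in names}:
        return None
    return {
        "kind": kind,
        "object": value,
        "source_ip": normalize_ip(ev.get("IpAddress")),
        "workstation": ev.get("WorkstationName", "-"),
        "subject": ev.get("SubjectUserName", "-"),   # who was logged on (5140/4663)
        "time": ev.get("TimeCreated", "-"),
    }


def detect(events):
    """Run every event through the honey-object rules, keeping the hits in order."""
    return [a for a in (match_event(e) for e in events) if a]


def summarize(alerts):
    """Count alerts per source IP so one spraying host shows up as one incident."""
    return dict(Counter(a["source_ip"] for a in alerts))


# Constructed sample: a normal logon, a failed logon and a Kerberos pre-auth
# failure against the honey account, a honey share access, a normal share
# access, and a read of the honey file.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:55:10", "TargetUserName": "jsmith",
     "IpAddress": "10.0.2.23", "WorkstationName": "WS-023", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:02:11", "TargetUserName": "svc_backup_admin",
     "IpAddress": "10.0.2.77", "WorkstationName": "KALI", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4771, "TimeCreated": "2024-03-01T09:02:12", "TargetUserName": "SVC_BACKUP_ADMIN",
     "IpAddress": "::ffff:10.0.2.77"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T09:05:40", "SubjectUserName": "jsmith",
     "ShareName": r"\\*\Finance_Archive", "IpAddress": "10.0.2.77"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T09:05:41", "SubjectUserName": "jsmith",
     "ShareName": r"\\*\Public", "IpAddress": "10.0.2.23"},
    {"EventID": 4663, "TimeCreated": "2024-03-01T09:06:02", "SubjectUserName": "jsmith",
     "ObjectName": r"C:\Finance\payroll_master.xlsx", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

Against the sample, four of the six events are honey hits, and three of them collapse to the single source 10.0.2.77 once the Kerberos ::ffff: prefix is normalized, which is the picture you want: one intruder, touching the honey account, the honey share and the honey file in sequence, from an account (jsmith) that may itself be compromised.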

Since honeypots (and other honey-things) are so cheap and easy to use, we believe that they can be particularly useful to small businesses as a way to dramatically improve security.