A Month in the Life of a HoneyPoint Deployment

Hello. I am a HoneyPoint deployment. My administrator has deployed me on a small business network of a financial institution. I have around 25 HoneyPoints deployed throughout their network, all reporting back to my console. It has been an interesting first 30 days of my life, indeed.

It all started when I was initially deployed. The admin started my listeners on a small group of servers and a couple of virtual workstations. Almost immediately, there was trouble! In my first few hours, I picked up scans of my web server pseudo-service HoneyPoints. I was getting continually bombarded by four workstations from the sales group that were probing my pseudo-web services for a whole bunch of PHP files! I alerted the admin, and she found that those four laptops had been infected with an evil botnet that was systematically scanning our networks for vulnerable PHP applications that the human controllers would later exploit. Good thing I came online when I did, because those four sales folks had just returned from a conference in Las Vegas, and it looks like their systems should have been running my younger cousin HoneyPoint:Network Trust Agent, because they had really been compromised. Ah well, what happens in Vegas stays in Vegas, I always heard. I guess not this time.

All went well for a couple of weeks, but then I had to alert the admin again. This time I had some joker consultant who was poking at my SMTP HoneyPoints. From the looks of it, that guy was trying to send email to the Internet and was looking for an open mail relay inside our network that would let him get through our firewall. The admin had a stern conversation with him and he behaved from then on.

Then, things got really exciting! Yesterday, a new event came into my proxy from our DMZ segment. My admin had stealthily added some HoneyPoints into the DMZ that listened for SQL database traffic on the appropriate ports. Sure enough, I suddenly caught wind of some odd packets that were hitting my listeners out there. Nothing sets me off like SQL traffic to systems that are not running SQL. I hated to have to bother the admin again, but she told me afterward that her old IDS used to send her thousands of alerts a day (and many of those were false positives!!!) – so I didn’t feel so bad after all when I sent an email to her cell phone with the news.

She came running and through some quick analysis found that an attacker had compromised one of the web-applications in the DMZ and had gained control of the web server! Of course, not knowing that I was on guard, they began to use SQL tools to search for database servers that might hold valuable data – like human credit card numbers or something called Social Security Numbers. Either way, their plan was foiled and my admin took the web server offline and rebuilt it – this time with the missing patch for the web-application hole.

So, that’s my story so far. Not too bad for my first 30 days, huh? Who would have thought that I would have such an interesting story to tell? I always feared I might not see much action, but it looks like I have found my home. I have a good admin, a cool server rack and enough security work to keep me busy. Heck, since I don’t have any signatures to update and don’t require my admin to do more than “deploy and forget” about me, I wonder what she will do with all of her newfound time? Maybe she will take up a new hobby, or get to learn about something called vacation. No matter, I will be here, ever vigilant, just waiting for the next security issue to arise. Yes, sir, who could ask for more?

This entry was posted in HoneyPoint by Brent Huston.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!
