Category Archives: HoneyPoint

What is this HoneyPoint Thing Anyway?

Posted on by
6

Launched in 2006, initially as a distributed honey pot product, HoneyPoint Security Server (HPSS) has grown well beyond the initial concept. Today HPSS is a platform of components woven into a tightly integrated, fully capable, extremely flexible threat detection product. Organizations around the world are using it as a means of early detection of internal and external attackers, malware outbreaks and signs of users poking around where they shouldn’t be. Mature organizations have leveraged the product as a means of deterring attacks through automated black holing of scanning hosts on their perimeter, embedded detective controls inside their web applications to cut off users violating their terms of service and gather real world threat metrics to feed back into their mature risk management initiatives.

 

In the world of ICS/SCADA, HoneyPoint has found a quickly growing set of fans. HPSS can be deployed in a completely passive way that has no chance of interfering with critical operations, yet still brings incredible detection capability and vision into even the most sensitive of networks. ICS/SCADA environments have traditionally embraced the honeypot ideal, coining the term “canary” for these tools, but never before have they had such an easy to use, distributable, centrally monitored honeypot capability like HoneyPoint brings to the table.

 

Over the next few months, we will be deep diving into each of the HPSS components, but for now, as a high-level overview, here is a quick and dirty explanation of each of them:

 

  • HPSS Console – This is the central “brain” of the product. Designed as an easy to use GUI application, it receives the alerts detected by the sensor components and presents them to the user for analysis. It includes the “plugin” capability which allows for additional reporting and security automation based on the event data detected. The Console provides for “point and click” easy integration with SEIM products for clients who have deeper back-end data aggregation systems in place.
  • HoneyPoint Agent – This is the original HoneyPoint detection capability. Agent creates “fake services” on the network that have no real use other than detection. Since the services aren’t real, any interaction with them is “suspicious at best and malicious at worst”. Agent is capable of emulating a great variety of services and is completely user configurable. Agent runs on Windows, Linux and OS X. 
  • Wasp – Wasp is HoneyPoint’s hybrid client for Windows systems. It offers many of the port dilation features of Agent, but layers on top of that a whitelisting detection mechanism, file change detection for key files and some simple heuristics to identify the most common signs of intrusion. Tiny footprint, immense flexibility, self tuning whitelisting and no interference with operations make it an excellent choice for critical infrastructure use.
  • HoneyPoint Web – This is a completely emulated web environment with a mock up of applications that the organization uses. The entire environment is “fake” and studded with detection mechanisms that capture and measure attacker behavior, intent and capability. It might seem to be a new version of a banking application “accidentally” exposed to the Internet, or a replica of an HMI or maybe a login portal for Sharepoint/VPN or some other mechanism. What it really is is a detection mechanism for the good guys. Completely customized, able to detect the difference between a human attacker and most malware, it offers organizations a deeper, sneakier way to detect illicit behavior and measure the attacker attention various attack surfaces receive.
  • HoneyElements – Embeddable HTML and Javascript objects that can be added to new or existing real web applications, these HoneyPoints extend detection into the layers of the application itself. Integrates well with automated response and attacker black holing defenses to stop attackers and those engaging in undesired behaviors in real time.
  • HoneyBees – These work with Agent to simulate users authenticating to emulated services with plain text credentials. Organizations use this combination of tools to detect sniffing attacks and other attempts to harvest credentials off the wire or from network monitoring systems. 
  • HoneyPoint Trojans – Trojans are “fake” documents, applications or archives that appear to be real, but are actually detection mechanisms. For example, they might appear to be a PDF of some acquisition plans, while in reality they are armed with code to alert the security team when they have been opened or tampered with. Trojans use many of the same tactics as attackers, but instead of infection as a goal, they provide for detection and alerting.
  • HoneyPoint Handler – The Handler is a mechanism for getting external events into the HoneyPoint data ecosystem. Organizations often use the handler to receive events generated by custom nuance detection scripts. For example, a script might routinely check for new files in a directory or new files that contain the call base64decode(). When the script identifies a new file, the script can send an alert to the Handler, which will create a standard HoneyPoint alert from the script’s data and send it to the Console for easy and standardized security event management.
  • HoneyPoint Decoy Appliances – This is a set of hardened Linux powered devices that serve as an appliance for other components, usually Agent and Web. The appliances are available in three physical form factors (a rack mountable server, a mini-desktop, and a field deployable power substation solid state system) and/or a set of virtual appliances for most common virtualization platforms.
  • HoneyPoint Proxy – Lastly, this component is designed to act as an alerting data aggregator to simplify firewall ACLs that might be deployed between DMZ segments, enclaves or other network segments. The proxy can receive events from HoneyPoints and send them on to the Console without the need to expose the Console to each individual HoneyPoint. This makes managing global and highly distributed deployments significantly easier.

 

To learn more about these components and how they can be leveraged to give your organization new, flexible and deep detection capabilities, give us a call. Our engineers would be glad to discuss the technical capabilities and an account executive would be happy to work with you to create a HoneyPoint deployment that meets your needs AND your budget. At MicroSolved, we are passionate about information security and HoneyPoint Security Server is just another that way it shows!

HoneyPoint HoneyBees Help Catch Sniffers

Posted on by
3

GlobalDisplay Orig

HoneyPoint has a component called a HoneyBee that can help organizations detect sniffing on their networks. The tool works like this:

  • HoneyBees are configured to talk to HoneyPoint Agents with a set of known credentials for an Agent emulated service
  • HoneyPoint Agent knows where the HoneyBees will be connecting from and those hosts are added to the local ignore list for that Agent
  • HoneyBees randomly create emulated “conversations” with HoneyPoint Agent in plain text, transmitting their credentials across the network for sniffers to pick up
  • The attacker or sniffing malware grabs the credentials through their sniffed traffic
  • The attacker or malware attempts to use those same credentials to authenticate to the HoneyPoint Agent
  • HoneyPoint Agent flags the authentication attempt as tampered traffic and alerts the security team to take action

By properly configuring the setup, this approach makes for a very effective tool to catch sniffing malware and attackers. Backing the credentials up with other detection mechanisms, such as in web applications and on AD forests can extend the approach even further. Our team has helped organizations stand up these kinds of nuance detection schemes across a variety of platforms. 

Even though the approach seems quite simple, it has proven to be quite adept at catching a variety of attacks. Customers continue to tell us that HoneyBees working with HoneyPoint Agent have been key indicators of compromise that have led them to otherwise undetected compromises.

HoneyBees are just another example of some of the ways that people are using the incredible flexibility of HoneyPoint to do nuance detection more easily than ever before. Gaining vision where they never had it has paid off, and HoneyPoints ability to turn vision into intelligence has proven itself over and over again.

To discuss HoneyPoint, HoneyBees or other forms of nuance detection, get in touch with MicroSolved. We would be happy to discuss how we can help your organization get more vision all around your enterprise.

Exposed Terminal Services Remains High Frequency Threat

Posted on by
4

GlobalDisplay Orig

Quickly reviewing the HITME data gathered from our global deployment of HoneyPoint continues to show that exposed Terminal Services (RDP) on port 3389 remains a high frequency threat. In terms of general contact with the attack surface of an exposed Terminal Server connection, direct probes and attacker interaction is seen on an average approximately two times per hour. Given that metric, an organization who is using exposed Terminal Services for remote access or management/support, may be experiencing upwards of 48 attacks per day against their exposed remote access tool. In many cases, when we conduct penetration testing of organizations using Terminal Services in this manner, remote compromise of that service is found to lead to high levels of access to the organization’s data, if not complete control of their systems.

Many organizations continue to use Terminal Services without tokens or VPN technologies in play. These organizations are usually solely dependent on the security of login/password combinations (which history shows to be a critical mistake) and the overall security of the Terminal Services code (which despite a few critical issues, has a pretty fair record given its wide usage and intense scrutiny over the last decade). Clearly, deploying remote access and remote management tools is greatly preferred behind VPN implementations or other forms of access control. Additionally, upping Terminal Services authentication controls by requiring tokens or certificates is also highly suggested. Removing port 3389 exposures to the Internet will go a long way to increasing the security of organizations dependent on RDP technology.

If you would like to discuss the metrics around port 3389 attacks in more detail, drop us a line or reach out on Twitter (@microsolved). You can also see some real time metrics gathered from the HITME by following @honeypoint on Twitter. You’ll see lots of 3389 scan and probe sources in the data stream.

Thanks for reading and until next time, stay safe out there!

Security Experimentation with HoneyPoint

Posted on by
1

One of the best uses of HoneyPoint is using it to test your assumptions, model risk or otherwise perform experimentation.

If your management team would benefit from understanding how quickly a new web application will be targeted and attacked when deployed, a quick mock up with HoneyPoint can give them that data. If you want to prove to the development team that attackers will find XSS vulnerable apps, a quick publish of a HoneyPoint web app with the XSS vulnerability enabled will get you metrics to support your assertion.

That’s one of my favorite uses of HoneyPoint: to quickly, easily and safely build real world metrics that answer my questions. Sure, it’s a great tool for defense and detection. But I really love using it to scratch my own itch for real world data. 

Audio Blog Post: Defensive Fuzzing and MSI’s Patent

Posted on by
1

What goes into getting a patent? The answer would be: a lot of work! Brent Huston, CEO and Founder of MicroSolved, Inc., talks with Chris Lay, Account Executive, about MSI’s first patent for HoneyPoint’s defensive fuzzing capability. In this audio blog post, you’ll learn:

  • What is the patent about?
  • What is defensive fuzzing?
  • What went into the patent process?

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

How Honeypots Can Help Safeguard Your Information Systems

Posted on by
3

 

 

 

 

 

 

 

A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.

It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon what you are trying to achieve.

There are two different types of honeypots: production and research. Production honeypots are typically used by companies and corporations. They’re easy to use and capture only limited information.

Research honeypots are more complex. They capture extensive information, and used primarily by research, military, or government organizations.

The purpose of a production honeypot is to mitigate risk to an organization. It’s part of the larger security strategy to detect threats. The purpose of a research honeypot is to collect data on the blackhat community. They are used to gather the general threats against an organization, enabling the organization to strategize their response and protect their data.

The value of honeypots lies in their simplicity. It’s technology that is intended to be compromised. There is little or no production traffic going to or from the device. This means that any time a connection is sent to the honeypot, it is most likely to be a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As we say about our HoneyPoint Security Server, any traffic going to or from the honeypot is, by definition, suspicious at best, malicious at worst. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity. What are the advantages to using honeypots?

  1. Honeypots collect very little data. What they do collect is normally of high value. This eliminates the noise, making it much easier to collect and archive data. One of the greatest problems in security is sifting through gigabytes of useless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy to understand format.
     
  2. Many security tools can drown in bandwidth usage or activity. NIDs (Network Intrusion Detection devices) may not be able to handle network activity, and important data can fall through the cracks. Centralized log servers may not be able to collect all the system logs, potentially dropping logs. The beauty of honeypots is that they only capture that which comes to them.

Many of our clients swear by our HoneyPoint family of products to help save resources. With its advantages, it’s easy to see why! Leveraging the power of honeypots is an excellent way to safeguard your data.

 

How HoneyPoint Security Server Minimizes Risk For Your Network

If you’re looking for a security tool that goes beyond NIDS, you’re in luck.

MicroSolved’s HoneyPoint Security Server has revolutionized the ease and power of what honeypots can do and be. With the emergence of HoneyPoint Wasp, you can also apply the HoneyPoint magic to your Windows desktops. 

HoneyPoint Wasp monitors your desktops for any new applications it has not seen before (Anomaly Detection). Should Wasp detect new code, the end-user will never see a pop-up alert. Instead, you will be notified and able to quickly take action. Should the notification go without follow-up action, HoneyPoint Wasp assumes the allowed application, and no future notification will be sent to the console (Self-Tuning White Listing).

As you’ll see in a moment, the HoneyPoint Security Server is much more than a mere intrusion detection system.. It’s an underlying framework of rock-solid code that’s been built to achieve three important goals: identify real threats, isolate and tamper with the attacker’s results, and “smart” detection processes that allow you to target attacker availability.

Let’s take a look at each of these goals, and why they matter to what you’re doing online…

Click to continue…

HoneyPoint Agent Helps Another Client

Posted on by
2
Just got an interesting report in from another client helped by HoneyPoint Agent. This time, the client detected a probe against a SQLServer port that seemed to be coming from several hosts on their internal network.
 
The probe was aimed at identifying SQLServer installations, and while the story seems familiar, the probe itself was different. In this case, the client had network-based intrusion detection tools and other elements of signature-based visibility. However, the probe they were seeing was a new type of probe and signatures had not yet been created. Thus, the signature-based tools were basically blind to detecting the scans of this malware, even while it was beginning to spread across their environment.
 
HoneyPoint Agent on the other hand, simply detected the illicit traffic. Since deployed HoneyPoints are not real services, any contact with them should be considered suspicious at best or malicious at worst. In this case, the traffic was indeed malicious. HoneyPoint tipped them off to the source IP’s of the scanning and even gave them the data they needed to build network signatures for their network-based detection tools. Several hours later, they had significant intelligence into the scope, capability, source and methods of what they were facing. HoneyPoint had not only served as an early warning system, but had also given them the knowledge to grow their visibility to the overall impact of the security incident.
 
I love it when customers tell us about how HoneyPoint helped them in a time of need. I truly appreciate it when they catch malware early on and get to take quick, decisive defensive action. We might not win all of the battles in the infosec war, but when we do win a few and something we made helps turn the tide, it makes the MSI team very happy indeed!

HoneyPoint Internet Threat Monitoring Environment: An Easy Way to Pinpoint Known Attacker IPs

Posted on by
2

One of the least understood parts of MicroSolved is how the HoneyPoint Internet Threat Monitoring Environment (#HITME) data is used to better protect our customers.

If you don’t know about the #HITME, it is a set of deployed HoneyPoints that gather real world, real time attacker data from around the Internet. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. You can even follow the real time updates of attacker IPs and target ports on Twitter by following @honeypoint or the #HITME hash tag. MSI licenses the data under Creative Commons, non-commercial and FREE as a public service to the security community.

That said, how does the #HITME help MSI better protect their customers? First, it allows folks to use the #HITME feed of known attacker IPs in a blacklist to block known scanners at their borders. This prevents the scanning tools and malware probes from ever reaching you to start with.

Next, the data from the #HITME is analyzed daily and the newest, bleeding edge attack signatures get added to the MSI assessment platform. That means that customers with ongoing assessments and vulnerability management services from MSI get continually tested against the most current forms of attack being used on the Internet. The #HITME data also gets updated into the MSI pen-testing and risk assessment methodologies, focusing our testing on real world attack patterns much more than vendors who rely on typical scanning tools and backdated threats from their last “yearly bootcamp”.

The #HITME data even flows back to the software vendors through a variety of means. MSI shares new attacks and possible vulnerabilities with the vendors, plus, open source projects targeted by attackers. Often MSI teaches those developers about the vulnerability, the possibilities for mitigation, and how to perform secure coding techniques like proper input validation. The data from the #HITME is used to provide the attack metrics and pattern information that MSI presents in its public speaking, the blog, and other educational efforts. Lastly, but certainly not least, MSI provides an ongoing alerting function for organizations whose machines are compromised. MSI contacts critical infrastructure organizations whose machines turn up in the #HITME data and works with them to mitigate the compromise and manage the threat. These data-centric services are provided, pro- bono, in 99% of all of the cases!

If your organization would be interested in donating an Internet facing system to the #HITME project to further these goals, please contact us. Our hope is that the next time you hear about the #HITME, you’ll get a smile on your face knowing that the members of our team are working hard day and night to protect MSI customers and the world at large. You can count on us, we’ve got your back!

HoneyPoint Tales: Conficker Still Out There

Posted on by
3

I had an interesting conversation this week over email with a security admin still fighting Conficker.

If you haven’t recalled Conficker in a while, take a moment and read the wikipedia entry here: (http://en.wikipedia.org/wiki/Conficker). Back in 2008, this nasty bugger spread across the net like wild fire. It was and is, quite persistent. 

Back in those days, we even put out a free version of HoneyPoint called HPConficker to act as a scatter sensor for detecting infected hosts on networks around the world. That tool expired eventually, and to be honest, we stopped really tracking Conficker back in 2010 to move on to studying other vectors and exploits. I hadn’t even thought about the HPConficker tool since then, until this week. 
 
In order to help this admin out as they battled the worm, I came in on a vacation day, dug the old code out of the source vault and updated it to run through the end of 2012. I then built a quick compile, zipped it (in my hurry forgetting to remove the OS X file noise) and sent it on to the sales person who was helping the client directly. When I heard that the zip file with OS X noise was a problem, I quickly cleaned the zip and sent it back up to the server for them to re-download, install and use. Sadly, I haven’t yet had time to build a readme file or the like, but the tool is pretty easy to use. Unzip it with folder extraction enabled, execute it and follow the GUI instructions. I haven’t heard back from my new security admin friend, but I hoped it helped them fight the good fight.
 
I took a couple of key points from this: 1) Conficker is still around and causing trouble; and 2) Helping people with HoneyPoint is still one of the core reasons I do what I do.
 
I may not say it often enough, but, thanks to all of you for playing with my toys. Since 2006, the knowledge gained, the insights and the outright chance to help people with my software has been a great joy. I look forward to pursuing it for many years to come. 
 
Keep playing with HoneyPoint. Keep talking to us. We want to engage, and we want to help YOU solve YOUR problems. At the core, that’s what MSI is all about. As always, thanks for reading and stay safe out there!
 
PS – We haven’t decided if we are going to release the tool again. If you want it and it can help you, drop me a line in the comments, send me a tweet (@lbhuston) or get in touch. Even if we don’t push it out in public on the site, it’s here if you need it…

Speed Bumps and Information Security

Posted on by
2

On Twitter, Brent Huston (@lbhuston), CEO and Security Evangelist, posed this question: Does the introduction of speed bumps into a neighborhood reduce overall burglaries and  petty crime?

There was some speculation that it may not impact burglaries but could impact violent crime. An Oakland study showed that bumps decrease the casual traffic pattern by 33%. As it turns out, speed bumps decrease speeding by 85%. Less casual traffic means less scouting for break-ins. So, speed bumps make you more secure. A study done by the Portland Bureau of Transportation shows a full examination of the impact of speed bumps.

Although speed bumps may deter criminal traffic, there’s a good possibility that the criminals just head toward an area that doesn’t have speed bumps. The same can be true with hardening your home security. If you take precautions and make your home more difficult to enter, the burglar may instead target one of your neighbor’s homes.

Although there may be instances where criminal activity increased due to speed bumps, those are not common and serve as the exception rather than the rule. Still, logic dictates that with more controls comes a decrease in crime. (Less speeding, less petty crime.)

And if you do find yourself in a neighborhood with speed bumps, slow down. They can sometimes break the cars of speeders

This leads us to the next question: What do speed bumps tell us about information security?

Can minor annoyances to attackers increase our overall security? What kind of speed bumps can you think of that might help?
 
Of course, honeypots, especially those that do misdirection and black holing are good cyber speed bumps. Curious about using honeypots as your deterrent against attacks? Give us a call and we’ll show you how to put a few of these “speed bumps” into your network. We promise they won’t damage your alignment!