I just heard from a client, one Mr. BW, we shall call him, that he has a smart new use for HoneyPoint Security Server in his organization. In addition to using it as designed, to capture emerging internal threats, Mr. BW has found a way to make use of HoneyPoint’s emulated web server to catch and capture malware and spyware inside his organization!
He came up with the idea of using HPSS in conjunction with the Bleeding Snort Rule Set for Malware. He extracted the appropriate black hole DNS records and placed them on his internal DNS server. But this simply black holed the infected systems and broke their connections; it did not tell him what the malware was seeking, passing, or otherwise communicating. So he changed the black hole DNS entries to point to a HoneyPoint emulated web server!
Now, when known malware triggers a bad DNS entry, the malware is redirected to the HoneyPoint. This not only alerts Mr. BW to the presence of the malware and the location of the infected PC; it also gives him insight into exactly what the malware is doing, what information is being transmitted, and how extensive the damage may be.
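The redirection Mr. BW describes, as an added Python example that is not HoneyPoint's own code nor his configuration: it rewrites a black-hole domain list into dnsmasq sinkhole entries pointing at the capture host, and runs a minimal logging web server standing in for the emulated one. The feed format, the use of dnsmasq, the `sinkhole.jsonl` log name and the honeypot address 10.0.0.50 are assumptions.

```python
import json
import re
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

HONEYPOINT_IP = "10.0.0.50"  # assumed address of the emulated web server
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)

def parse_blackhole_list(text):
    """Domains from a black-hole feed: one per line or hosts-style
    '0.0.0.0 domain'; '#' comments ignored (input format is assumed)."""
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split()[-1].rstrip(".").lower()
        if DOMAIN_RE.match(name) and name not in domains:
            domains.append(name)
    return domains

def dnsmasq_sinkhole(domains, target=HONEYPOINT_IP):
    """dnsmasq 'address=' lines: each listed domain (and its subdomains)
    now resolves to the honeypot instead of to a dead black hole."""
    return [f"address=/{d}/{target}" for d in domains]

def summarize_request(method, path, headers, body):
    """What the capture host records per redirected connection: which
    host/URL the malware asked for and what data it sent."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "method": method,
            "host": headers.get("Host", ""), "path": path,
            "user_agent": headers.get("User-Agent", ""),
            "body": body.decode("latin-1")}

class CaptureHandler(BaseHTTPRequestHandler):
    """Stand-in for the emulated web server: reply 200 so the malware keeps
    talking, append every request (and the infected client) to a JSONL log."""
    def _capture(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        rec = summarize_request(self.command, self.path, self.headers, body)
        rec["client"] = self.client_address[0]  # the infected PC
        with open("sinkhole.jsonl", "a") as fh:
            fh.write(json.dumps(rec) + "\n")
        self.send_response(200)
        self.end_headers()
    do_GET = do_POST = _capture

if __name__ == "__main__":  # needs port 80 so redirected HTTP lands here
    HTTPServer(("0.0.0.0", 80), CaptureHandler).serve_forever()
```

Each line of `sinkhole.jsonl` then ties an infected client address to the domain, URL and payload the malware tried to deliver, which is the visibility a plain black hole never gives.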
Mr. BW says this gives him a unique capability to communicate the overall risks of the malware and a new tool in helping to protect his organization.
Our thanks to Mr. BW for his feedback and insight! Congrats on the forward thinking and on the adaptation of the tool to your needs!