HoneyPoint HoneyBees Help Catch Sniffers

GlobalDisplay Orig

HoneyPoint has a component called a HoneyBee that can help organizations detect sniffing on their networks. The tool works like this:

  • HoneyBees are configured to talk to HoneyPoint Agents with a set of known credentials for an Agent emulated service
  • HoneyPoint Agent knows where the HoneyBees will be connecting from and those hosts are added to the local ignore list for that Agent
  • HoneyBees randomly create emulated “conversations” with HoneyPoint Agent in plain text, transmitting their credentials across the network for sniffers to pick up
  • The attacker or sniffing malware grabs the credentials through their sniffed traffic
  • The attacker or malware attempts to use those same credentials to authenticate to the HoneyPoint Agent
  • HoneyPoint Agent flags the authentication attempt as tampered traffic and alerts the security team to take action

By properly configuring the setup, this approach makes for a very effective tool to catch sniffing malware and attackers. Backing the credentials up with other detection mechanisms, such as in web applications and on AD forests can extend the approach even further. Our team has helped organizations stand up these kinds of nuance detection schemes across a variety of platforms. 

Even though the approach seems quite simple, it has proven to be quite adept at catching a variety of attacks. Customers continue to tell us that HoneyBees working with HoneyPoint Agent have been key indicators of compromise that have led them to otherwise undetected compromises.

HoneyBees are just another example of some of the ways that people are using the incredible flexibility of HoneyPoint to do nuance detection more easily than ever before. Gaining vision where they never had it has paid off, and HoneyPoints ability to turn vision into intelligence has proven itself over and over again.

To discuss HoneyPoint, HoneyBees or other forms of nuance detection, get in touch with MicroSolved. We would be happy to discuss how we can help your organization get more vision all around your enterprise.

Audio Blog Post: Moving Toward Detection in Depth

Brent Huston, CEO and Security Evangelist for MicroSolved, Inc., explains how organizations need to move from a focus on prevention to detection.

Joined by MSI’s Account Executive Chris Lay and Marketing Communication Specialist Mary Rose Maguire, Brent maps out how an organization can get detective controls closer to the data and shows that IT departments can have a “payoff” if they pursue nuanced detection.

Click here to listen to the audio post!

Audio Blog: Brent Huston – HoneyPoint Security Server Manifesto Part Two

We continue our interview with Brent Huston as he answers a few questions about HoneyPoint Security Server, and HoneyPoint Agents.

In this installment, you’ll learn:

  • What HoneyPoint Agent is and its role in the suite
  • How information techs are using HoneyPoint
  • How can people use Agent with DNS and blacklisting, and why it’s significant
  • What HoneyPoint Decoy is and how it is utilized in an environment
  • The three different “flavors” of HoneyPoint Decoy

Click the link to listen or right-click to download it.

MicroSolved, Inc. Releases New Malware Protection for MS Windows

Our HoneyPoint Wasp 1.50 is cleaner, faster, and more flexible than ever!

COLUMBUS, Ohio March 14, 2011 — MicroSolved, Inc. is pleased to announce their new version of HoneyPoint Wasp 1.50. The new Wasp gives more capability to the security team to easily gain visibility into Windows systems and more power to their efforts to secure them against intrusion.

HoneyPoint Wasp, a tool used to monitor the security of user workstations, has been upgraded with several new features. New behavior-based detections are now included to help extend your existing AV investment. This will provide an extra layer of detection for malware that slips past the AV shield.

Wasp detects infections frequently missed by other malware tools in laboratory testing and real world environments.

“We’re proud of Wasp’s ability to identify compromised systems that other tools and techniques would have shown to be OK, leaving systems online and under attacker control for a longer period than needed,” said Brent Huston, CEO and Security Visionary for MicroSolved. “With HoneyPoint Wasp, you can more quickly and easily take compromised machines away from the attacker and significantly raise the bar in what they have to do to compromise your environment, avoid detection and steal your data.”

To learn more about HoneyPoint Wasp and how it can help an organization protect their desktop network, please visit our HoneyPoint Wasp page!

Touchdown Task #2: Detection: How Much Malware Do You Have? #security

Our last Touchdown task was “Identify and Remove All Network, System and Application Access that does not Require Secure Authentication Credentials or Mechanisms”. This time, it is “Detection”.

When we say “detection” we are talking about detecting attackers and malware on your network.

The best and least expensive method for detecting attackers on your network is system monitoring. This is also the most labor intensive method of detection. If you are a home user or just have a small network to manage, then this is not much of a problem. However, if your network has even a dozen servers and is complex at all, monitoring can become a daunting task. There are tools and techniques available to help in this task, though. There are log aggregators and parsers, for example. These tools take logging information from all of the entities on your system and combine them and/or perform primary analysis of system logs. But they do cost money, so on a large network some expense does creep in.

And then there are signature-based intruder detection, intruder prevention and anti-virus systems. Signature-based means that these systems work by recognizing the code patterns or “signatures” of malware types that have been seen before and are included in their databases. But there are problems with these systems. First, they have to be constantly updated with new malware patterns that emerge literally every day. Secondly, a truly new or “zero day” bit of Malware code goes unrecognized by these systems. Finally, with intruder detection and prevention systems, there are always lots of “false positives”. These systems typically produce so many “hits” that people get tired of monitoring them. And if you don’t go through their results and winnow out the grain from the chaff, they are pretty much useless.

Finally there are anomaly detection systems. Some of these are SEIM or security event and incident management systems. These systems can work very well, but they must be tuned to your network and can be difficult to implement. Another type of anomaly detection system uses “honey pots”. A honey pot is a fake system that sits on your network and appears to be real. An attacker “foot printing” your system or running an exploit cannot tell them from the real thing. Honey pots can emulate file servers, web servers, desk tops or any other system on your network. These are particularly effective because there are virtually no false positives associated with these systems. If someone is messing with a honey pot, you know you have an attacker! Which is exactly what our HoneyPoint Security Server does: identify real threats!

Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack. Give us a call if you’d like us to partner with you for intrusion detection!

3 Changes in Crimeware You Can Count On

Crimeware is becoming a significant threat to most organizations. The capability and dependence on crimeware as an attack model is growing. With that in mind, here are 3 things that the folks at MSI think you will see in the next year or two with crimeware:

1. Cross platform crimeware will grow. Attackers will continue to embrace the model of malware that runs everywhere. They will focus on developing tools capable of attacking systems regardless of operating system and will likely include mobile device platform capability as well. They have embraced modern development capabilities and will extend their performance even further in the coming years.

2. Specialized crimeware will continue to evolve. Organized criminals will continue to develop malware capable of focusing in on specific business processes, keying on specific types of data and attacking specific hardware that they know are used in areas they wish to compromise. Whether their targets are general data, ATM hardware, check scanners or the smart grid, the days of crimeware being confined to desktop user PCs are over. The new breed knows how ACH works, can alter firmware and is capable of deeper comprise of specific processes.

3. Crimeware will get better at displacing the attack timeline. Many folks consider malware to be symetric with time. That is, they see it as being operational continually across the event horizon of a security incident. However, this is not always true and attackers are likely to grow their capability in this area in the coming years. Modern malware will be very capable of making its initial compromise, then sitting and waiting to avoid detection or waiting for the right vulnerability/exploit to be discovered, etc. The attacks from the next generations will have a much longer tail and will come in a series of waves and lulls, making detection more difficult and extending the time window of control for the attackers.

MSI believes that organizations need to be aware of these threats and ideas. They must get better at detecting initial stage compromises and begin to focus on closing the window of opportunity attackers now have, once they get a foothold (in most cases days-months). Prevention is becoming increasingly difficult, and while it should not be abandoned, more resources should be shifted into developing the capability to detect incidents and respond to them.