How to Create a Honeypot to Catch a Hacker

Honeypots are red herrings of the hacking world. They distract a hacker, allow network administrators to review activities, strengthen software security, and ultimately protect the network from critical breaches. Honeypots are valuable tools, but they’re usually implemented on big networks. Small companies can also benefit from a honeypot, but they usually haven’t heard of them or don’t know how to set one up. Here is how you can create your own.

What is a Honeypot and How Does It Help Me?

A honeypot masquerades as a real server. It’s placed on a section of the network that is open to the public. This section is called the demilitarized zone or DMZ. The DMZ is external to the internal network but usually behind a router connected directly to the Internet. The DMZ is considered partially secure, so it’s a good place for a honeypot.

When a hacker finds the honeypot, he’ll likely focus on it instead of diving deeper into the internal network. Essentially, the honeypot protects the internal network through distraction.

Honeypots are also used in computer forensics. Security companies use honeypots to track hacker access, events, and any suspicious traffic. They help security teams better understand issues and what can be done to fix them. The benefit is stronger security for both hardware and software.

For a small business, the better use for a honeypot is network protection. It can defend against hackers and help business owners patch any security issues before they become dangerous to users.

Step 1: Set Up Your Honeypot Environment

This article focuses on Windows servers, but honeypots are also useful in Linux environments. The advantage of Linux is that there are a few free honeypot platforms available that take care of much of the configuration.

You don’t want the hacker to gain access to the entire physical server, so you should set up a virtual machine. Windows Server 2012 comes with Hyper-V, which lets you create numerous virtual machines and manage them from one server. If you have an older Windows server operating system, Microsoft also offers Virtual PC to manage virtual machines.

If you decide to use the physical server as a dedicated honeypot, ensure that you take the right security steps. Don’t use an administrator account that has access to critical systems on the internal network. Use different passwords than main account passwords. Don’t store any critical data on the machine. Store dummy data that looks legitimate but doesn’t point to any real customer information. Don’t join the server to the internal network domain. In other words, your honeypot should be an island on its own and not a part of the internal network environment.

Step 2: Set Up Logging

What you log is determined by what you install on the server. If you just want to log login attempts, Windows Event Viewer is sufficient. However, if you want to create a honeypot with proprietary software installed, you need to log any application events. You should also log file access attempts.

Windows 2012 lets you set up shadow copy services. Windows shadow copy services are a form of versioning. When changes are made to a file, you can still access previous versions. It’s meant to restore files in case of an emergency, but you can also use it to identify what changes are made to files. Shadow copies might give you clues to the hacker’s intent.

One issue with logging is that the hacker can clear logs. You should attempt to move logs after the honeypot is breached, but it’s not a guarantee that they won’t be altered. Another option is to set up alternative logging. For instance, ELMAH is a logging tool for Windows applications. The hacker knows that the operating system is logging events, but he might not think to look for alternative logging methods.

One way to preserve logs is to write events to a DVD-RW drive. You also need a network traffic analyzer and monitoring tool to detect and capture the hacker’s packets. One of the most popular and useful tools on the market is Wireshark. It’s also free, which makes it perfect for a business on a tight budget.
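
One way to get logon events off the honeypot before an intruder can clear the local logs, shown as an added example that is not part of the original article: a scheduled PowerShell task that forwards failed logons (4625), successful logons (4624) and "Security log cleared" events (1102) to a separate collector as syslog-style UDP datagrams. The collector address, port and state-file path are placeholders, and the collector is assumed to sit outside the internal network.

```powershell
# Added example, not from the original article. Run elevated as a scheduled
# task every few minutes on the honeypot.
$Collector = '192.0.2.10'                        # hypothetical collector address
$Port      = 514                                 # syslog over UDP
$StateFile = 'C:\ProgramData\hp-shipper.state'   # hypothetical state-file path

# Resume from the last shipped event, or look back one hour on the first run
$since = (Get-Date).AddHours(-1)
if (Test-Path $StateFile) { $since = [datetime](Get-Content $StateFile -TotalCount 1) }

# 4624 = successful logon, 4625 = failed logon, 1102 = Security log was cleared
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 1102; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$udp = New-Object System.Net.Sockets.UdpClient
foreach ($e in $events) {
    # Read EventData fields by name; 1102 carries no EventData, so they stay empty
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($n.Name) { $d[$n.Name] = $n.'#text' }
    }

    # Facility 4 (auth): severity 1 (alert) for a log clear, 5 (notice) otherwise
    $pri = if ($e.Id -eq 1102) { 33 } else { 37 }
    $msg = '<{0}>{1:s} {2} honeypot: id={3} record={4} user={5} src={6} logontype={7}' -f `
        $pri, $e.TimeCreated, $env:COMPUTERNAME, $e.Id, $e.RecordId,
        $d['TargetUserName'], $d['IpAddress'], $d['LogonType']

    $bytes = [Text.Encoding]::UTF8.GetBytes($msg)
    [void]$udp.Send($bytes, $bytes.Length, $Collector, $Port)

    # Remember progress so the next run starts just after this event
    $e.TimeCreated.AddMilliseconds(1).ToString('o') | Set-Content $StateFile
}
$udp.Close()
```

Because each event is pushed as it is found, a later log clear on the honeypot removes only the local copy, and the 1102 event that records the clear is itself forwarded on the next run.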

Step 3: Configure the Firewall

All traffic routed to the honeypot should only go to the honeypot and not the internal network. If you accidentally open a port on the router that allows traffic to the internal network, you’ve just exposed your internal resources.

The goal with this step is to open the ports necessary to access the honeypot but nowhere else on your internal network. Be very selective with ports, and ask a colleague or security consultant to review the setup. The honeypot should direct any traffic to the open network and never to internal systems.

One setup you don’t want to use is opening all ports on the honeypot. Remember that the hacker can’t know that he’s on a honeypot and not a critical server. When your honeypot has all ports open, it becomes suspicious. Don’t make it obvious that the server has no security configured. Hackers know that a company has some type of security set up and will avoid any system that’s “too good to be true.”
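
The same policy can be mirrored on the honeypot's own Windows Firewall as a second layer behind the router. This is an added example, not part of the original article; the decoy ports and the internal network range are assumptions to replace with your own values.

```powershell
# Added example, not from the original article. Run elevated from the
# Hyper-V console, not over RDP: step 2 disables the other inbound allow rules.
$DecoyPorts   = 80, 3389         # hypothetical: services the honeypot exposes
$InternalNets = '10.10.0.0/16'   # hypothetical: your internal network range(s)

# 1. Default-deny inbound on every profile, and log dropped and allowed traffic
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 16384

# 2. Turn off the stock inbound allow rules so only the decoy ports answer
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Group -ne 'Honeypot' } |
    Disable-NetFirewallRule

# 3. Allow in only the selected decoy services
New-NetFirewallRule -DisplayName 'Honeypot decoy services' -Group 'Honeypot' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $DecoyPorts

# 4. Block anything the honeypot sends toward the internal network
#    (block rules take precedence over allow rules in Windows Firewall)
New-NetFirewallRule -DisplayName 'Honeypot no internal egress' -Group 'Honeypot' `
    -Direction Outbound -Action Block -RemoteAddress $InternalNets

# 5. Review the result before exposing the machine
Get-NetFirewallRule -Group 'Honeypot' |
    Select-Object DisplayName, Direction, Action, Enabled
```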

Step 4: Perform Your Own Testing

There are numerous port scanners and penetration testing tools. One popular tool is nmap. Nmap is a port scanning tool that shows open ports on a system. You can use it to perform a quick test of your setup. The hacker will likely perform a scan on common ports, so you should do the same.

After the port scan, view your server logs, review events, and identify anything that was not properly monitored or logged. If you have any intrusion detection software (IDS), it could block certain activity such as a port scan. To make the honeypot more believable, you can lower security settings in your IDS.
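
To check the logging side of your own test scan, the following added example (not part of the original article) lists which of the ports you probed left no entry in the Windows Firewall log. It assumes firewall logging of both allowed and dropped connections is enabled and written to the default log path; the scanner address and port list are placeholders.

```powershell
# Added example, not from the original article. Run elevated on the honeypot
# after your test scan.
$ScannerIp = '198.51.100.25'          # hypothetical: address you scanned from
$Probed    = 21, 22, 80, 443, 3389    # hypothetical: ports you scanned
$LogPath   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Log columns: date time action protocol src-ip dst-ip src-port dst-port ...
$seen = Get-Content $LogPath |
    Where-Object { $_.Trim() -and $_ -notmatch '^#' } |
    ForEach-Object {
        $f = $_ -split ' '
        [pscustomobject]@{
            Action = $f[2]; Protocol = $f[3]; SrcIp = $f[4]; DstPort = $f[7]
        }
    } |
    Where-Object { $_.SrcIp -eq $ScannerIp -and $_.Protocol -eq 'TCP' }

# One row per probed port: was it logged, and as ALLOW or DROP?
$report = foreach ($port in $Probed) {
    $hits = @($seen | Where-Object { [int]$_.DstPort -eq $port })
    [pscustomobject]@{
        Port    = $port
        Logged  = $hits.Count -gt 0
        Actions = ($hits.Action | Sort-Object -Unique) -join ','
    }
}
$report | Format-Table -AutoSize

# Any port listed here was probed but left no trace: a logging gap to fix
$report | Where-Object { -not $_.Logged } |
    ForEach-Object { Write-Warning "No firewall log entry for port $($_.Port)" }
```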

After you set up and test a honeypot, you’re ready to put it into production. You should monitor it closely for several weeks when it’s first released.

Honeypots are a fun and protective way to secure your network. You don’t need to report the hacker when he accesses your honeypot, but you can learn from it. It’s a great, safe way to learn the security holes in your product or network environment.