They say you can catch more bees with honey than vinegar.
On the web, that bee is someone hacking through the layers of the web itself. The honey is the vulnerability of poorly secured websites and servers. When lucky, the hacker finds a way to get to the data and can harvest it for his or her own benefit. But sometimes, he falls prey to a facade that looks and acts like unsecured data but is actually a trap.
This is (essentially) a honeypot.
At its core, a honeypot is a server that uses exposed vulnerabilities to attract malicious hackers. The data kept on the server is either unimportant or non-existant – but the trap is real. When a hacker enters the server, the malware they use is captured, analyzed, and recorded. Honeypots capture data by utilizing intrusion detection systems, such as Snort, in combination with strategically open vulnerabilities. Often times, the honeypot will mimic a server that was recently publicized for being breached. The data is then analyzed to determine the attacker’s intent. Those watching the pot use this information to create signatures based on the attack, matching them with currently known exploits or zero-day attempts.
For the past year, I’ve been tracking the latest attacks through a growing number of honeypots on my honeypot farm, h8ck3d.com. The farm started as a single honeypot, collecting a few attacks each week. Now it’s collecting as many as a thousand unique attacks daily. Each attack is contained, analyzed, geo-located, and categorized by CVE or product. As a researcher, you can log in and see real-time attacks from around the globe attempting to exploit known CVEs. This information is freely available, in real-time, for white hats through an interactive map and REST API.
I’ve been intensly interested in the harvesting of my honeypot farm, as it gives me a unique perspective when handling CVEs for clients at Risk I/O. With the seemingly endless number of breaches happening at the enterprise level, I’m hoping that the prevelance of measures like my farm can help protect the net. The more attackers who unknowingly share their malware with a honeypot before they hit a ‘real’ server, the quicker we can analyze and protect those at risk. Catching hackers with a little bit of sweetness. Like bees to honey.
David Hunt is a senior software engineer for Risk I/O. He has focused most of his work in the areas of agriculture and defense, with cyber security as an overarching theme in his work. His honeypot farm can be found at h8ck3d.com.