How the honeyBox®works

Straightforward principle: Virtual bait aims to attract and challenge hackers

The honeyBox® makes a wide range of virtual honeypots available. The security notifications of honeyBox® are gathered centrally and the administrator is notified. The notifications in the browser can be evaluated according to differing criteria via a secure HTTPS connection. This makes the possibility of a targeted drill-down available. The notifications can also be forwarded to third party systems (e.g. via syslog).

Functions and attributes of honeyBox®

The honeypot appliance can be operated as a stand-alone solution. Alarm notifications are gathered in the central repository at the same time and evaluated in the browser via a secure HTTPS connection. With larger-scale installations, the management server function should be realised by a dedicated system on the basis of a high-performance server. This then works together with the sensors. Evaluation according to a variety of criteria is possible. This enables the completion of a targeted drill-down.

Further information about the operating principle of the honeyBox® is available here.

Recent examples of use for the honeyBox®

The honeyBox®in use against APT

An APT (advanced persistent threat) is the name given to a targeted attack that is carried out by experienced hackers to large-scale networks or systems and the associated theft of data or manipulation of systems over an extended time frame.

Hackers of this kind take a targeted and long term approach to their attacks, which are also configured on a sophisticated basis, making them hard to detect. According to the BSI, research suggests that it can take an average of 87 to 229 days for an attack to be discovered, and in extreme cases, 2 to 3 years.

Using the honeyBox® can prevent such a scenario. The honeyBox® is capable of revealing and reporting these attacks. In this context, unwanted visitors are attracted to a virtual trap and an alarm is raised.

Where the use of the honeyBox® is required

A monitoring of your LAN with IDS/IPS is insufficient

Companies require reliable data about the security status of their network. With IDS/IPS, this cannot, on the whole, be achieved. In contrast to this, with honeypots it is, on the whole, possible to detect cases of unauthorised access.

Situation: You do not use comprehensive monitoring in your LAN. Attacks to your internal systems can, however, cause considerable damage.

Implementation: with the use of the honeypot appliances, you rapidly gain a solution which can be used in order to detect internal attacks to your LAN. This makes changes to the network structure unnecessary.

The result: through the detection and possible logging of attacks, you receive up-to-date notification on whether hackers are active in your network. If required, you can introduce steps so as to contain and analyse the attack.

The IPS can suffer from gaps which hackers make a point of exploiting. In most cases, honeypots that have been installed are the last wall of defence.

What happens, however, if the hacker has already overcome or circumvented the IPS? In such cases, most networks are then defenceless. Honeypots can be of noteworthy benefit here because they are typically positioned internally in great number.

A honeypot offers typical services and links several IP addresses without causing any performance problems. Sometimes, the simple notification that a certain system has made an attempt to connect is sufficient. The disadvantage, however, is that the only attacks to be registered are those that directly address a honeypot. In this respect, the honeypot detects malware or automated attacks rapidly, while it is possible that a hacker who works on a targeted basis with insider information may not be detected.

The history and origin of honeypots

The origin of the honeypot idea

The basic idea that led to the development of the honeypot technology was the notion of setting virtual traps for hackers in IT networks.

Nobody knows for certain when honeypot technology first started to be used in the world of IT. However, Clifford Stoll has described how he resolved an attempt to gain unauthorised access to the data of the Lawrence Berkeley National Laboratory in August 1986 with the use of fake data. With the use of fake data, the hacker was coaxed into staying online until it was possible to trace their telephone number.

How much honeypot does the honeyBox®contain?

The honeyBox® provides the option of making a large number of virtual honeypots available. Depending on the model, 250 to 40,000 honeypots are possible on one device. In this respect, the virtual honeypots are rolled out as bait in almost every network segment. Due to the high scalability of the honeyBox® this is also relatively easy in large-scale networks. During their manual or automatic exploration of the network, intruders come across virtual honeypots in the LAN which appear to have a poorer level of security than the other systems. During the initial contact, the alarm is raised in a variety of different ways. The notifications can also be integrated into superordinate IT security systems.

FAQ: Frequently asked questions on the honeyBox®

Question: What is the different between high and low interaction honeypots?

Answer: High interaction honeypots offer the hacker a system which is as complete as possible with all of the services and potential target areas. These also include complete websites, for example. High-interaction honeypots are generally fully installed servers. In this case, virtualisation is avoided because hackers are able to detect it.

Low-interaction honeypots only offer the façade of a service in order to attract hackers. As soon as the hacker has connected with the service, the trap closes and the work of the low-interaction honeypot is done. Emulated services which are of a rudimentary nature are also significantly less susceptible to gaps in security.

Our honeyBox® works with low-interaction honeypots, a few hundred to several  thousand of which can be made available in the network per appliance.

Question: Isn’t a hacker able to detect a honeypot and avoid it straight away?

Answer: In our experience, they do so very rarely, and if so, not quickly enough.

In all of the internal penetration tests (DMZs and LAN) which we have carried out at customers, when honeypots have been used, our hacking attempts have always been discovered. Without the use of honeypots, however, our hacking attempts have gone undetected, although firewalls and IDS/IPS were in use. Those who have attended our hacking courses have also tried to access the honeypots for extended periods of time without realising that they were just façades.

Question: Do the virtual honeypots on the honeypot appliance not put the appliance itself at risk?

Answer: Any service can be attacked in some way or another.

On the appliance, in the architecture that we recommend, management and honeypot interfaces are separate. The appliance is also protected very well by both the local firewall and additional security mechanisms.

Question: Can I use the honeypot appliance so that the interfaces can be connected in different security zones where they can offer virtual honeypots?

Answer: That depends on your security policy.

If it permits a configuration of this kind, the honeypot appliance offers sufficient security mechanisms so as to prevent it from becoming a short circuit bridge between different zones due to a hacker.

Question: Can I connect the management interface in the same network as one of the honeypot interfaces?

Answer: This is not technically possible, but if you are unable to use your own management network and the management interface were to be located in the same network as the network in which the honeypots are to be made available, then the management interface becomes additional to a honeypot interface. In this configuration, we describe the operation of the management interface as a shared honeypot, in contrast to a dedicated honeypot in the case of straightforward honeypot interfaces.

To ensure that the security is kept as high as possible, the management interface should be connected to a network which is separate from a normal LAN (as is the case with other security systems).

Question: Can the honeyBox® honeypot appliance be administered securely on a remote basis?

Answer: Yes. It can be administered via SSH and HTTPS.

The IP addresses can be restricted in the local firewall. In addition to this, the serial port can be used for an out of band management.