In order to overcome the adversary, we must first seek to understand. By understanding how attackers operate, and what today’s modern network looks like from an attacker’s perspective, it’s possible to deceive an attacker, or at least have warning around internal network compromise. Today, let’s touch on a classic deception technology that continues to evolve: the honeypot.
Honeypots are decoy systems, deployed alongside production systems with the intent of tricking attackers into interacting with them. By deceiving an attacker into carrying out their attack on a non-critical, well-monitored system, defenders gain valuable insight into the attacker’s methods, and information can be gathered for forensic or legal purposes.
Setting up a honeypot can help you:
- Divert attackers
- Detect malicious traffic
- Receive early warning of attack
Deception technology, including honeypots, comes ready to use out of the box in InsightIDR, Rapid7’s threat detection and incident response solution. This blog post will focus on setting up and testing a low-interaction honeypot in InsightIDR. To learn more about honeypots, check out our “Introduction to Honeypots” blog post.
Honeypots should mimic production systems in order to provide value as a true deception technology. InsightIDR’s honeypot is downloaded as an OVF file and requires the following specifications:
- 1 CPU
- 1GB RAM
- 10GB Disk Space
How to Deploy a Honeypot in InsightIDR
Download the Honeypot
- From the InsightIDR homepage, click “Click to Setup” under “Honeypots” in the top right corner:
- Click “Download Honeypot” from the top right corner of the page:
- Launch the virtual machine using the honeypot-collector.ovf file downloaded from InsightIDR.
Set Up the Honeypot
In order for the honeypot to work effectively, give it a hostname that follows the naming convention already used in your environment. Please be sure to use the Fully Qualified Domain Name (FQDN).
Things to consider before setting up a honeypot include:
- Are you going to use a static IP address?
- Do you have a static DNS server?
- Do you have a proxy?
Below are the steps to follow to set up and activate a honeypot:
- Choose a hostname.
- Specify whether the IP address is static, and enter the static DNS server and proxy server if either applies.
- You should now see an agent key in the honeypot.
- Enter the agent key into InsightIDR, and click Activate.
Test the Honeypot
Now that the honeypot is set up, here is how we can test it. (Note: An alert should trigger when you test the honeypot.)
- Run nmap to simulate internal network reconnaissance on your network.
If deployment is successful, a “Honeypot Access” alert will appear in Investigations:
Permit Vulnerability Scanners
If you perform regular vulnerability scans, chances are you don’t want to receive those alerts every time. You can permit the vulnerability scanner by selecting “Close” on the alert, then by selecting “Ignore honeypot connection attempts from this asset.”
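To make the two behaviours above concrete, here is a small model of the alerting logic, written in Python as an added example for this post. It is not InsightIDR’s code: the connection-event log format, the field names, and the `ignored_assets` parameter are constructed assumptions for illustration. Each source host that touches the honeypot yields one “Honeypot Access” alert listing the ports it probed, and sources placed on the ignore list (for example, your vulnerability scanner) produce no alert, mirroring the “Ignore honeypot connection attempts from this asset” choice.

```python
"""Model of honeypot "connection attempt" alerting with a scanner ignore list.

Added illustration only, not InsightIDR code. The event format below is
constructed for this example: one line per inbound connection to the honeypot,
carrying a UTC timestamp, the source address, the destination port and protocol.
"""
import ipaddress
import re
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of honeypot connection events. 10.0.5.23 behaves like a
# host running nmap (several ports in quick succession); 10.0.9.40 stands in
# for a scheduled vulnerability scanner. One malformed line is included to
# show that the parser skips it rather than crashing.
SAMPLE_LOG = """\
2019-03-04T10:15:02Z src=10.0.5.23 dport=22 proto=tcp
2019-03-04T10:15:02Z src=10.0.5.23 dport=445 proto=tcp
2019-03-04T10:15:03Z src=10.0.5.23 dport=3389 proto=tcp
2019-03-04T10:15:03Z src=10.0.5.23 dport=445 proto=tcp
this line is not a honeypot event
2019-03-04T11:00:00Z src=10.0.9.40 dport=80 proto=tcp
2019-03-04T11:00:00Z src=10.0.9.40 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class HoneypotEvent:
    ts: datetime
    src: str
    dport: int
    proto: str


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HoneypotEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        src=m["src"],
        dport=int(m["dport"]),
        proto=m["proto"],
    )


def is_ignored(src, ignored_assets):
    """True if src falls inside any ignored entry (single IP or CIDR network)."""
    addr = ipaddress.ip_address(src)
    return any(
        addr in ipaddress.ip_network(entry, strict=False) for entry in ignored_assets
    )


def honeypot_access_alerts(log_text, ignored_assets=()):
    """Return one "Honeypot Access" alert per source host, in first-seen order.

    Every connection attempt from a non-ignored source is evidence of
    reconnaissance, because nothing legitimate should talk to a decoy.
    Attempts from ignored assets (e.g. an authorised scanner) are dropped.
    """
    per_source = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or is_ignored(ev.src, ignored_assets):
            continue
        alert = per_source.setdefault(
            ev.src,
            {"title": "Honeypot Access", "source": ev.src,
             "first_seen": ev.ts, "ports": []},
        )
        if ev.dport not in alert["ports"]:
            alert["ports"].append(ev.dport)
    return list(per_source.values())


if __name__ == "__main__":
    # Before tuning: both hosts raise an alert.
    for a in honeypot_access_alerts(SAMPLE_LOG):
        print(a["title"], a["source"], a["first_seen"].isoformat(), a["ports"])
    # After choosing "Ignore honeypot connection attempts from this asset"
    # for the scanner: only the nmap host remains.
    for a in honeypot_access_alerts(SAMPLE_LOG, ignored_assets={"10.0.9.40"}):
        print("after tuning:", a["source"], a["ports"])
```

The ignore list accepts CIDR entries as well as single addresses, so a whole scanner subnet can be suppressed in one entry; everything else that reaches the decoy still surfaces, which is the property that makes the honeypot useful as an early-warning sensor.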
Not yet an InsightIDR user? If you’re still reeling from a previously failed SIEM deployment, InsightIDR has abstracted out all of the pain points of traditional SIEM tools (like buying and managing hardware, poor UX, and writing and tuning detection rules). Even more, it’s a cinch to deploy, as InsightIDR does all the heavy lifting and all that’s required from you is a few clicks to be up and running. Sign up for a free trial to get started with InsightIDR.
For more on how deception technology works in InsightIDR, check out our blog post on honey users.