
Detection, analysis and display of attacks using Honeypots

Posted on 03/31/2015, by Francisco J. Rodríguez (INCIBE)

Thanks to the use of honeypots and the analysis of the data they generate we can scope the magnitude of the problem we face, obtaining valuable data regarding:

  • Attack tendencies.
  • Exploited vulnerabilities.
  • Services that attackers attempt to compromise.
  • Most active countries in cyberattacks.
  • Malware samples unidentified by antivirus engines.
  • Techniques used by attackers.
  • Malware distributors.
  • Systems belonging to Botnets.
  • Command and Control Centers (C&C).

There are currently many free tools that can help deploy honeypots for this type of investigation; with the right knowledge, it is even possible to develop custom software. Some of these tools are run from the command line, and the logs they generate have to be analysed and interpreted to understand what is happening. Others provide a graphical environment in which the collected data can be viewed.

In order to take a further step in the investigation, the following can be used:

  • Different types of honeypots that cover different types of exposed services (high, medium and low interaction with the attacker).
  • High interaction honeypots (real systems) that help us to investigate the attacks in greater depth and also perform a forensic analysis of the attacked system.
  • Intrusion Detection Systems (IDS), in order to determine what attack is being performed, as long as there is an IDS signature that identifies it.
  • Web application firewalls (WAF) in web servers to determine and identify attacks against web services.
  • Reputation lists (public and private) to verify the attacking IPs against lists that are acknowledged by other entities.
  • Antivirus engines to analyze the obtained samples.
  • Static and dynamic analyses of samples deposited in the honeypots.
  • Correlation of events.

A global viewer has been developed to show, in a simple and centralized fashion, the state of the information provided by the honeypots and all the deployed components, making it possible to determine what is occurring in the exposed systems. By correlating all the events produced, this viewer displays real-time information about the attacks that are occurring and generates notifications when they are needed. It also makes it possible to view malicious actions that do not set off any of the established alarms but are considered interesting and require subsequent study.

Thanks to this system, several types of attacks have been detected and the interested parties notified. Among them, the following stand out:

  • Denial-of-service attacks using fake IPs (spoofing) belonging to an American supplier against different web services.

- Denial of service attack detection -

  • Use of the services of an important foreign ASN to perform SSH attacks that compromise vulnerable servers and use them as proxies to profit from Pay-Per-Click advertising.

- Compromised servers through SSH acting as proxies in pay-per-click campaign -

Using HONEYSTATION, real time information of the following is obtained:

  • Attack origin
  • Name of the ASN
  • IP address of the attacker
  • Attacked port
  • Number of attack attempts
  • Verification of public and private reputation lists
  • Verification of reputation lists generated by the honeypots
  • Verification against intrusion detection systems (IDS)
  • Verification of WAFs
  • Attack tendencies

It monitors not only classic ports such as 21, 22, 23, 445, 3389 or 5900, but also the whole range of TCP/UDP ports, with the aim of identifying ports and services that are attractive to attackers and studying the activity performed on each port.

Event correlation brings out the value of both the data acquired by the honeypots and the data we already hold in our systems, enabling the departments responsible for managing them to create notifications.

HONEYSTATION allows 3 types of views:

  • Honeypot State View: shows the current state of the Honeypot in a hierarchical form (Country - ASN - IP - Port - Honeypot). The system enables creating filters for any field and displaying only the information we are interested in. It enables viewing rankings for countries, ports and attacking ASNs, as well as potential attackers and, if there is sufficient information, the type of attack executed or the classification of the attacking IP address when it is checked with the available data.


- Customized views to show specific information -

  • Geolocation view per country and attack level: shows the origin of attacks on the Honeypot, informing about the number of registered attacks and the intensity of the attack from a specific country. It also gives a simple view of the State of the Honeypot.

- Global Geolocation of attackers -


  • Precise Geolocation view: enables determining the geolocation of the attacker in a more precise manner, normally identifying the region, province or city.



- Geolocation detailed view -

Following is a video demonstrating how HONEYSTATION works:

HONEYSTATION is a proof of concept developed by F.J. Rodriguez for INCIBE, with collaborations from Emilio Grande and Ángel González Berdasco.