Honeypots stick it to insider threats

Jul 20, 2010
Data and Information Security | Intrusion Detection Software

Beyond stopping outside hackers and tracking malware, honeypots can weed out unauthorized insiders and partners

One of the more popular benefits of setting up honeypots on your organization’s network is to learn about malware and hacker behavior, but I often recommend that companies install a low-interaction honeypot on internal networks to simply report anything that touches it. See, honeypots are fake assets. Nobody should access them. Thus, they often can be used for finding trusted insiders or partners doing things they were not authorized to do.

Case in point: Recently I installed a KFSensor honeypot to try to rule out an external compromise against a longtime client. While fine-tuning the software to remove false positives, I saw tons of malicious activity, including port scanning, RDP connection attempts (to the honeypot computer), NetBIOS logons, and website identification attempts. The company owner happened to be right there as I investigated the source IP address and name.


The culprit turned out to be the trusted external computer-consulting company that my client had hired to install a new firewall on another floor. While hooked to the client’s network to install the firewall, the technician — coincidentally, I’ve known and trusted him for 20 years (he helped me get my first job) — was exploring the client’s network without authorization.

When confronted, he kept changing his story. First, he said he was trying to find an available free IP address to put the new firewall on. Then he claimed he was finding advertising services to make sure he opened all the necessary ports on the firewall. I wasn’t buying either.

Next story: He already had every elevated password in the company, so why would he need to port scan and enumerate the network — my question exactly. Then he mentioned he’d done similar things in other companies, including banks and financial companies, without complaint. Most likely, he hadn’t gotten complaints because he’d never been caught.

Catching this trusted, long-term acquaintance perpetrating unauthorized acts rocked me. I had recommended him to my client many years ago, and his dubious actions certainly reflected poorly on my judgment. Unfortunately for my friend, his activities and lack of communication about them led to his losing the account. Further, I won’t recommend him to future clients. Whether or not his deeds had malicious intent, we had to assume they did, and this is unfortunate all the way around.

None of this would have come about without a honeypot in place. Had his activities been recorded on a bunch of workstation firewall logs, more than likely they would have been lost in the messaging noise that accompanies most firewall logs. But honeypots, by their very nature, record every event (after the initial fine-tuning) that is suspect and potentially malicious.
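To make the "anything that touches a fake asset is an alert" idea concrete, here is an added example of a minimal low-interaction honeypot (my own illustration, not code from the article or from KFSensor). It listens on ports no real asset on the segment should use, never answers, and records every connection as an alert; the port-to-service map and the `simulate_touch` self-test hook are constructed for this example.

```python
"""Minimal low-interaction honeypot: listen on ports no real asset uses,
never answer, and record every connection as an alert."""
import json
import selectors
import socket
import time

# Constructed port-to-service map for the fake services the honeypot imitates.
SERVICE_NAMES = {3389: "rdp", 139: "netbios-ssn", 445: "smb", 80: "http"}


def handle_connection(conn, peer, dst_port, timeout=2.0):
    """Read whatever the client sends first (if anything), then close.
    Returns the alert record; on a fake asset, any connection is suspect."""
    conn.settimeout(timeout)
    try:
        banner = conn.recv(256)
    except (socket.timeout, OSError):
        banner = b""          # silent probe (e.g. a bare port scan)
    finally:
        conn.close()
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": dst_port,
        "service": SERVICE_NAMES.get(dst_port, "unknown"),
        "first_bytes": banner[:32].hex(),
        "verdict": "unauthorized access to fake asset",
    }


def serve(ports, bind_ip="0.0.0.0", sink=print):
    """Accept on every port in `ports` and hand each alert to `sink` as JSON."""
    sel = selectors.DefaultSelector()
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(16)
        sel.register(srv, selectors.EVENT_READ, data=port)
    while True:
        for key, _ in sel.select():
            conn, peer = key.fileobj.accept()
            sink(json.dumps(handle_connection(conn, peer, key.data)))


def simulate_touch(payload, peer=("10.0.0.5", 51234), dst_port=3389):
    """Self-test hook: push `payload` through a socketpair as a fake client
    (constructed peer address, since socketpair has no real IP)."""
    client, server = socket.socketpair()
    client.sendall(payload)
    client.close()
    return handle_connection(server, peer, dst_port)


if __name__ == "__main__":
    serve([80, 139, 445, 3389])   # needs privileges for ports below 1024
```

Point the JSON sink at your SIEM or syslog instead of `print` and the alert volume stays tiny, because nothing legitimate ever connects.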

If you don’t have honeypots installed at your organization, you should, and there are some good options out there. My favorite honeypot software is KFSensor from KeyFocus. It’s a commercial product that only works on Windows computers, but the maintainer is constantly updating and improving the product, whereas most honeypot products languish severely after the excitement of their new release dies down. KFSensor isn’t perfect, but it’s feature-rich and fairly easy to set up. It has hundreds of options and customizations, and it allows logging and alerting to a variety of databases and logs.

Honeyd is a flexible, free, open source, feature-rich honeypot software program, but it requires solid Linux and network skills to deploy and operate. Windows versions are available, but they aren’t kept as up-to-date as the non-Windows versions (which aren’t very current either); from my experience, they end up being more trouble than they’re worth. Still, if you have no money and a few days to explore and troubleshoot, Honeyd is probably a good place to start.

Me, I’ve given up on Honeyd and usually spend the money it takes to get KFSensor. Or I go with an old, about-to-be-decommissioned computer or device to make a physical honeypot.

The Honeynet Project is the single best place for honeypot information and forensics. Its Honeywall CD-ROM image is a great, free, all-in-one honeynet package for users not scared of a little Linux configuration. It is menu driven, full of functionality, and easier to get up and running than a brand-new Honeyd install.

This story, “Honeypots stick it to insider threats,” was originally published at Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.