Honeypots can be a great tool to use within your environment to gain visibility into active threats or curious insiders that could introduce risk to an environment.
By placing honeypots at various locations around your environment, e.g., your workstation and server subnets, you can quickly determine if a threat is poking at hosts to find new avenues for access.
The current version of the Blumira honeypot deploys a fake DiskStation NAS into a container on your Sensor via the Module selection screen.
It should also be noted that you should select the logger module as well – latest version being 1.1.0 at the time of writing this – to ensure that honeypot actions are logged appropriately to your host. At the end of your honeypot setup, you should have two modules, the honeypot module and the logger module. Your sensor page should look similar to the following:
At this point, your honeypot has been successfully set up and the host should be listening on the identified honeypot ports above, 8080, 21, and 8022 at times, although the first two are the main focus. These ports were chosen as they do not conflict with host access, port 22 or syslog collection, port 514. The honeypot module can technically be used for log collection as well, however, this will likely change somewhat in the future as a more behavior-focused honeypot version is rolled out.
While the initial version of the Blumira Honeypot is limited, it presents enough functionality to catch most attackers who are not rather advanced and especially insiders who are poking around.
Below is the fake port 8080 DiskStation login page that is deployed with the current Blumira Honeypot. This is of course, a fake site that is impossible to actually authenticate into or take data from.
When a user attempts to authenticate and fails, they are presented with the normal DiskStation alert that the authentication failed. At the same time, a log entry is created and passed through the logging module and up to the Blumira platform for validation of threat.
In an effort to catch users who are scanning and attempting to authenticate to weak protocols, the Blumira Honeypot exposes FTP to the network, which appears as ProFTPD to the network.
When an authentication attempt occurs, or a scan occurs, the honeypot will capture the event and pass the event log to the logging module and then to the Blumira platform for threat validation.
Once you have the Honeypot module successfully installed, you may want to consider testing it out to verify that it is functioning. The easiest way to do this is to browse to the sensor IP via HTTP (Example: http://192.168.1.82). You should be presented with the DiskStation login page as shown in the screenshot above.
From there, you can test logging into the login page which should trigger a Blumira finding automatically. This is a fake login so a valid set of credentials does not exist for this “DiskStation”.
Additionally, you can attempt an FTP connection to the honeypot using the sensor IP over port 21 or 8022. A login attempt will also trigger a Blumira finding.
Looking into the future for the Blumira Honeypot, we will be focusing largely on behavior, customization of honeytokens, and deployment of actual files to determine when they’re opened by an attacker and where.
Blumira is excited to get more feedback, if you have any other ideas, reach out and tell us what you’d like!