honeypot, detection, deception

Deploying a Honeypot in Under 5 Minutes

Detecting the bad guys through deception

Recently, I've been digging into honeypots after finishing Chris Sanders' new book Intrusion Detection Honeypots: Detection through Deception (a book which I HIGHLY recommend, btw), and I thought I'd post a quick how-to guide on deploying one of my favorite open source honeypots, from Thinkst, the makers of Thinkst Canary. I am a huge fan of these as they are free, provide high-fidelity detection of malicious activity, and are dead simple to deploy.

What are Honeypots?

I find Wikipedia sums it up fairly well:

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site that seems to contain information or a resource of value to attackers, but actually, is isolated and monitored and enables blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.

In plain English: it's something meant to trick attackers into interacting with it. Once they interact with it, an alert is generated.

With this in mind, we'll want to try and deploy our Honeypots in a way that will be attractive to attackers.

Step 0: Planning

As with all things security, you should have a use case or reason for what it is that you're doing. My specific use case was to identify whether an unauthorized user was attempting to view or access sensitive data contained in a folder on a Windows server.

One way to do this for free, and in only a few minutes, is with a honeypot. Canarytokens offers a free, easy-to-deploy fake Windows folder that triggers an email alert when someone opens it.

Step 1: Creating the Token

Navigate to https://canarytokens.org/generate and fill out the form as seen below. Be sure to put a helpful note so that you can remember where the token was deployed, especially if deploying multiple tokens.

Canary Token

Step 2: Download and Unzip the .zip File

Next, press Download your Zip file and extract it. This will drop a folder named My Documents, which contains a single file, desktop.ini.

Token Generation

This .ini file is what triggers the alert in question. How does this work? From the documentation:

Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our iconfile.

If you're concerned about what data is sent to Thinkst Canary (canarytokens.org), here are the contents of the .ini file:

[.ShellClassInfo]
IconResource=\\%USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.randomly-generated-token-id.canarytokens.com\resource.dll

In English this means:

  • The username of the user whose Explorer rendered the folder containing the desktop.ini file (%USERNAME%)
  • The hostname of the system that rendered it (%COMPUTERNAME%)
  • The Windows domain of that user (%USERDOMAIN%); on a machine that is not domain-joined this is just the computer name
  • The source IP of the recursive DNS resolver that forwarded the query, and typically NOT the IP of the workstation that opened the folder. Because this token fires through a DNS lookup, Canarytokens only ever sees the address of whichever resolver ultimately queried the canarytokens.com nameservers. Keep this in mind when reading the source IP in the alert: your own internal DNS logs, not the alert, are what tell you which endpoint made the lookup. Note also that since the username, hostname and domain travel as DNS labels, every resolver on the path sees them, not only Thinkst.
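To make the mechanism above concrete, here is an added PowerShell example (my own code, not from the original post or from Thinkst). It expands the IconResource line the way Explorer does, so you can see exactly what your own session would send, and then does the inverse: parses token lookups back out of DNS query logs so you can recover the user, host and endpoint IP that the email alert cannot give you. The log line format (timestamp, client IP, query name) and the three sample lines are constructed for illustration; the token hostname is the placeholder from the desktop.ini shown above.

```powershell
# Added example (not from the original post): expand a Canarytoken desktop.ini
# IconResource the way Explorer would, and parse the resulting DNS names back
# out of DNS query logs. All sample data below is constructed.

function Get-TokenQueryName {
    # Expand %USERNAME%, %COMPUTERNAME% and %USERDOMAIN% from the current session,
    # then strip the UNC prefix and trailing \resource.dll to leave the hostname
    # that Explorer would hand to the resolver.
    param([Parameter(Mandatory)][string]$IconResource)
    $expanded = [Environment]::ExpandEnvironmentVariables($IconResource)
    return ($expanded.TrimStart('\') -split '\\')[0]
}

function ConvertFrom-TokenQueryName {
    # Inverse: turn "alice.WS01.CORP.INI.<token>.canarytokens.com" into fields.
    param([Parameter(Mandatory)][string]$QueryName)
    $labels = $QueryName.TrimEnd('.') -split '\.'
    # Anchor on the literal INI marker rather than on fixed positions: DNS logs
    # often lowercase names, and a username may itself contain a dot.
    $marker = -1
    for ($i = 0; $i -lt $labels.Count; $i++) {
        if ($labels[$i] -ieq 'INI') { $marker = $i; break }
    }
    if ($marker -lt 3) { return $null }   # need at least user.host.domain
    $identity = $labels[0..($marker - 1)]
    [pscustomobject]@{
        UserName     = ($identity[0..($identity.Count - 3)] -join '.')
        ComputerName = $identity[-2]
        UserDomain   = $identity[-1]
        TokenId      = $labels[$marker + 1]
        QueryName    = $QueryName
    }
}

function Find-TokenHits {
    # Scan DNS query log lines for Canarytoken lookups and report who triggered
    # them. The "<timestamp> <client-ip> <query-name>" layout is a constructed
    # example; adapt the regex to your DNS server's or Sysmon Event 22's format.
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match '(?<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?<qname>\S+\.canarytokens\.com)\.?') {
            $fields = ConvertFrom-TokenQueryName -QueryName $Matches.qname
            if ($fields) {
                $fields | Add-Member -NotePropertyName ClientIP -NotePropertyValue $Matches.client -PassThru
            }
        }
    }
}

# 1) What would this session leak? (placeholder token id, as in the post)
$iconResource = '\\%USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.randomly-generated-token-id.canarytokens.com\resource.dll'
Get-TokenQueryName -IconResource $iconResource

# 2) Constructed sample log: two token lookups (one user with a dotted name) and one unrelated query.
$sample = @(
    '2024-05-01T09:14:02Z 10.20.30.41 alice.WS01.CORP.INI.randomly-generated-token-id.canarytokens.com',
    '2024-05-01T09:14:05Z 10.20.30.41 www.example.com',
    '2024-05-01T11:02:47Z 10.20.30.77 svc.backup.FS02.CORP.INI.randomly-generated-token-id.canarytokens.com'
)
Find-TokenHits -LogLines $sample | Format-Table UserName, ComputerName, UserDomain, ClientIP, TokenId
```

Running the second half against real resolver or Sysmon DNS logs is also a cheap secondary detection: a query for anything under canarytokens.com from inside your network is worth an alert on its own, independent of the email from Thinkst, and it carries the client IP the email lacks.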

Step 3: Deploy the Honeypot!

Place the desktop.ini file in any folder you wish to be alerted on, and that's it! Two things to check if you copy the file somewhere other than the extracted My Documents folder: Explorer only honours desktop.ini when the containing folder carries the System or Read-only attribute (attrib +s on the folder), and it requests the icon whenever it draws that folder, which happens as soon as someone browses the parent directory, so the alert can fire before the folder itself is opened. Also remember that legitimate users trigger it just as reliably as attackers, so pick a location real users have no reason to browse. Any time someone views the folder containing the desktop.ini file, you'll receive an email alert to kick off your investigation, as seen below:

Token Alert

And if you click through to More info on this token, it'll take you to a dashboard showing the history of activity for that token:

Token Dashboard
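Steps 2 and 3 as a script, for deploying the token to more than one folder or re-checking it later. This is an added example of my own, not the post's or Thinkst's tooling: the folder path is hypothetical, the token hostname is the placeholder from the desktop.ini shown earlier and must be replaced with the host part of the IconResource line in your downloaded zip, and the function names are mine. It writes the same two-line desktop.ini, sets the folder and file attributes Explorer needs, and includes a check that verifies a deployed folder still works after a copy or sync that may have stripped those attributes.

```powershell
# Added example (not from the original post): deploy a Canarytoken desktop.ini into a
# folder with the attributes Explorer requires, and verify it afterwards.

function Install-FolderToken {
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        # Placeholder: use the host part of the IconResource line from your downloaded desktop.ini
        [string]$TokenHost = 'randomly-generated-token-id.canarytokens.com'
    )
    if (-not (Test-Path -LiteralPath $FolderPath)) {
        New-Item -ItemType Directory -Path $FolderPath | Out-Null
    }
    $iniPath = Join-Path $FolderPath 'desktop.ini'

    # Same two lines as the downloaded token file; Explorer expands the %VARS% itself
    # when it resolves the icon, so they must be written literally (single-quoted / no backtick).
    $content = @(
        '[.ShellClassInfo]',
        "IconResource=\\%USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.$TokenHost\resource.dll"
    )
    # -Force lets Set-Content overwrite a previous Hidden/System desktop.ini.
    Set-Content -LiteralPath $iniPath -Value $content -Encoding Ascii -Force

    # Explorer ignores desktop.ini unless the folder is flagged System (Read-only also works).
    $folder = Get-Item -LiteralPath $FolderPath -Force
    $folder.Attributes = $folder.Attributes -bor [IO.FileAttributes]::System

    # Hide the ini itself so it does not stand out in a directory listing.
    $ini = Get-Item -LiteralPath $iniPath -Force
    $ini.Attributes = $ini.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
}

function Test-FolderToken {
    # Returns $true only if the ini exists, still points at canarytokens.com, and the
    # folder still has an attribute Explorer will honour. Useful after backups, robocopy
    # or sync tools that may recreate the folder without its attributes.
    param([Parameter(Mandatory)][string]$FolderPath)
    $iniPath = Join-Path $FolderPath 'desktop.ini'
    if (-not (Test-Path -LiteralPath $iniPath)) { return $false }

    $attrs    = (Get-Item -LiteralPath $FolderPath -Force).Attributes
    $folderOk = $attrs.HasFlag([IO.FileAttributes]::System) -or $attrs.HasFlag([IO.FileAttributes]::ReadOnly)

    $iniOk = [bool]((Get-Content -LiteralPath $iniPath -Force) -match 'IconResource=\\\\.*\.canarytokens\.com\\')
    return [bool]($folderOk -and $iniOk)
}

# Hypothetical share path for illustration.
Install-FolderToken -FolderPath 'D:\Shares\Finance\Payroll 2024'
Test-FolderToken   -FolderPath 'D:\Shares\Finance\Payroll 2024'   # expect True
```

When testing the deployment yourself, bear in mind that Explorer caches folder icons and your recursive resolver caches the DNS answer, so a second open from the same user on the same machine may not produce a second alert right away; test from a different account or host, or check your DNS logs, rather than assuming the token is broken.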

Conclusion

Honeypots are great and are definitely something organizations should work to incorporate into their environment as an easy, high-fidelity way to detect even the most advanced attackers.


Find a technical error in a blog post?

Contact me on twitter @signalblur


About David Burkett

David is currently the Lead Cloud Threat Detection Engineer at a Fortune 50 org. Formerly SOC Manager for a Managed Security Services Provider and Threat Intelligence Manager at a separate MDR provider.