How to catch threats, globally?
In part 1 we saw how a honeypot, combined with CTI, can improve your cybersecurity. Now we will see how, in practical terms, such an infrastructure can be set up at a global level.
But why at a global level? Because cyber-threats differ by continent, country and territory. For example, attacks against servers in Hong Kong and servers in Canada will not have the same sources, objectives and means.
The problem we face as a SOC with customers all over the world is the heterogeneity of cyber-threats. Yet we must provide the same level of security to all our customers, wherever they are.
One solution is to deploy honeypots all around the globe. In theory it is simple; in practice it is more complicated.
Indeed, all honeypots must be manageable from a central point. That also implies the ability to deploy and/or move honeypots at any time and to any place. And that is before even mentioning data collection and correlation.
All of this must rest on a highly secure and hermetic infrastructure, one that is able to separate management traffic from attack traffic.
To address this last point, we designed a dual network separated by a firewall. The management network (and its services) is reachable only from registered IP addresses and requires authentication, with different credentials for each honeypot.
The other network is completely open, since it has to receive the attacks.
Also, to prevent a compromised honeypot from being used as a pivot, data collection is done only from manager to worker: a honeypot never sends data to our manager node; it is the manager that pulls it. So even if an attacker gains access to the management side of a honeypot, their actions are limited to that single honeypot; they cannot reach the manager or the other sensors.
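As an added illustration of the honeypot-side half of that design (this is example code written for this article, not the authors' actual configuration), the shell function below emits an nftables ruleset for a sensor with two interfaces: the attack interface accepts everything, the management interface accepts only the registered manager addresses on the management ports, and the sensor itself is never allowed to open new connections towards the manager, which is what the pull model requires. The interface names eth0/eth1, the manager address 203.0.113.10 and the ports are assumptions; 64295 (SSH) and 64297 (web UI) are the management ports T-Pot uses by default, so check them against your own fork. The example also drops new outbound connections on the attack side, which is stricter than the text describes but keeps a compromised sensor from being used to attack third parties.

```sh
#!/bin/sh
# Added example: generate an nftables ruleset for one honeypot host.
# ATTACK_IF is the fully exposed network; MGMT_IF only accepts connections
# from registered manager addresses on the management ports.
# Interface names, addresses and ports below are assumptions for illustration.

gen_ruleset() {
    attack_if=$1      # e.g. eth0, the "totally open" network (assumed name)
    mgmt_if=$2        # e.g. eth1, the management network (assumed name)
    manager_ips=$3    # comma-separated registered manager addresses (IPv4)
    mgmt_ports=$4     # comma-separated ports (T-Pot defaults: 64295 ssh, 64297 web)

    cat <<EOF
flush ruleset
table inet honeypot {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # attack side: accept everything, the honeypot services are the bait
        iifname "$attack_if" accept
        # management side: only registered managers, only management ports,
        # i.e. the manager connects in to pull data, never the reverse
        iifname "$mgmt_if" ip saddr { $manager_ips } tcp dport { $mgmt_ports } accept
        # anything else on the management side is logged, then dropped by policy
        iifname "$mgmt_if" log prefix "mgmt-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # pull model: the sensor never initiates connections to the manager.
        # It only needs DNS/NTP and package updates (restrict further in production).
        oifname "$mgmt_if" udp dport { 53, 123 } accept
        oifname "$mgmt_if" tcp dport { 80, 443 } accept
        # new outbound connections on the attack side are dropped so a
        # compromised sensor cannot be turned against third parties
        oifname "$attack_if" log prefix "attack-out-drop: " drop
    }
}
EOF
}

# Sanity check: count the rules that accept traffic on the management
# interface. Exactly one is expected; more means the exposure was widened.
mgmt_accept_count() {
    gen_ruleset "$@" | grep -c "iifname \"$2\".*accept"
}

# Load the generated ruleset into the kernel (run as root on the sensor).
apply_ruleset() {
    gen_ruleset "$@" | nft -f -
}
```

Apply with `apply_ruleset eth0 eth1 "203.0.113.10" "64295, 64297"` as root; `mgmt_accept_count` is a cheap check to run at deploy time, since a ruleset with more than one management accept rule means the management exposure has been widened. Matching on IPv4 source only (`ip saddr`) is deliberate; add an `ip6 saddr` rule if the management network is dual-stack.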
Now for the life-cycle of the honeypots: how do we reset, start, stop and deploy them? With cloud providers. In 2019, public cloud is everywhere, so why not use it?
To do so, we built a cloud-agnostic instance manager. It can create a new instance on any cloud provider (through the provider's API) from our custom honeypot image, a fork of T-Pot.
This allows us to deploy a new honeypot wherever and whenever we want in less than 10 minutes, from a world-map-based management interface.
But where should they be deployed? As a test, we deployed only 3 honeypots, one each in America, Asia and Europe, for one month.
First results showed more than 500,000 attacks per honeypot per day. By aggregating the data from the 3 honeypots, we were able to extract country-based behaviours and thus categorise indicators by location.
Although about 90% of the traffic was mass scanning, the remaining part was the most interesting, as it targeted new vulnerabilities (e.g. BlueKeep, CVE-2019-0708). This allowed us to analyse the techniques and means used in more depth.
This information is already incorporated into our new analysis engines, and allows us to improve the cybersecurity of our customers, and of the community through our public feeds.
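The correlation step is easier to see on data than in prose. The shell functions below (an added example, not the authors' analysis engine) run over a constructed sample of events in the shape a manager would pull from the sensors: region, source IP, source country, destination port, sensor name. They count events per region, break one region's traffic down by source country, and separate mass scanners (sources that touch many distinct ports) from the targeted minority (few ports, repeated hits), which is the part worth deeper analysis. The field layout, the distinct-port threshold and the addresses (taken from documentation ranges) are assumptions.

```sh
#!/bin/sh
# Added example: correlate events pulled from several honeypots.
# Event format (space-separated, one event per line, constructed sample data):
#   region  src_ip  src_country  dst_port  sensor

sample_events() {
    cat <<'EOF'
europe 203.0.113.42 RU 22 cowrie
europe 203.0.113.42 RU 23 cowrie
europe 203.0.113.42 RU 445 dionaea
asia 203.0.113.42 RU 22 cowrie
asia 203.0.113.42 RU 3306 dionaea
america 203.0.113.42 RU 8080 tanner
europe 198.51.100.7 CN 3389 rdpy
europe 198.51.100.7 CN 3389 rdpy
europe 198.51.100.7 CN 3389 rdpy
asia 192.0.2.9 US 445 dionaea
america 192.0.2.9 US 445 dionaea
america 192.0.2.9 US 139 dionaea
EOF
}

# Events per honeypot region, most attacked region first.
attacks_per_region() {
    sample_events | awk '{ n[$1]++ } END { for (r in n) print r, n[r] }' \
        | sort -k2,2nr -k1,1
}

# Source countries seen by the honeypot in one region: the "country-based
# behaviour" view, which differs from region to region.
countries_for_region() {
    sample_events | awk -v region="$1" '
        $1 == region { n[$3]++ }
        END { for (c in n) print c, n[c] }' | sort -k2,2nr -k1,1
}

# Classify each source across all regions: a source touching at least $1
# distinct ports is a mass scanner; the rest hit few ports repeatedly and
# are the candidates for deeper analysis. Output: ip class ports events
classify_sources() {
    sample_events | awk -v threshold="$1" '
        {
            events[$2]++
            if (!(($2, $4) in seen)) { seen[$2, $4] = 1; ports[$2]++ }
        }
        END {
            for (ip in events) {
                cls = (ports[ip] >= threshold) ? "scan" : "targeted"
                print ip, cls, ports[ip], events[ip]
            }
        }' | sort -k1,1
}

# Percentage of all events attributed to mass scanners (integer).
scan_event_share() {
    classify_sources "$1" | awk '
        { total += $4; if ($2 == "scan") scan += $4 }
        END { printf "%d\n", 100 * scan / total }'
}

if [ "${1:-}" = "demo" ]; then
    echo "== events per region"; attacks_per_region
    echo "== source countries seen in europe"; countries_for_region europe
    echo "== source classification (scan if >= 4 distinct ports)"; classify_sources 4
    echo "== share of events from scanners: $(scan_event_share 4)%"
fi
```

Run `sh correlate.sh demo` (assuming the file is saved under that name) to print all four views. On real sensors the events come from the pulled logs or the Elasticsearch index rather than a heredoc, but the same per-source port-count heuristic applies; tune the threshold to your sensors, since a honeypot that exposes many services will legitimately see many-port sessions from a single interactive attacker as well.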