Honeypots

Learn how honeypots can improve your security and help you catch hackers.


What is a honeypot?

Honeypots are decoy systems or servers deployed alongside production systems within your network. When deployed as enticing targets for attackers, honeypots add security monitoring opportunities for blue teams and misdirect the adversary from their true target. Honeypots come in a variety of complexities depending on the needs of your organization and can be a significant line of defense when it comes to flagging attacks early. This page goes into more detail on what honeypots are, how to use them, and the benefits of implementing them.

Honeypot basics


There are many applications and use cases for honeypots: they divert malicious traffic away from important systems, give an early warning of an attack in progress before critical systems are hit, and gather information about attackers and their methods. If the honeypots contain no real confidential data and are well monitored, you can gain insight into attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence without putting the rest of your network at risk.

For a honeypot to work, the system should appear to be legitimate. It should run the processes a production system is expected to run and contain seemingly important dummy files. The honeypot can be any system that has been set up with proper sniffing and logging capabilities. It’s also a good idea to place a honeypot behind your corporate firewall—not only does it provide important logging and alerting capabilities, but you can block outgoing traffic so that a compromised honeypot cannot be used to pivot toward other internal assets.

Research vs Production Honeypots

In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild. Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventative defenses, patch prioritization, and future investments.

Production honeypots, on the other hand, are focused on identifying active compromise on your internal network and tricking the attacker. Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment. Research honeypots tend to be more complex and store more types of data than production honeypots.

Honeypot complexity

Within production and research honeypots, there are also differing tiers depending on the level of complexity your organization needs:

  • Pure honeypots: This is a full-scale, completely production-mimicking system that runs on various servers. It contains “confidential” data and user information, and is full of sensors. Though these can be complex and difficult to maintain, the information they provide is invaluable.
  • High-interaction honeypots: This is similar to a pure honeypot in that it runs a lot of services, but it is not as complex and does not hold as much data. High-interaction honeypots are not meant to mimic a full-scale production system, but they do run (or appear to run) all the services that a production system would run, including a proper operating system. This type of honeypot allows the deploying organization to see attacker behaviors and techniques. High-interaction honeypots are resource-intensive and come with maintenance challenges, but the findings can be worth the squeeze.
  • Mid-interaction honeypots: These emulate aspects of the application layer but do not have their own operating system. They work to stall or confuse attackers so that organizations have more time to figure out how to properly react to an attack.
  • Low-interaction honeypots: This type of honeypot is the most commonly deployed in a production environment. Low-interaction honeypots run a handful of services and serve as an early-warning detection mechanism more than anything. They are easy to deploy and maintain, and many security teams deploy multiple honeypots across different segments of their network.
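A minimal low-interaction decoy of the kind described in the honeypot basics and in the complexity tiers above, written as an added example (not code from this page or from any Rapid7 product): it presents a fake service banner, records the source address and the first bytes of whatever the peer sends, and treats every connection as a high-severity alert because no legitimate host has a reason to talk to it. The banner string, the `EVENTS` in-memory log and the `touch_decoy` helper (which stands in for a scanner so the example can be exercised on localhost) are all constructed for this example.

```python
import socket
import socketserver
import threading
import time

# Service banner the decoy presents; constructed for this example, not a real host's.
BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"
EVENTS = []  # in-memory alert log; a real deployment would forward these to a SIEM


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        # Nothing legitimate should ever talk to a decoy, so every connection is an alert.
        EVENTS.append({
            "ts": time.time(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "first_bytes": data[:64].decode("ascii", "replace"),
            "severity": "high",
        })


def start_honeypot(host="127.0.0.1", port=0):
    """Run the decoy listener in a background thread; port 0 picks a free port."""
    server = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def touch_decoy(host, port, payload=b"SSH-2.0-scanner_probe\r\n"):
    """Stand in for a scanner touching the decoy, so the example runs offline."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(64)
        s.sendall(payload)
    return banner


def wait_for_events(n, timeout=3.0):
    """Block until n alerts are recorded (the handler runs on another thread)."""
    deadline = time.time() + timeout
    while len(EVENTS) < n and time.time() < deadline:
        time.sleep(0.05)
    return len(EVENTS) >= n
```

Bind the listener on the segment you want to watch and forward `EVENTS` to your alerting pipeline; as the text notes, block the decoy's outbound traffic at the firewall so a compromised honeypot cannot reach other internal assets.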

Types of honeypots

Several honeypot technologies in use include the following:

  • Malware honeypots: These use known replication and attack vectors to detect malware. For example, honeypots such as Ghost have been crafted to emulate a USB storage device. If a machine is infected by malware that spreads via USB, the honeypot will trick the malware into infecting the emulated device.
  • Spam honeypots: These are used to emulate open mail relays and open proxies. Spammers will test the open mail relay by sending themselves an email first. If they succeed, they then send out large quantities of spam. This type of honeypot can detect and recognize this test and successfully block the massive volume of spam that follows.
  • Database honeypots: Activity such as SQL injection can often go undetected by firewalls, so some organizations will use a database firewall, which can provide honeypot support to create decoy databases.
  • Client honeypots: Most honeypots are servers listening for connections. Client honeypots actively seek out malicious servers that attack clients, monitoring for suspicious and unexpected modifications to the honeypot. These systems generally run on virtualization technology and have a containment strategy to minimize risk to the research team.
  • Honeynets: Rather than being a single system, a honeynet is a network that can consist of multiple honeypots. Honeynets aim to strategically track the methods and motives of an attacker while containing all inbound and outbound traffic.

Benefits of honeypots

Honeypots offer plenty of security benefits to organizations that choose to implement them, including the following:

They break the attacker kill chain and slow attackers down

As attackers move through your environment, they conduct reconnaissance, scan your network, and look for misconfigured and vulnerable devices. During this stage, they are likely to trip your honeypot, alerting you to investigate and contain the attacker's access. This allows you to respond before an attacker has the chance to successfully exfiltrate data from your environment. Malicious actors can also spend a significant amount of time working on the honeypot instead of going after systems that hold real data. Diverting their attack to a useless system wastes their cycles and gives you early warning of an attack in progress.

They are straightforward and low-maintenance

Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous misconfigurations and attacker behavior. In some cases, your team might even forget that a honeypot was ever deployed until someone starts poking around your internal network. Unlike intrusion detection systems, honeypots do not require known-bad attack signatures and fresh threat intel to be useful.

They help you test your incident response processes

Honeypots are a low-cost way to help you increase your security maturity, as they test whether your team knows what to do when a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate countermeasures?

Honeypots shouldn’t be your entire threat detection strategy, but they are another layer of security that can be helpful in discovering attacks early. They are one of the few methods available to security practitioners to study real-world malicious behavior and catch internal network compromise. Want to learn more about other types of tech that can boost your blue team defenses? Check out our page on deception technology.
