Detecting unknown threats: a honeypot how-to
2021-06-28 20:15:03 Author: securelist.com(查看原文) 阅读量:100 收藏

Security technologies

Security technologies

minute read

Catching threats is tricky business, especially in today’s threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team and head of Kaspersky’s honeypot project, explains what honeypots are, why they are recommended for dealing with external threats, and how you can set up your own simple SSH-honeypot. This post offers a condensed version of his presentation alongside the video, which you can view below.

What are honeypots?

A honeypot is a special piece of software that emulates a vulnerable device. Those devices can be from a wide variety of types, such as smart light bulbs, home security DVRs, fridges, microwaves, etc. Deployed publicly on the Internet, honeypots mimick real devices, and, in essence, function like traps for the attackers targeting such devices. Sometimes honeypots also allow defenders to attract and identify new, previously unknown attacks and exploits.

Who needs to set up honeypots? Why?

To protect an organization and its network, the IT security department usually deploys a variety of protection mechanisms, such as EDR, firewall rules or security policies. However, from our experience, these mechanisms might not be enough. Even before they shifted to remote work, organizations had used many vulnerable devices exposed to the Internet that they did not know about. With the shift to remote work, the number of remote stations has increased, and so has the number of exposed network devices, making corporate networks even more vulnerable. Honeypots help strengthening corporate defense system – being planted in key parts of the network they serve as decoys to register external attacks, and capture the threats that were used. This provides an opportunity to further analyze an attack against an organization and learn how to fend it off.

What is Kaspersky’s honeypot project and how can organizations participate?

Honeypot systems require high visibility: the higher – the better, as that helps to cover a wider attack surface. That’s why it is important to collaborate with ISPs, security service vendors or research groups on the Internet to detect new attacks. Kaspersky is continuously improves and strengthens its partnerships with various research groups and ISPs around the world to enhance detection capabilities. Kaspersky offers Honeypots-as-a-Service: we provide the entire infrastructure, our partners only needing to set up and deploy honeypot nodes in their networks. These are connected together and to our honeypot infrastructure. Kaspersky monitors them, analyzes, and aggregates the data, identifies the attacks, and offers its partners statistics (such as most common usernames and passwords used, attacker IPs, types of attacks, etc.), as well as any other artefacts that might be of interest to them. To join Kaspersky’s honeypot project, email to [email protected].

To learn how to set up an SSH-honeypot to deal with attackers who are seeking to bruteforce your logins and passwords, watch the full video with Dan Demeter, where he answers basic questions about honeypots.

Reports

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.


文章来源: https://securelist.com/detecting-unknown-threats-a-honeypot-how-to/102990/
如有侵权请联系:admin#unsafe.sh