How intrusion detection honeypots work so well

Intrusion detection honeypots are just plain cool. They’re incredibly simple to run and give you extremely accurate alerts about intruders in your systems.

A honeypot can be as simple as a fake server inside your network that alerts if anyone connects to it. There’s no reason to intentionally connect to this bogus server, so any attempts are probably an attacker already inside your network.

Unfortunately, that’s about as far as most people get with them. It’s a shame that so often honeypots get written off as just a novelty-no more than a neat trick to catch pentesters. Most people miss the point behind honeypots.

In fact, honeypots just scrape the surface of a really powerful detection tactic-the “this should never happen” alert.

Mapping out the usage patterns

There are many ways to do threat modelling but here we’re going to think about usage patterns: the different things users can do and how likely they are to do them. Taking the example of an SSH server, you might end up with something like this:

Along the x-axis we’ve put the various interactions someone might have with the server. On the y-axis there’s how often we expect to see that behaviour. It’s a bit of a stretch to draw this as a line graph-there’s no real relation between adjacent points-but it’s a useful mental picture.

But, let’s keep things even simpler and focus on how three specific features get used:

  • Public-key auth. All of our users should be logging in with SSH keys. On the other hand, if an attacker is able to steal an SSH key they’re also likely to use it.
  • Password auth. We don’t expect a real user to try passwords-none of them have password authentication enabled. But, an attacker will probably try some default or phished passwords.
  • Port-forwarding. Both our real users and attackers are likely to use this.

If you’re tasked with detecting malicious use of this SSH server, where do you start?

Your instinct might be to start with alerting on events that could actually cause damage. Logging in with a stolen SSH key, or using port-forwarding to spread laterally both get an attacker closer to their goals. Makes sense you’d want to detect this.

But, trying to build good alerts is going to be tough-these are the things our real users are most likely to do too.

Detecting just the bad SSH logins without flagging lots of real user logins is going to be tough. Here be machine learning dragons!

Why not start with alerting on failed password authentication attempts instead? Failed password attempts are fairly harmless, so it’s natural to ignore them, but there’s a lot going in their favour:

  • You don’t need to care about false positives-real users should always be using an SSH key.
  • An attacker is pretty likely to try using a default or phished password to login.
  • It’s dead simple to alert on. We don’t even have to look at the details of the log event, just its existence is cause for alarm.

The fact that a real user should never cause a failed password login event is exactly why its useful. Anyone that fails a password login is probably an intruder bumbling around not realising that everyone uses SSH keys.

I think this is the first tactic to learn from honeypots:

It’s hard to spot an attacker in a sea of real users. Instead, detect the things that only an attacker would do.

Honeypots manipulate usage patterns

Unfortunately, we’re limited by the usage pattern of our real users, and it doesn’t look like there’s any more natural “this should never happen” opportunities in our SSH server.

This is where we could deploy a honeypot. Rather than opportunistically looking for “this should never happen” situations in actual systems, honeypots just create their own. They let us conjure systems that real users never use but where an attacker is likely to go poking around.

We can alert on almost any activity from an SSH honeypot. Because the honeypot serves no use, we never expect a real user to login, and certainly don’t expect any port-forwarding. Apart from an occasional health-check, any events we see coming out of this server are worth investigating.

But, on it’s own, a system without any user activity isn’t interesting-it’s easy to deploy a useless server that no one ever interacts with. A honeypot’s trick is to be useless while still making an attacker think it’s a useful. The more important it seems, the more likely an attacker wants to go explore it.

By using deception, the honeypot has a completely different malicious usage pattern from its expected usage pattern. This difference gives us maximum opportunity to write “this should never happen” alerts.

This then is the other tactic to learn from honeypots:

Usage patterns are flexible — by employing deception, you can shape them to create opportunities for high quality alerts.

So… just deploy honeypots everywhere then?

Why just deploy a honeypot SSH server when you could apply honeypot tactics to all your real SSH servers too?

Originally published at https://bradleyjkemp.dev on December 8, 2020.

Security engineer by day (and often by night too…) This blog is where I try to share my mental models about security that I find useful.