
Vidara HoneyNet Instance


Introduction

In computer terminology, a honeypot is a computer security mechanism set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, on a network site) that appears to be a legitimate part of the site and contains information or resources of value to attackers. It is isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as “baiting” a suspect.

Wortell has developed its own honeypot network called Vidara HoneyNet. Honeypots in this network collect threat intelligence that is used in our security use cases and detections. Threat intelligence collected by this network is generic and not sector or customer specific. With Vidara HoneyNet Instance, Wortell deploys an instance of our honeypot nodes in the customer network. Doing so allows us to collect customer and sector specific threat intelligence, which is then used in detections and use cases.

Honeypots

The Vidara HoneyNet Instance contains a wide variety of honeypots:

  • Adbhoney: Low interaction honeypot designed for Android Debug Bridge over TCP/IP.
  • Ciscoasa: A low interaction honeypot for the Cisco ASA component, capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
  • Citrixhoneypot: Detects and logs CVE-2019-19781 scan and exploitation attempts.
  • Conpot: A low interaction server side Industrial Control Systems honeypot.
  • Cowrie: A medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
  • Ddospot: DDoSPot is a honeypot “platform” for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks.
  • Dicompot: A fully functional DICOM server with a twist.
  • Dionaea: Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.
  • Elasticpot: Honeypot simulating a vulnerable Elasticsearch server opened to the Internet.
  • Endlessh: An SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time.
  • Glutton: Provides SSH and a TCP proxy. The SSH proxy works as a MITM between attacker and server to log everything in plain text.
  • Heralding: A simple honeypot that collects credentials.
  • Hellpot: HellPot is an endless honeypot that sends bots to hell.
  • Honeypie: A low interaction honeypot with the capability to be more of a medium interaction honeypot.
  • Honeysap: HoneySAP is a low-interaction, research-focused honeypot specific for SAP services.
  • Honeytrap: A network security tool written to observe attacks against TCP or UDP services.
  • Ipphoney: A honeypot for the Internet Printing Protocol (IPP).
  • Mailoney: An SMTP honeypot.
  • Medpot: HL7 / FHIR honeypot.
  • Rdpy: RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side).
  • Redishoneypot: Low interaction honeypot simulating a Redis server.
  • Snare: A web application honeypot sensor.
  • Tanner: TANNER is SNARE's “brain”. Every event is sent from SNARE to TANNER, gets evaluated, and TANNER decides how SNARE should respond to the client.

SKUs

The Vidara HoneyNet Instance SKU includes the following features:

  • Providing customer and sector specific threat intelligence
  • Monthly report
  • Distract attacks from the real infrastructure

Features

Providing customer and sector specific threat intelligence

Threat intelligence collected by the Vidara HoneyNet Instance is analyzed, transformed, and fed back into Azure Sentinel. Detections and use cases deployed in Azure Sentinel use this threat intelligence to detect malicious activity.
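As an added illustration of how a Sentinel detection can consume honeypot-derived indicators (this is example KQL written for this page, not a Wortell query), the analytics rule below matches the source IP of firewall events against active IP indicators. It assumes the indicators land in the standard ThreatIntelligenceIndicator table with SourceSystem set to the placeholder value "HoneyNet-Instance", and that firewall logs are ingested via CommonSecurityLog; both names are assumptions to be adjusted to the actual environment.

```kql
// Added example, not part of the Vidara HoneyNet Instance product content.
// Assumption: honeypot indicators are written to ThreatIntelligenceIndicator
// with SourceSystem == "HoneyNet-Instance" (placeholder; replace with the real value).
let lookback = 1d;
let honeynet_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where SourceSystem == "HoneyNet-Instance"          // placeholder source name
    | where Active == true and ExpirationDateTime > now() // only live indicators
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId  // latest version of each indicator
    | project IndicatorIp = NetworkIP, ThreatType, ConfidenceScore, Description;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP)
| join kind=inner honeynet_ips on $left.SourceIP == $right.IndicatorIp
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Events    = count(),
    Ports     = make_set(DestinationPort, 20),
    Devices   = make_set(DeviceVendor, 10)
    by SourceIP, ThreatType, ConfidenceScore, Description
| order by Events desc
```

Filtering on Active and ExpirationDateTime keeps expired honeypot sightings from generating alerts long after the source stopped scanning, and the arg_max step avoids duplicate matches when the same indicator has been re-ingested with updated metadata.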

By default, threat intelligence collected by the Vidara HoneyNet Instance is used only for the customer itself. The customer can, however, opt in to share its threat intelligence with other Wortell customers, which allows Wortell to strengthen detections for specific sectors.

Monthly report

Intelligence collected by the Vidara HoneyNet Instance is summarized in a report that is sent monthly.

Distract attacks from the real infrastructure

Honeypots in an organisation's infrastructure can distract an attacker. Vidara HoneyNet instances are built to simulate real applications, services and protocols, so that attackers are drawn to these simulations instead of the real infrastructure.

Cost Calculation

The cost is calculated based on the number of Vidara HoneyNet Instances deployed.

Prerequisites

A virtual machine (hosted in cloud or on-premises) with:

  • 2 CPUs
  • A minimum of 8 GB of RAM
  • Outbound internet connection (to send threat intelligence to the Vidara HoneyNet control plane)