Vidara HoneyNet Instance
Introduction
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site and contain information or resources of value to attackers. It is isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as “baiting” a suspect.
Wortell has developed its own honeypot network called Vidara HoneyNet. Honeypots in this network collect threat intelligence that is used in our security use cases and detections. Threat intelligence collected by this network is generic and not sector or customer specific. With Vidara HoneyNet Instance, Wortell deploys an instance of our honeypot nodes in the customer network. Doing so allows us to collect customer and sector specific threat intelligence, which is then used in detections and use cases.
Honeypots
The Vidara HoneyNet Instance contains a wide variety of honeypots:
Honeypot | Description |
---|---|
Adbhoney | Low interaction honeypot designed for Android Debug Bridge over TCP/IP |
Ciscoasa | A low interaction honeypot for the Cisco ASA component, capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability |
Citrixhoneypot | Detects and logs CVE-2019-19781 scan and exploitation attempts |
Conpot | A low interaction server-side Industrial Control Systems honeypot |
Cowrie | Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. |
Ddospot | DDoSPot is a honeypot "platform" for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks |
Dicompot | Dicompot is a fully functional DICOM server with a twist |
Dionaea | Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is obtaining a copy of the malware. |
Elasticpot | Honeypot simulating a vulnerable Elasticsearch server exposed to the Internet |
Endlessh | Endlessh is an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. |
Glutton | Glutton provides SSH and a TCP proxy. The SSH proxy works as a MITM between attacker and server to log everything in plain text. |
Heralding | A simple honeypot that collects credentials |
Hellpot | HellPot is an endless honeypot that sends bots to hell |
Honeypie | A low interaction honeypot with the capability to be more of a medium interaction honeypot |
Honeysap | HoneySAP is a low-interaction research-focused honeypot specific for SAP services. |
Honeytrap | Honeytrap is a network security tool written to observe attacks against TCP or UDP services |
Ipphoney | IPPHoney is a honeypot for the Internet Printing Protocol (IPP) |
Mailoney | Mailoney is an SMTP honeypot |
Medpot | HL7 / FHIR honeypot |
Rdpy | RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side) |
Redishoneypot | Low interaction honeypot for the Redis protocol |
Snare | A web application honeypot sensor |
Tanner | TANNER is SNARE's "brain". Every event is sent from SNARE to TANNER, gets evaluated, and TANNER decides how SNARE should respond to the client. |
SKUs
Feature | Vidara HoneyNet Instance |
---|---|
Providing customer and sector specific threat intelligence | + |
Monthly report | + |
Distract attacks from the real infrastructure | + |
Features
Providing customer and sector specific threat intelligence
Threat intelligence collected by the Vidara HoneyNet Instance is analyzed, transformed, and fed back into Azure Sentinel; the detections and use cases deployed in Azure Sentinel then use this threat intelligence to detect malicious activity.
By default, threat intelligence collected by the Vidara HoneyNet Instance is only used for the customer itself. The customer can, however, opt in to share its threat intelligence with other Wortell customers. This allows Wortell to strengthen detections for specific sectors.
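As an added illustration of how honeypot-sourced indicators can drive a Sentinel detection (this is example KQL, not Wortell's own detection content), the query below matches indicators in the ThreatIntelligenceIndicator table against firewall events in CommonSecurityLog. It assumes the honeypot indicators are ingested with a SourceSystem value of "Vidara HoneyNet"; that label and the 14-day lookback are assumptions.

```kql
// Added example, not part of the Vidara HoneyNet product.
// Assumption: honeypot-derived IP indicators land in ThreatIntelligenceIndicator
// tagged with SourceSystem == "Vidara HoneyNet" (assumed label).
let ti_lookback = 14d;
let honeynet_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_lookback)
    | where SourceSystem == "Vidara HoneyNet"          // assumed source label
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkSourceIP)
    // keep only the latest version of each indicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, IndicatorIP = NetworkSourceIP,
              ConfidenceScore, ThreatType, Description;
CommonSecurityLog
| where TimeGenerated >= ago(1d)
| where isnotempty(SourceIP)
| join kind=inner honeynet_ips on $left.SourceIP == $right.IndicatorIP
| summarize HitCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            DestinationPorts = make_set(DestinationPort, 20),
            Devices = make_set(DeviceName, 10)
    by SourceIP, IndicatorId, ConfidenceScore, ThreatType, Description
| order by ConfidenceScore desc, HitCount desc
```

Extend the join to other tables with source-IP fields (for example SigninLogs on IPAddress) in the same way the built-in Sentinel "TI map" rules do, so that an indicator observed by the honeypot is checked against the production estate rather than only the perimeter logs.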
Monthly report
Intelligence collected by the Vidara HoneyNet Instance is summarized in a report that is sent monthly.
Distract attacks from the real infrastructure
Honeypots in an organisation's infrastructure can distract an attacker. Vidara HoneyNet Instances are built to simulate real applications, services and protocols. These simulations draw attackers away from the real infrastructure.
Cost Calculation
The cost is calculated based on the number of Vidara HoneyNet Instances deployed.
Prerequisites
A virtual machine (hosted in cloud or on-premises) with:
- 2 CPUs
- A minimum of 8 GB of RAM
- Outbound internet connection (to send threat intelligence to the Vidara HoneyNet control plane)