How can I use Splunk to detect potential reconnaissance or lateral movement using a HoneyPot?
To set up a simple HoneyPot you need to leverage the Splunk Stream app: https://splunkbase.splunk.com/app/1809/
In theory, since the system serves no legitimate purpose on the network, even a single packet inbound on the system is cause for investigation. If you have written your alert properly you should almost never receive alerts from this stream data unless it is abnormal for the network segment that the system resides in.
Detections using this setup can indicate an active breach and attempted reconnaissance and lateral movement by attackers. Prior experience with this deployment has identified several firewall misconfigurations allowing inbound traffic to a network segment that should not have been. These are important detections to identify and remediate for enhanced security posture even if they aren't active attackers in your network. Just because it wasn't malicious doesn't mean it wasn't a good find!
Cheers! 😄
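As an added example (not part of the original answer), here is a search of the kind the answer describes: any inbound Stream event whose destination is the honeypot host, summarised per source so a single packet is enough to produce a result. It assumes the Stream data is indexed into an index named `honeypot` and that the honeypot's address is `10.0.50.10`; both are placeholders to replace with your own values.

```spl
index=honeypot (sourcetype=stream:tcp OR sourcetype=stream:udp OR sourcetype=stream:icmp)
    dest_ip="10.0.50.10"
| stats count AS packets,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(dest_port) AS dest_ports
  BY src_ip, transport
| convert ctime(first_seen) ctime(last_seen)
| sort - packets
```

Save it as a scheduled alert that triggers when the number of results is greater than zero; the test login or scan from the follow-up comment should then show up as a row with your testing host as `src_ip`.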
Oh and I suggest periodically checking that everything is working by running a test nmap scan from a non-standard system, or even just remotely logging in to the host should do it too. That way you can make sure the Stream App is still running, that forwarding and indexing is still working, and that your alert is still ok.
Oh, and a big shout out to Kevin Cardwell for the very simple idea: 1 packet is all you need
Kevin is a great speaker who I have seen a few times and taken workshops with: https://www.linkedin.com/in/kevin-cardwell-6102891/
Maybe someday I'll add screenshots of the Stream config and a sample alert... I've been meaning to do this post for 2 years, so I guess this is better than nothing though!