
How to deploy a HoneyPot using Splunk?

SplunkTrust

How can I use Splunk to detect potential reconnaissance or lateral movement using a HoneyPot?

1 Solution

SplunkTrust

To setup a simple HoneyPot you need to leverage the Splunk Stream app: https://splunkbase.splunk.com/app/1809/

  1. deploy decoy systems in the network segments you would like to monitor
  2. ensure the decoy system hostnames conform to your standard naming conventions
  3. ensure those systems are built using your Gold Image, conform to all your standard security controls, and are updated and patched using your standard patching processes
  4. install the Splunk Stream app on the systems
  5. configure the Splunk Stream to capture all inbound ports and protocols
  6. forward the data from the Splunk Stream app on your decoy systems to your indexers
  7. configure an alert against that stream data when events are greater than 0
  8. the SPL should be written to filter out all standard management activity such as the downloading of any updates or scanning by your Vulnerability Management program but ALL other INBOUND activity should be alerted on

In theory, since the system serves no legitimate purpose on the network, even a single packet inbound on the system is cause for investigation. If you have written your alert properly you should almost never receive alerts from this stream data unless it is abnormal for the network segment that the system resides in.

  • If somebody is attempting RDP or ssh to a system that serves no purpose that is interesting.
  • If any system other than your whitelisted vulnerability scanners or patch deployment servers is scanning the decoy host that is interesting.
  • Pings to the system are interesting.

Detections using this setup can indicate an active breach and attempted reconnaissance and lateral movement by attackers. Prior experience with this deployment has identified several firewall misconfigurations allowing inbound traffic to a network segment that should not have been. These are important detections to identify and remediate for enhanced security posture even if they aren't active attackers in your network. Just because it wasn't malicious doesn't mean it wasn't a good find!

Cheers! 😄

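The answer above describes steps 7 and 8 (alert on any inbound Stream event that is not routine management traffic) but never shows the search itself. The following SPL is an added example written for this page, not the author's own alert, and it makes a few assumptions: Stream is writing flow records with the standard `stream:tcp`, `stream:udp` and `stream:icmp` sourcetypes and the `src_ip`, `dest_ip` and `dest_port` fields; the decoy hosts have the placeholder addresses 10.10.20.50 and 10.10.20.51; and a CSV lookup named `honeypot_allowlist.csv` with the columns `src_ip,role` lists the vulnerability scanners, patch servers and other management sources that are allowed to touch the decoys. Everything not in that lookup is reported, grouped by source.

```spl
(sourcetype="stream:tcp" OR sourcetype="stream:udp" OR sourcetype="stream:icmp")
  dest_ip IN ("10.10.20.50", "10.10.20.51")
| lookup honeypot_allowlist.csv src_ip OUTPUT role AS allowed_role
| where isnull(allowed_role)
| stats count,
        earliest(_time)    AS first_seen,
        latest(_time)      AS last_seen,
        values(dest_port)  AS dest_ports,
        values(sourcetype) AS protocols
  BY src_ip, dest_ip
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

Save it as a scheduled alert that runs every five minutes over the last five minutes (earliest=-5m) with the trigger condition "Number of Results is greater than 0", which is the "events greater than 0" condition from step 7. Filtering on `dest_ip` rather than on the decoy's `host` field is deliberate: Stream records a flow with the initiating side as `src_ip`, so this keeps the decoy's own outbound traffic (update downloads, forwarding to the indexers) out of the results without having to enumerate it. The allowlist is applied after the fact with `lookup` and `isnull` rather than as a `NOT [...]` subsearch so that an empty or missing lookup fails loudly (everything is reported) instead of silently suppressing the alert; review the lookup whenever a scanner or patch server changes address, and remember that a single ICMP echo from an unexpected source is meant to show up here.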


SplunkTrust

Oh and I suggest periodically checking that everything is working by running a test nmap scan from a non-standard system, or even just remotely logging in to the host should do it too. That way you can make sure the Stream App is still running, that forwarding and indexing is still working, and that your alert is still ok.


SplunkTrust

Oh, and a big shout out to Kevin Cardwell for the very simple idea: 1 packet is all you need

Kevin is a great speaker who I have seen a few times and taken workshops with: https://www.linkedin.com/in/kevin-cardwell-6102891/


SplunkTrust

Maybe someday I'll add screenshots of the Stream config and a sample alert...I've been meaning to do this post for 2 years so I guess this is better than nothing though!