by Dean Sysman & Gadi Evron & Itamar Sher
The description:
We will detect, bypass, and abuse honeypot technologies and solutions, turning them against the defender. We will also release a global map of honeypot deployments, honeypot detection vulnerabilities, and supporting code.
The concept of a honeypot is strong, but the way honeypots are implemented is inherently weak, enabling an attacker to easily detect and bypass them, as well as make use of them for his own purposes. Our methods analyze network protocol completeness, operating system software implementation completeness, and vulnerable code.
As a case study, we will concentrate on platforms deployed in real organizational networks, mapping them globally, and demonstrating how it is possible to both bypass and use these honeypots to the attacker’s advantage.
The slides for the presentation.
This presentation addresses the question of detecting (identifying) a deception.
Detection of the following honeypots is discussed:
Artillery: https://github.com/BinaryDefense/artillery (Updated URL)
BearTrap: https://github.com/chrisbdaemon/BearTrap
honeyd: http://www.honeyd.org
Dionaea: http://dionaea.carnivore.it/ (timed out on July 4, 2016)
Glastopf: http://glastopf.org/
Kippo: https://github.com/desaster/kippo
KFSensor: http://www.keyfocus.net/kfsensor/
Nova: https://github.com/DataSoft/Nova
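The "protocol completeness" method from the abstract, as an added example that is not from the talk, its slides, or any of the projects listed above: a Python probe that checks whether an SSH-speaking service completes the first steps RFC 4253 requires of every SSH server (a well-formed identification string, then an SSH_MSG_KEXINIT carrying ten name-lists) and flags services that stop at the banner. The two localhost stub servers, their banner string, and the algorithm names in the constructed KEXINIT are assumptions made for the demo; nothing below is a fingerprint of Kippo or any other listed honeypot.

```python
"""Differential completeness probe for SSH services (RFC 4253 sections 4.2, 6 and 7.1).

A full SSH server answers the identification exchange with SSH_MSG_KEXINIT (type 20).
A service that only replays a banner, or emits a malformed KEXINIT, is incomplete and
therefore a candidate for being a low-interaction trap rather than a real sshd.
"""
import socket
import struct
import threading

SSH_MSG_KEXINIT = 20
STUB_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # assumed banner for the demo stubs, not a real host


def recv_exact(sock, n):
    """Read exactly n bytes or return None if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_line(sock, limit=255):
    """Read one identification line (RFC 4253 caps it at 255 bytes including CRLF)."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        c = sock.recv(1)
        if not c:
            break
        buf += c
    return buf


def read_packet(sock):
    """Read one unencrypted binary packet and return its payload, or None on error."""
    head = recv_exact(sock, 5)
    if head is None:
        return None
    length, pad = struct.unpack(">IB", head)
    if length < 1 or length > 35000 or pad >= length:  # 35000 is the RFC 4253 minimum max size
        return None
    body = recv_exact(sock, length - 1)
    return None if body is None else body[: length - 1 - pad]


def frame(payload):
    """Wrap a payload in the RFC 4253 6 packet format (8-byte alignment, >= 4 bytes padding)."""
    pad = 8 - ((5 + len(payload)) % 8)
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def kexinit_payload():
    """Constructed SSH_MSG_KEXINIT: cookie, ten name-lists, first_kex_packet_follows, reserved."""
    lists = [b"curve25519-sha256", b"ssh-ed25519", b"aes128-ctr", b"aes128-ctr",
             b"hmac-sha2-256", b"hmac-sha2-256", b"none", b"none", b"", b""]
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for item in lists:
        payload += struct.pack(">I", len(item)) + item
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """True if payload is a structurally valid SSH_MSG_KEXINIT (RFC 4253 7.1)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        return False
    off = 17
    for _ in range(10):
        if off + 4 > len(payload):
            return False
        off += 4 + struct.unpack(">I", payload[off:off + 4])[0]
        if off > len(payload):
            return False
    return off + 5 == len(payload)


def probe_ssh(host, port, timeout=3.0):
    """Drive the identification exchange and record how far the service gets."""
    f = {"banner": None, "banner_wellformed": False, "kexinit": False, "kexinit_wellformed": False}
    with socket.create_connection((host, port), timeout) as s:
        line = read_line(s)
        f["banner"] = line.decode("latin-1", "replace").rstrip()
        f["banner_wellformed"] = line.startswith(b"SSH-2.0-") and line.endswith(b"\r\n")
        s.sendall(b"SSH-2.0-CompletenessProbe\r\n")
        try:
            pkt = read_packet(s)
        except OSError:  # timeout or reset: treat as "no key exchange offered"
            pkt = None
        f["kexinit"] = bool(pkt) and pkt[0] == SSH_MSG_KEXINIT
        f["kexinit_wellformed"] = bool(pkt) and parse_kexinit(pkt)
    return f


def anomalies(f):
    """Translate probe findings into completeness anomalies worth reporting."""
    out = []
    if not f["banner_wellformed"]:
        out.append("identification string is not 'SSH-2.0-...' terminated by CRLF (RFC 4253 4.2)")
    if not f["kexinit"]:
        out.append("no SSH_MSG_KEXINIT after identification exchange: service stops at the banner")
    elif not f["kexinit_wellformed"]:
        out.append("SSH_MSG_KEXINIT malformed: ten name-lists expected (RFC 4253 7.1)")
    return out


def start_stub(handler):
    """One-shot TCP listener on 127.0.0.1 (constructed for the demo); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def complete_sshd(conn):
    """Stub that behaves like a real server for the first two steps."""
    conn.sendall(STUB_BANNER)
    read_line(conn)
    conn.sendall(frame(kexinit_payload()))


def banner_only_trap(conn):
    """Stub that imitates a banner-replaying trap: same banner, then hangs up."""
    conn.sendall(STUB_BANNER)
    read_line(conn)


if __name__ == "__main__":
    for name, handler in (("complete stub", complete_sshd), ("banner-only stub", banner_only_trap)):
        print(name, anomalies(probe_ssh("127.0.0.1", start_stub(handler))))
```

Both stubs present the same banner, so banner grabbing alone cannot tell them apart; only driving the protocol one step further does. The check is deliberately one-sided: a clean result means the service at least completes key exchange framing, not that it is a real host. A honeypot built on a full SSH library passes it, and the same differential approach then has to be carried into the emulated shell (commands, filesystem, timing) before it says anything about the honeypots listed above.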
The talk argued that identifying an attack can at most lead to that attack being prevented, which is what all anti-attack code does, whereas identifying the attacker can have consequences for the attack as an operation.
Combining an IP address with other dimensions of identification, say in a topic map, could be a means of sharpening the consequences for attackers.
Of course, I am assuming that at least within an agency, agents share data/insights towards a common objective. That may not be the case in your agency.
While looking for other resources on honeypots, I did find Collection of Awesome Honeypots, dating from December of 2015.