Honeypots

Learn how honeypots improve your security and help you catch attackers.


What is a honeypot?

Honeypots are decoy systems or servers deployed alongside production systems within your network. Deployed as attractive targets for attackers, honeypots give blue teams additional security monitoring opportunities and misdirect the adversary away from their true target. Honeypots come in a variety of complexities depending on the needs of your organization and can be a significant line of defense when it comes to flagging attacks early. This page covers in more detail what honeypots are, how they are used, and the benefits of implementing them.

Honeypot basics


Honeypots have many applications and use cases, since their job is to divert malicious traffic away from important systems, provide early warning of an attack in progress before critical systems are hit, and gather information about attackers and their methods. If the honeypots contain no actual confidential data and are well monitored, you can gain insight into attacker tools, tactics, and procedures (TTPs) and gather forensic and legal evidence without putting the rest of your network at risk.

For a honeypot to work, the system should look legitimate. It should run the processes a production system would be expected to run and contain decoy files that appear important. The honeypot can be any system that has been set up with proper sniffing and logging capabilities. It is also a good idea to place a honeypot behind your corporate firewall: not only does the firewall provide important logging and alerting, but you can block the honeypot's outbound traffic so that a compromised honeypot cannot be used to pivot toward other internal assets.

Research vs. production honeypots

In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior in the wild. Looking at both your environment and the wider world, they gather information about attacker trends, malware strains, and the vulnerabilities adversaries are targeting. This can inform your preventive defenses, patch prioritization, and future investments.

Production honeypots, on the other hand, are focused on identifying active compromise on your internal network and tricking the attacker. Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill common detection gaps around identifying network scanning and lateral movement. Production honeypots sit with the rest of your production servers and run services that would typically run in your environment. Research honeypots tend to be more complex and store more types of data than production honeypots.

Honeypot complexity

Within both production and research honeypots, there are also differing tiers depending on the level of complexity your organization needs:

  • Pure honeypot: This is a full-scale, completely production-mimicking system that runs on various servers. It contains "confidential" data and user information and is full of sensors. Though these can be complex and difficult to maintain, the information they provide is invaluable.
  • High-interaction honeypot: This is similar to a pure honeypot in that it runs many services, but it is less complex and holds less data. High-interaction honeypots are not meant to mimic a full-scale production system, but they do run (or appear to run) all the services a production system would run, including a proper operating system. This type of honeypot lets the deploying organization observe attacker behaviors and techniques. High-interaction honeypots are resource-intensive and come with maintenance challenges, but the findings are worth it.
  • Mid-interaction honeypot: These emulate aspects of the application layer but do not have their own operating system. They work to stall or confuse attackers so that organizations have more time to figure out how to react properly to an attack.
  • Low-interaction honeypot: This is the type most commonly deployed in a production environment. Low-interaction honeypots run a handful of services and serve as an early-warning detection mechanism more than anything. They are easy to deploy and maintain, and many security teams deploy multiple honeypots across different segments of their network.
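As an added example (not Rapid7's code, nor code from any product), here is a low-interaction honeypot of the kind described above: a single TCP listener that presents a plausible SSH banner, records whatever the connecting client sends, and emits one JSON event per connection. The banner string, the event fields and the `probe()` helper that plays the part of a scanner are all assumptions made for this illustration; the script runs end to end on loopback.

```python
"""A minimal low-interaction honeypot: one fake SSH listener that logs every
connection.  Added example, not Rapid7's or any product's code; the banner,
event fields and the scanner-style probe() helper are assumptions."""
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Assumed banner: mimics a common OpenSSH build string so port scanners and
# brute-forcers see what looks like a real service.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        src_ip, src_port = self.client_address[:2]
        self.request.sendall(FAKE_BANNER)
        # Capture whatever the client volunteers (its banner, a login attempt,
        # a raw scanner probe), capped at 1 KiB.  Nothing is ever executed and
        # no outbound connection is made, so there is nothing to pivot from.
        data = b""
        try:
            data = self.request.recv(1024)
        except OSError:          # timeout or client reset: still log the hit
            pass
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": self.server.server_address[1],
            "payload": data.decode("latin-1"),   # lossless for arbitrary bytes
        }
        self.server.events.append(event)
        print(json.dumps(event))  # in production, ship this to your SIEM


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, server_address):
        super().__init__(server_address, HoneypotHandler)
        self.events = []   # every entry is an alert: nobody legitimate connects here


def start_honeypot(host="127.0.0.1", port=0):
    """Start listening in a background thread; port=0 picks a free port."""
    hp = Honeypot((host, port))
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def probe(host, port, payload=b"SSH-2.0-libssh_0.9.6\r\n"):
    """Behave like a scanner: read the banner, send our own, disconnect."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_events(hp, n, timeout=3.0):
    """Block until the honeypot has logged at least n hits (or timeout)."""
    deadline = time.monotonic() + timeout
    while len(hp.events) < n and time.monotonic() < deadline:
        time.sleep(0.05)
    return list(hp.events)


if __name__ == "__main__":
    hp = start_honeypot()
    print("fake SSH listening on", hp.server_address)
    probe("127.0.0.1", hp.server_address[1])   # simulate one scanner hit
    wait_for_events(hp, 1)
    hp.shutdown()
    hp.server_close()
```

The listener never authenticates anyone and never opens an outbound connection, so the only thing it can leak is that it exists. In a real deployment you would bind it to the address of a decoy host on each segment, ship the events to your SIEM instead of printing them, and block the host's egress at the firewall as recommended in the basics section above.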

Types of honeypots

Several honeypot technologies in use today include:

  • Malware honeypots: These use known replication and attack vectors to detect malware. For example, honeypots such as Ghost have been crafted to emulate a USB storage device. If a machine is infected by malware that spreads via USB, the honeypot tricks the malware into infecting the emulated device.
  • Spam honeypots: These emulate open mail relays and open proxies. Spammers will first send themselves an email to test the open relay; if it succeeds, they send out a large volume of spam. This type of honeypot can detect and recognize this test and successfully block the massive volume of spam that follows.
  • Database honeypots: Activity such as SQL injection often goes undetected by network firewalls, so some organizations use a database firewall, some of which can provide honeypot support to create decoy databases.
  • Client honeypots: Most honeypots are servers listening for connections. Client honeypots actively seek out malicious servers that attack clients, monitoring the honeypot for suspicious and unexpected modifications. These systems generally run on virtualization technology and have a containment strategy to minimize risk to the research team.
  • Honeynets: Rather than being a single system, a honeynet is a network that can consist of multiple honeypots. Honeynets aim to strategically track the methods and motives of an attacker while containing all inbound and outbound traffic.

Benefits of honeypots

Honeypots offer plenty of security benefits to organizations that choose to implement them, including the following:

They break the attacker kill chain and slow attackers down

As attackers move through your environment, they perform reconnaissance, scanning your network for misconfigurations and vulnerable devices. During this stage they are likely to trip your honeypot, alerting you to investigate and contain the attacker's access. This lets you respond before an attacker has the chance to exfiltrate data from your environment. Malicious actors can also spend a significant amount of time working on the honeypot instead of going after areas that hold real data. Diverting their attack to a useless system wastes their cycles and gives you early warning of an attack in progress.
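The reconnaissance stage described here, and the detection gap around network scanning and lateral movement mentioned under production honeypots, are where decoy hits pay off. As an added example (not Rapid7's code, nor code from any product), the following correlates hits reported by several decoys into alerts: every hit is reported, because no legitimate user has a reason to touch a decoy, but a source that reaches several distinct decoy endpoints inside a short window is upgraded to a scan, an RFC 1918 source is flagged as possible lateral movement, and your own authorized vulnerability scanner is allowlisted so it does not page anyone. The log format, thresholds, window and every address are assumptions, and the sample events are constructed for the illustration.

```python
"""Turn raw honeypot hits into alerts: single probes vs. network scans,
and internal vs. external sources.  Added example, not Rapid7's or any
product's code; log format, thresholds and all addresses are assumptions."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two decoys (10.20.5.250 and 10.20.8.250 on different
# segments) each expose fake SSH/SMB/RDP and report every connection.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "src_ip": "10.20.5.17", "dst_ip": "10.20.5.250", "dst_port": 22}
{"ts": "2024-05-01T09:00:02Z", "src_ip": "10.20.5.17", "dst_ip": "10.20.5.250", "dst_port": 445}
{"ts": "2024-05-01T09:00:04Z", "src_ip": "10.20.5.17", "dst_ip": "10.20.8.250", "dst_port": 22}
{"ts": "2024-05-01T09:00:05Z", "src_ip": "10.20.5.17", "dst_ip": "10.20.8.250", "dst_port": 3389}
{"ts": "2024-05-01T09:30:00Z", "src_ip": "10.0.0.9", "dst_ip": "10.20.5.250", "dst_port": 22}
{"ts": "2024-05-01T09:30:01Z", "src_ip": "10.0.0.9", "dst_ip": "10.20.8.250", "dst_port": 22}
{"ts": "2024-05-01T11:15:40Z", "src_ip": "198.51.100.23", "dst_ip": "10.20.5.250", "dst_port": 445}
"""

AUTHORIZED_SCANNERS = {"10.0.0.9"}   # assumed: your own vuln scanner trips decoys too
SCAN_THRESHOLD = 3                   # distinct decoy endpoints inside WINDOW
WINDOW = timedelta(minutes=5)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse JSON-lines hits, oldest first.  'Z' is rewritten so
    datetime.fromisoformat accepts it on Python < 3.11."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    """RFC 1918 source: a hit from here means an internal host is already
    compromised (or misbehaving), i.e. possible lateral movement."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def correlate(events, threshold=SCAN_THRESHOLD, window=WINDOW,
              authorized=AUTHORIZED_SCANNERS):
    """One alert per source.  Nobody legitimate touches a decoy, so every
    hit is reported; a source that reaches `threshold` distinct
    (dst_ip, dst_port) endpoints within `window` is upgraded to a scan."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)

    alerts = []
    for src, hits in by_src.items():
        if src in authorized:
            continue                     # allowlisted scanner: drop, don't alert
        kind = "probe"
        for i, cur in enumerate(hits):   # hits are time-ordered
            recent = {(h["dst_ip"], h["dst_port"]) for h in hits[:i + 1]
                      if cur["ts"] - h["ts"] <= window}
            if len(recent) >= threshold:
                kind = "scan"
                break
        alerts.append({
            "src_ip": src,
            "kind": kind,
            "internal": is_internal(src),
            "endpoints": sorted({(h["dst_ip"], h["dst_port"]) for h in hits}),
            "first_seen": hits[0]["ts"],
            "last_seen": hits[-1]["ts"],
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        where = "internal" if a["internal"] else "external"
        print(f'{a["first_seen"]:%H:%M:%S} {a["kind"]:5} from {where} '
              f'{a["src_ip"]} -> {len(a["endpoints"])} decoy endpoint(s)')
```

On the constructed sample, 10.20.5.17 touches four decoy endpoints across two segments in four seconds and is reported as an internal scan, the kind of event that usually means a workstation is already under an attacker's control; 198.51.100.23 is a single external probe; and the authorized scanner is silently dropped. Tune the threshold and window to your own scanners' behavior before trusting the "scan" label.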

They are straightforward and low-maintenance

Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous misconfigurations and attacker behavior. In some cases, your team might even forget a honeypot was ever deployed until someone starts poking around your internal network. Unlike signature-based intrusion detection systems, honeypots do not require known-bad attack signatures or fresh threat intel to be useful: no legitimate user has a reason to touch a honeypot, so nearly any interaction with it is worth investigating. The main exceptions are your own vulnerability scanners and other authorized tools, which you should allowlist so they do not generate noise.

They help you test your incident response processes

Honeypots are a low-cost way to help raise your security maturity, as they test whether your team knows what to do when a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate countermeasures?

Honeypots should not be your entire threat detection strategy, but they are another layer of security that can help discover attacks early. They are one of the few methods available to security practitioners to study real-world malicious behavior and catch internal network compromise. Want to learn more about other types of technology that can boost your blue team defenses? Check out our page on deception technology.
