This article explains SSProtect Honeypots and how to use them for early warning signs of attacker activity.
What is a Honeypot?
A Honeypot is a trap utilizing resources designed to appear legitimate, but carrying little to no real value. Honeypots are often purposely and dynamically placed with specialized monitoring that is often impractical - or more expensive - to implement in production systems. The goal is to draw the attention of those with malicious intent away from sensitive resources while at the same time capturing evidence of behaviors to motivate countermeasures and/ or corrective action.
Many believe that Honeypots, when properly utilized, offer compelling advantages in retaining network system availability and security. Some practitioners make extensive use of Honeypots, whereas others haven't and claim they never will. Opinions run the gamut.
Though we had Honeypots on our Roadmap at a reasonable level of priority, we were in 2015 approached by Early Adopter program participants who'd spent time in classified US Government briefings specific to nation state electronic crime. This particular individual specialized in APTs, and with focused efforts enabled us to deliver seemingly suitable - and optional - sooner than expected.
The remainder of this article describes SSProtect Honeypot configuration and operation.
Masking Protected Indicator
Windows Explorer shows files in folders using icons that reflect the registered management application for each item. SSProtect enhances this view by providing red and yellow icon overlays indicating whether or not a file is protected. Red indicates that you are the managing user of a specific file, while orange (yellow) shows that a file is protected by SSProtect, though came from an external source or Third Party. In this case, it will not be clear whether or not you have access to the file from the active Profile's context.
Roadmap for Attackers
Though SSProtect provides convenient status information for authorized users, it also serves as a roadmap for attackers, allowing them to adjust their strategy upon discovering sets of files that are closely managed. Assuming SSProtect retains effectiveness against even the most advanced host threats (such as impersonation), attackers can approach resources by offloading unprotected and lower-risk items before returning to try their hand at stealing SSProtect-managed data.
Inhibiting Mass Data Exfiltration
Honeypots change this dynamic drastically - because attackers can no longer assume unmarked files are outside the protective scope of SSProtect. This presents the risk of triggering alarms when accessing any file that seems in every other way to be normal and independent of SSProtect. This can have a drastic impact on the way attackers go after their bounty. It can also reduce the amount of time attackers are free to roam, undetected. This early warning system, deployed appropriately, will reduce the typical impact of breach dynamics specific to mass offloading of application data files stored on desktop/ workstation (and server) systems.
This tips the scales back toward your favor, though to what extent and whether or not past the tipping point depends on a great many things. It should, however, have more than a subtle impact and can be utilized as a centerpiece in choosing how to manage other aspects of your network - from behavioral analysis and next-generation intrusion prevention to the way in which outbound DNS and firewalling is applied and managed (with SIEM for example).
1st Time Use - Honeypot Password
The first time you Login to SSProtect following Honeypot activation (for your Account), you will be prompted to set a unique, independent Honeypot Password:
The Honeypot Password is used as a, "secondary login" so you can work with SSProtect without exposing Honeypot controls and configuration. This limits exposure to potential eavesdropping (screen capture operation by attackers who gain access to a host computer).
If you skip this operation after Login, you will be forced to set your Honeypot Password when you attempt to unmask Honeypot Controls.
To enable Honeypot controls and view Honeypot-configured files, navigate to the Account Configuration display using the SSProtect notification tray icon's context menu:
At the bottom of the display, you will see the Honeypot Pwd edit control, though (initially) disabled. The button that accompanies this control will be in one of four different states:
- Config (disabled) - Honeypots are not enabled for your Account
- Config (enabled) - You have not unmasked Honeypot Controls
- Send Pwd - You have not unmasked Honeypot Controls but clicked Config
- Upd Pwd - You have unmasked Honeypot Controls during the existing SSProtect Login Session
As you may have guessed, Config allows you to enter your password and enable Honeypot Controls, though if you haven't set your Honeypot Password you will be prompted to do so. For example:
- Login to SSProtect and bypass the initial prompt to set your Honeypot Password
- Navigate to the Account Configuration dialog, as noted above, then choose Config
- The button transitions to Send Pwd and you are prompted to set your Honeypot Password:
Enter your new Password (twice), then OK: SSProtect will perform a Refresh Login to apply changes.
Unmasking Honeypot Controls
Once you have set your Honeypot Password, perform the following tasks to access Honeypot Controls:
- Login to SSProtect; you will not be prompted to set a Honeypot Password (already done)
- Navigate to the Account Configuration dialog and click Config
- The button transitions to Send Pwd and the edit control is enabled
- Enter your Honeypot Password and choose Send Pwd; SSProtect transitions to the Hostlist display
The Hostlist display will then show Honeypot Controls and any configured Honeypot Files.
Resetting your Honeypot Password
Your Honeypot Password isn't reset independently - it gets Reset with your Login Password. For this reason, you want to be sure and set your Honeypot Password after you Register and anytime you change your Login Password.
You can, however, reset your Honeypot Password independently:
- Login to SSProtect, then Unmask Honeypot Control as described above
- Return to the Account Configuration dialog - the Honeypot control group's button will be Upd Pwd
- Click Upd Pwd - you will be prompted to set a new Honeypot Password (same as as before)
- Cancel or enter your new Honeypot Password (twice) then click OK; SSProtect will Refresh Login
Enabling/ Disabling Monitoring
After you unmask Honeypot Configuration with your Honeypot Password, you are taken directly to the Protected Files display where you can choose a target file then check the Honeypot checkbox. After a few seconds, the file will transition to the Decrypted state and will continue to be shown with the Honeypot checkbox status. Explorer will no longer display the red overlay icon - the file now presents just like any other unprotected item.
Reset your Login session with the notification icon's Refresh Login... context menu and return to this dialog - notice that the file and the Honeypot designations are no longer present. This default state protects from disclosure to localhost attackers who may be watching you work using malware that collects screenshots.
To disable a Honeypot, unmask configuration, navigate to Managed Files/ Restore, and from the Hostlist choose the target (Honeypot) file. Uncheck the Honeypot checkbox. Note that the target file is not re-encrypted or re-protected - you can do this manually if so desired.
Some users will see a Honeypots button on the right side of the Protected Files display. This enumerates all Honeypot-configured files for the host computer on which you're working (for all Profiles). These are stored in the local Host Debug Log, then displayed for you automatically. It's important for you to erase these entries and save the log file when finished perusing the list, else an attacker may be able to find the set and specifically avoid those items.
Monitoring begins immediately after configuration is changed, and includes:
- Opening the file with the default application*
- Moving or renaming the file
- Deleting the file
Notification is available in two forms - by direct email to your SSProtect Account address, and in :Assess reports that contain these and other events.
Notification events are one of three types - online, offline, or configuration. Online events occur while you are actively logged into SSProtect, while offline events occur when SSProtect does not have any authenticated user logged in. You will receive one (1) notification for each event associated with a target Honeypot file. You can use Email filtering and Rules to manage incoming content until more advanced notification policies are made available.
Note that Configuration notification is only applicable to Honeypot state Removal.
*This will be extended in the future to include additional access events, such as accessing data with most any application. Because of the way Windows manages application data files, this is more than a simple matter of waiting for a file to be opened, though managed in-place encryption capabilities provide the foundation for ongoing work in this area.
Honeypot notification messages are straightforward and report a number of different activities, including the possibility that a Honeypot File has been accessed, renamed, moved, or copied (locally or remotely). Note that SSProtect uses an advanced methodology for monitoring these files specifically designed to prohibit the, "low, quiet and slow" approach used by advanced attackers. For details, talk to your SSProtect Representative or email Support to setup a discussion on the matter.
:Assess Report Details
Cloud services record details associated with Honeypot behavior - detection and configuration - and provide details available in :Assess File and Admin (Integrated) Reports. These items include the date, time, event, local and public host IP addresses, along with the target Filename, file size, unique file ID, plaintext hash, and managing application used to access content. This allows you to correlate information with other items and events for forensic investigation.
When designing for and working with Honeypots, use the following list to ensure your expectations and intent remains aligned with SSProtect capabilities:
- You can only configure a Honeypot for a protected file
- Configuring a file for Honeypot monitoring decrypts content
- Disabling Honeypot behavior does not re-encrypt or re-protect the file
- Honeypots remain active whether Logged in to SSProtect or not
- All Honeypot items, for all Profiles on a single host, are constantly monitored
- Reset your Honeypot Password after any change to your Login Password
Honeypots can be helpful in the early detection of rogue resources in your network. We will have more to say on this subject in our @DefiniSec Insights column. In the meantime, send questions and comments to firstname.lastname@example.org, or contact your DefiniSec representative for additional assistance.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to email@example.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v5.2.5 of the :Foundation Client