September 27, 2016
-
Joe Franscella
,

Building Raspberry Pi Honeypots on a Budget

<p>It is no longer sufficient to run a singular security application and expect your network to be protected from threats. Zero-day exploits can catch your anti-malware software off guard, and anything encrypted can potentially be decrypted if an outsider wants the data badly enough. With all that is riding on the sanctity of your network, it is worthwhile and even necessary in some cases to pursue a nuanced and custom built threat intelligence system.</p><p>Hackers follow a somewhat predictable process which will leave some traces early in the execution. It is possible to detect threat actors as they are feeling out your network for vulnerabilities. That is if you know what to look for, and are running an effective intelligence collecting program. <a href="https://www.giac.org/paper/gsec/2818/build-security-lab-shoestring-budget/104779" target="_blank">Honeypots are useful and affordable</a> intelligence gathering tools.</p><p>Honeypots are phony web environments made to look like real network locations to an outsider. They are a form of deception trap which are made useful by their misuse. It is possible to collect and analyze traffic logs from any point of the network; however, with a honeypot there should not be any traffic. Raspberry Pi is a small affordable computer which is popular for experimental or <a href="https://www.raspberrypi.org/blog/" target="_blank">novel applications and educational projects</a>. Raspberry Pi honeypots are a good choice for home users or small to medium sized businesses because they use less energy than full sized computers but for all intents and purposes work as well in a deception trap.</p><p>Linking several physical entities together creates a more realistic environment than using one standalone honeypot or a virtual environment. Hackers looking for vulnerabilities will stumble upon your honeypot(s) and begin looking for interesting files and running exploitation scripts. They will leave clues to their identities and motives in the process. These clues are generally termed Indicators of Compromise.</p><p>Your Raspberry Pi honeypot will also waste the hackers’ time. Hopefully, they will determine there is nothing of interest to be found on your “network” and move on to vetting another potential victim. This detour can potentially shield your actual data from exploitation. You’re also evading the hardships that come after a cyber-security incident; victims usually have to investigate the breach, determine which files were leaked and, in some cases, have to make remuneration to other victims of a data breach.</p><p>One fabulous thing about using a honeypot to collect threat intelligence is the relatively low cost for access to threat intelligence exchanges. The <a href="https://www.anomali.com/blog" target="_blank">Modern Honey Net</a> and other nonprofit intelligence exchanges facilitate sending and receiving specifics about real hacks. If you’ve got the basic knowledge and time, this powerful technique is within your means.</p><p>Note this is not a zero-cost endeavor. Unless you’re working on your home network in your free time, there will be a labor expense associated with the setup and tweaking of your intelligence system. For larger enterprises, there may be <a href="http://searchsecurity.techtarget.com/feature/Honeypot-technology-How-honeypots-work-in-the-enterprise" target="_blank">over 100,000 security alerts generated daily</a>. Hopefully, if you’re a business running a website or server, you already have someone tasked with monitoring and responding to alerts, be they staff or consultant. There will be a small charge associated with hosting of the entities, too, although if you’ve got a website running already, this cost may be negligible.</p><p>Data collected from the honeypot is best used together with other feeds. Use a threat intelligence platform that can analyze traffic from the firewall, SIEM, email server, cloud, etc. The alerts produced from Raspberry Pi honeypots and other elements will be well-screened and ideally grouped together logically.</p><p>The processors which make sense of the data coming off of your honeypot, firewall, etc. are getting better at processing data every day. Start collecting threat data with a Raspberry Pi honeypot or another comparable deception trap and stop letting threats go unnoticed. <span class="hs-cta-wrapper" id="hs-cta-wrapper-0071cd63-ac31-4336-9c34-1cbb3eb63a99"> <span class="hs-cta-node hs-cta-0071cd63-ac31-4336-9c34-1cbb3eb63a99" data-hs-drop="true" id="hs-cta-0071cd63-ac31-4336-9c34-1cbb3eb63a99" style="visibility: visible; display: block; text-align: center;"><a class="cta_button" cta_dest_link="{page_4274}" href="https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=7f449c09-bffc-4bd3-ae88-a260b9579b4d&amp;placement_guid=0071cd63-ac31-4336-9c34-1cbb3eb63a99&amp;portal_id=458120&amp;redirect_url=APefjpFpXIi9-8pf3I7wHAiIEeUh6r-3hHBKX7XSeKpZza9c_kGdf1TAeAjdni3NjkbGtrjdvW6hV91kKluH3hw928ByV86JwJI4NKuubhbOZgL220FMK4DuLZ6YE3AKpRRxpZBzVeJEhYGXvLwYB3KA98neEEhCE7mwr6_s_Z59ZchFvryKrQMNtaESpLyYm8AcWhEO1_tLt9aYE2pVyzt-iRS942uHJcSErZTVZfEgcu8OYA06TlBQzF34IniELmalO0Db3_vG9dmhT_tMuf2NadgCebGAzSCt6UkcGk-u0a4L_wlaqpDDyHfMmmhiY1fkTc0voxbrHGfHuJ7JHgMuOem3uea8Og&amp;hsutk=2767d93d6471d657e0c9f660e4b58ef8&amp;utm_referrer=https%3A%2F%2Fblog.anomali.com%2Fbuilding-raspberry-pi-honeypots-on-a-budget&amp;canon=https%3A%2F%2Fblog.anomali.com%2Fbuilding-raspberry-pi-honeypots-on-a-budget&amp;pageId=4373828592&amp;__hstc=41179005.2767d93d6471d657e0c9f660e4b58ef8.1456736058655.1478467980860.1478822660171.178&amp;__hssc=41179005.23.1478822660171&amp;__hsfp=1335165674" id="cta_button_458120_7f449c09-bffc-4bd3-ae88-a260b9579b4d" style="margin: 20px auto;" target="_blank" title="View The Webinar Here"> View The Webinar Here </a> </span> <script charset="utf-8" src="https://js.hscta.net/cta/current.js"></script> <script type="text/javascript">hbspt.cta.load(458120, '0071cd63-ac31-4336-9c34-1cbb3eb63a99', {});</script> </span></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.