
Submersion Therapy - Honeypots for Active Defense

via YouTube

Overview

This course, Submersion Therapy: Honeypots for Active Defense, covers the following learning outcomes and goals: understanding traditional defensive concepts, exploring the concept of 'Active Defense', learning why internal honeypots matter, and gaining knowledge of the different types of honeypots and their use cases. The course teaches individual skills such as setting up Windows PowerShell honeyports, using Artillery to log port scans and illegitimate service access and to perform file integrity monitoring, deploying Kippo (a Python script that simulates an SSH service), and implementing honey tokens to track interactions with files and folders of interest. The teaching method combines theoretical concepts, practical demonstrations, and recommended readings. The intended audience includes cybersecurity professionals, IT professionals, incident responders, and anyone interested in active defense strategies built on honeypots.
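The honeyport idea the talk demonstrates with PowerShell, shown here as an added example in Python (this is not the talk's script and is not Artillery): a listener is bound to a port that nothing legitimate uses, so every connection is by definition suspicious. Each hit is logged as a JSON event with the source address and the first bytes the client sent, and once a source has hit the port THRESHOLD times it is flagged for blocking. The decoy FTP banner, port 2121, the threshold of 3 and the `on_block` hook (which here only prints; wiring it to a firewall rule is left to the deployment) are all assumptions of this example.

```python
# Added example (not from the talk): a minimal TCP honeyport in Python rather
# than the PowerShell of the talk. Nothing legitimate should ever connect to
# this port, so every connection is logged and, after BLOCK_THRESHOLD hits from
# one source, that source is flagged for blocking.
import json
import socket
import socketserver
import threading
import time
from collections import Counter

BLOCK_THRESHOLD = 3                                         # assumption: flag a source after 3 hits
DECOY_BANNER = b"220 ftp.corp.local FTP server ready\r\n"   # constructed decoy banner


class HoneyportTracker:
    """Thread-safe record of hits per source plus the block decisions taken."""

    def __init__(self, threshold=BLOCK_THRESHOLD, on_block=None):
        self.threshold = threshold
        # hook for the real response (e.g. adding a firewall rule); default only prints
        self.on_block = on_block or (lambda ip: print(f"BLOCK {ip}"))
        self.hits = Counter()
        self.blocked = set()
        self.events = []
        self._lock = threading.Lock()

    def record(self, src_ip, src_port, dst_port, first_bytes):
        with self._lock:
            self.hits[src_ip] += 1
            block_now = self.hits[src_ip] >= self.threshold and src_ip not in self.blocked
            if block_now:
                self.blocked.add(src_ip)
            event = {
                "ts": time.time(),
                "event": "honeyport_hit",
                "src_ip": src_ip,
                "src_port": src_port,
                "dst_port": dst_port,
                "hit_count": self.hits[src_ip],
                "first_bytes": first_bytes[:64].decode("latin-1"),
                "block": block_now,
            }
            self.events.append(event)
        if block_now:
            self.on_block(src_ip)          # outside the lock: the callback may be slow
        return event


class HoneyportHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        data = b""
        try:
            self.request.sendall(DECOY_BANNER)   # a fake banner makes scanners talk
            data = self.request.recv(256)        # capture what the client tries first
        except OSError:                          # timeout or reset: still a hit
            pass
        src_ip, src_port = self.client_address[:2]
        event = self.server.tracker.record(src_ip, src_port, self.server.server_address[1], data)
        print(json.dumps(event))                 # in production ship this line to the SIEM


class Honeyport(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, tracker):
        self.tracker = tracker
        super().__init__(address, HoneyportHandler)


def start_honeyport(host="0.0.0.0", port=2121, tracker=None):
    """Bind the listener and serve it from a daemon thread; returns the server."""
    tracker = tracker if tracker is not None else HoneyportTracker()
    server = Honeyport((host, port), tracker)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, payload=b"USER anonymous\r\n"):
    """Behave like a scanner: connect, read the banner, send one line. Returns the banner."""
    with socket.create_connection((host, port), timeout=3) as s:
        banner = s.recv(128)
        s.sendall(payload)
    return banner


def wait_for_hits(tracker, count, timeout=5.0):
    """Block until the tracker has recorded `count` events (or the timeout expires)."""
    deadline = time.time() + timeout
    while len(tracker.events) < count and time.time() < deadline:
        time.sleep(0.02)
    return len(tracker.events) >= count


if __name__ == "__main__":
    srv = start_honeyport()
    print(f"honeyport listening on {srv.server_address}")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it as a script on a host that exposes no real service on the chosen port, then `probe()` it from another machine: the first hits produce log events only, the third triggers `on_block`. The banner is deliberate: a silent listener still records the connection, but a plausible banner makes automated tools send a first command, which is worth more to the analyst than the bare fact of a connection. Keep the threshold above 1 in practice so that a single stray connection from a misconfigured scanner does not block a legitimate host.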

Syllabus

Intro
Traditional Defensive Concepts
InfoSec Realities • There is no magic security product that will protect you or your company. Period.
What is 'Active Defense'?
Why Internal Honeypots?
Honeypot Use Cases
First things first • Honeypots and Active Defense come after baseline security controls are in place.
Types of Honeypots
Windows PowerShell Honeyports
Artillery Logging • Port Scanning and/or illegitimate Service Access
Artillery Logging Bonus! • File Integrity Monitoring
WordPot
Honeybadger
Kippo • Python script which simulates an SSH service; highly customizable, portable, and adaptable.
Analysis Tools • LogRhythm Network Monitor and SIEM; Suricata IDS
Routers and Switches
High Interaction Warning! • Deploying real systems / devices / services is dangerous and requires dedicated monitoring
Honey Tokens • Use file integrity monitoring to track all interactions with files/folders/etc of interest. Great for network shares.
Document Bugging
Document Tracking Issues • If the document is opened offline, it will divulge information about the tracking service.
More Tricks
ASCII Art Distraction
Monitoring • Dedicated SOC - Security Operations Center
Event Correlation
Automating Response
Works Cited & Recommended Reading • Strand, John, and Asadoorian, Paul. Offensive Countermeasures: The Art of Active Defense, 2013. • Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014.
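The Honey Tokens and Artillery file-integrity-monitoring items above, as one added example that is not the talk's material and not Artillery's code: decoy files are planted on a share with a unique token baked into each, a hash baseline of the share is recorded, and a later check diffs the share against that baseline to report modified, deleted and newly created files. The tokens are then searched for in log lines, so a token turning up in a proxy or authentication log identifies which decoy was taken. The decoy names, their contents, the field name `svc_backup` and the sample log lines are all constructed for this example.

```python
# Added example (not from the talk, not Artillery's code): honey tokens plus a
# hash baseline. Decoy files carry a unique token; a baseline of hashes is
# recorded and later diffed, and the tokens are searched for in log lines.
import hashlib
import json
import secrets
import tempfile
from pathlib import Path


def plant_honey_token(directory, name, label):
    """Write a decoy file and return the unique token embedded in it."""
    token = secrets.token_hex(8)
    path = Path(directory) / name
    # constructed decoy content: looks like a credential, but is only a tracer
    path.write_text(f"# {label}\nsvc_backup:{token}\n")
    return token


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map of relative path -> hash/size/mtime for every file under directory."""
    root = Path(directory)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "size": st.st_size, "mtime": st.st_mtime}
    return baseline


def check_integrity(directory, baseline):
    """Diff the directory against a stored baseline; returns one alert per change."""
    current = build_baseline(directory)
    alerts = []
    for rel, meta in baseline.items():
        if rel not in current:
            alerts.append({"event": "deleted", "path": rel})
        elif current[rel]["sha256"] != meta["sha256"]:
            alerts.append({"event": "modified", "path": rel,
                           "old_sha256": meta["sha256"], "new_sha256": current[rel]["sha256"]})
    for rel in current:
        if rel not in baseline:
            alerts.append({"event": "created", "path": rel})
    return alerts


def find_tokens(log_lines, tokens):
    """tokens: {token: decoy path}. A line containing a token betrays which decoy leaked."""
    return [(tokens[t], line) for line in log_lines for t in tokens if t in line]


def demo():
    """Run the whole cycle in a temporary directory standing in for a share."""
    with tempfile.TemporaryDirectory() as share:
        tokens = {
            plant_honey_token(share, "passwords.txt", "IT admin passwords"): "passwords.txt",
            plant_honey_token(share, "vpn_config.txt", "VPN backup config"): "vpn_config.txt",
        }
        # round-trip through JSON exactly as a stored baseline would be
        baseline = json.loads(json.dumps(build_baseline(share)))
        # simulate an intruder: edits one decoy, deletes the other, leaves a tool log behind
        (Path(share) / "passwords.txt").write_text("# IT admin passwords\nsvc_backup:CHANGED\n")
        (Path(share) / "vpn_config.txt").unlink()
        (Path(share) / "mimikatz.log").write_text("constructed attacker artifact\n")
        alerts = check_integrity(share, baseline)
        leaked = next(t for t, n in tokens.items() if n == "passwords.txt")
        # constructed log lines: the second carries the token from the decoy
        log_lines = [
            "sshd[4121]: Failed password for svc_backup from 10.0.0.7 port 51000",
            f"proxy: POST /upload body contains svc_backup:{leaked}",
        ]
        return {"alerts": alerts, "token_hits": find_tokens(log_lines, tokens)}
```

Two caveats a deployment needs. A hash baseline only sees writes, renames and deletions; it cannot tell you that a decoy was merely read or copied, which is the interaction you most want on a network share, so pair it with the operating system's object-access auditing (file access audit policy on Windows, auditd on Linux) and alert on any read of the decoy path. And keep the decoys out of every legitimate workflow, backups and indexing included, or the baseline will fire on your own tooling rather than on an intruder.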
