The primary objective of the LITNET CERT, the Computer Emergency Response Team of the LITNET networks is to tackle security incidents, but it is also fully dedicated to their prevention. In order to deal with shared security challenges, the CERT has been using honeypots since 2017 to improve password security, among other things. GÉANT spoke with Šarūnas Grigaliūnas, LITNET CERT IT team leader.
What is a honeypot, and what are its advantages?
A honeypot is a computer system that is set up as a ‘lure’ for cybercriminals. The honeypot mimics a target for hackers and might be a network or an application. We use the information entered and left behind by hackers to examine how they operate. This way, we can improve the security of our ‘real’ networks and systems.
The advantage of “honeypots” is their simplicity. They are relatively easy to set up and maintain. Moreover, the risk is low because the honeypot is not connected to our production systems, and we retain control over what the hacker can and cannot do.
As LITNET CERT, we spend a lot of time preventing cyber incidents. It was our own initiative to set up a honeypot. We do a lot of research to analyse the data obtained and share the information with our community.
What were the main results?
After setting up the honeypot, we noticed that more than half of the interactions with it came from cyber attackers. Once the hackers enter your system, they will often try to execute certain commands, for example, to delete all data on the system or to install malware, or a command to download a programme that automatically deletes all logs and evidence. We observed that attackers first find their way in the ‘easiest’ systems and then infiltrate more deeply into your network.
We use the honeypot in the first instance to improve our password security. The credentials entered by the botnets are obviously insecure. ‘Root’ is still the number one username used by hackers to try to get into systems. But usernames like ‘admin’, ‘user’, ‘test’ and ‘support’ are also often tried out by bots. For example, we can see that students often use the default ‘pi’ as a username for labs. When talking about insecure passwords, ‘1234’ is by far the most common.
Sometimes we see that attacks on our network come from IP-ranges belonging to our clients. This may indicate, for example, that a student is trying to break into the systems.
What do you do with the results?
As LITNET CERT, we are an independent, central body in close contact with the technical centres in the five universities of Lithuania. These centres are responsible for managing the infrastructure of the LITNET network. In the first instance, we share our findings and analyses with these technical centres. In addition, we also provide incident reports for our other clients (such as schools). Finally, we also share our knowledge with the national CERT in Lithuania.
Specifically, for the honeypot, we have created a blacklist of passwords that we incorporate in the security policy of our NREN. These are passwords that our own users, but also the users in the universities, are not allowed to use for important systems. These include passwords for LDAP servers, radius servers, active directory servers, etc. If a user nonetheless attempts to set an insecure login or password, they will automatically be notified that this is not possible. We also update the blacklist constantly.
The technical centres, in turn, decide which actions they want to implement about their end-users. Furthermore, all the universities list insecure passwords in their admin policy. Indeed, admin accounts involve more risk because they have access to so more systems and applications than a ‘standard’ user.
In an NREN context, a “single sign-on” is used, whereby a hacked password can access all systems and applications. For example, a hacker who hacks a student’s credentials for the eduroam Wi-Fi roaming service can also log on to other services such as document systems, etc. A strong and secure password is, therefore crucial!
Via the honeypot, we collect not only usernames and passwords but also IP addresses of bots. If we notice that a particular IP address is trying to enter a login or password that we have blacklisted, we will block this IP immediately.
Do you have any tips for other organisations?
A password remains the most important access to your systems! That’s why it is crucial that users are well aware that a strong password is an absolute necessity. Awareness is one aspect of your security, but it is also important to take technical measures such as automatically blocking insecure passwords.
A honeypot can give you a lot of insight with relatively little time and effort. That’s why I advise other organisations to make this a priority and examine the results in depth. Let the hackers do their job, so you can better secure your network!
More technical information
The platform used to set up the honeypot is COWRIE. Honeypots can be targeted at specific intrusion attacks like malware, spam, databases, etc. Miscreants have tools to detect Honeypots based on their characteristics, so, as with antivirus tools, it is an ongoing game of cat and mouse.
For LITNET networks a very simple Honeypot for intrusion detection rather than a research-oriented one to analyse attach methods is all that is needed. Honeypot software – LITNET CERT is using OpenBSD with Cowrie. TCP connect alerts: Kippo – SSH brute force logger; Dionaea – SMB/HTTP/FTPTFTP/MSSQL/MySQL/SIP logger; Glastopf – Python web application honeypot logger.
Our objective is to offer a reliable indicator of compromise. Therefore we have implemented a solution which flags a few surefire triggers that would encourage most attackers snooping around on an internal network: Port Scanning Activities and SSH/FTP/Telnet/VNC Connection Attempts. These types of traps can help you identify the hackers that affect your network. The more of them you leave, the more information you can gather.
Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020