Honeypots

Time: 4 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
>> Hi and welcome to lesson 2.2.4. In this lesson, we're going to talk about honeypots. This is going to be a very quick lesson, just a quick overview of what a honeypot is and how we can use them.

A honeypot is a system that we intentionally leave a little bit vulnerable. Maybe we don't patch it with all of the latest patches. We don't want it to look like a 20-year-old system, but maybe we just leave a few vulnerabilities in there and we don't patch it completely, or we configure it with a few mistakes intentionally. We do this so that we can monitor it with our security tools, and we can turn anything we learned during that monitoring into intelligence that we can feed into the rest of our systems.

The idea is we want to almost entice the bad guys to attack the system, especially ones that haven't attacked our environment before, that we may not know anything about, so that we can gather intelligence and understand their tactics and techniques, much like that MITRE framework we talked about earlier. We can take that data and we can put it into our other tools, so if we see that same type of attack against a legitimate system later, we already know about it and we can deter that attack.

The way it works typically is you're going to set a honeypot up in a DMZ environment. In this particular case, this would be a setup that we talked about earlier in the DMZ chapter, where we've got some application servers out on a DMZ that access a database, maybe behind the firewall or on the internal network, because we don't want to give Internet access directly to our database, so we have that tiered approach. But what if we took our application server farm, several application servers, and we made one of them a honeypot? That application server is running the same application as the other two servers. It looks basically the same, except it has a couple of misconfigurations or a couple of vulnerabilities on it.

Now as an attacker is doing their reconnaissance and they're scanning the environment, that system is going to look a lot more enticing to attack than the other systems, because the other ones are fully hardened. This one has a vulnerability, and that's what attackers do essentially. They'll scan an environment, look for vulnerabilities, and then try to attack that particular vulnerability. But this time when they attack that vulnerability, we've got all of our tools in the background pointing to that honeypot and monitoring it. Maybe that particular system doesn't even point to a real database on the back-end; maybe it points to a fake database with some fake data, so we can make attackers think they're actually getting real data when they're pulling things out, but they're not. The whole time we're sitting back, we're monitoring it, we're looking at the methods that they use, and we're turning that into threat intelligence for other systems.

That's really it on honeypots. As I said, this was going to be a really quick lesson. Next up, we're going to talk about the last lesson in our perimeter section, and that's going to be lesson 2.2.5. We're going to talk about remote access.
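The lesson describes the pieces of a DMZ honeypot in words: an application server that looks like its neighbours but carries a few deliberate mistakes, a fake database behind it, and monitoring that turns what attackers do into intelligence for the real servers. The following is an added example that is not part of the course material: a minimal low-interaction HTTP honeypot written for this page. Its "misconfigurations" are an unauthenticated /admin console and an exposed /.env file, both of which serve fake data; every request becomes a structured event, and `to_intel()` condenses those events into per-source indicators the real servers' controls could consume. It goes slightly beyond the transcript by seeding the fake database with canary strings, so that if those strings ever turn up elsewhere you know the honeypot was the source. The paths, fake banner, fake records and the example IP addresses are assumptions made for this illustration.

```python
"""Minimal low-interaction HTTP honeypot (added example, not the course's code).

It mimics an application server whose only "vulnerabilities" are deliberate:
an unauthenticated /admin page and an exposed /.env file, both serving fake
data. Every request is recorded as a structured event so the log can be turned
into threat intelligence for the real servers. Paths, banner and records below
are assumptions made for this example.
"""
import json
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen

# Fake "database": canary records (constructed). If these strings show up
# anywhere else, they can only have come from the honeypot.
FAKE_DB = {
    "customers": [{"id": 1, "email": "canary-a1b2@example.test"}],
    ".env": "DB_PASSWORD=honeypot-canary-9f3e\nAPI_KEY=hp-8c1d\n",
}

# Deliberately exposed paths and what an attacker sees there.
DECOYS = {
    "/admin": (200, "<h1>Admin console</h1><a href='/admin/export'>Export DB</a>"),
    "/admin/export": (200, json.dumps(FAKE_DB["customers"])),
    "/.env": (200, FAKE_DB[".env"]),
}

EVENTS = []            # in-memory event log; a real deployment ships these to a SIEM
_LOCK = threading.Lock()


def classify(path):
    """Tag the request so the SOC can see which lure was taken."""
    if path.startswith("/admin"):
        return "admin_access"
    if path == "/.env":
        return "secret_file_read"
    if path == "/":
        return "index"
    return "probe"     # anything else is scanning or fuzzing


def handle(method, path, client_ip, user_agent):
    """Pure request logic: returns (status, body, event). No I/O, so it is testable."""
    status, body = DECOYS.get(path, (404, "Not Found"))
    if path == "/":
        status, body = 200, "<h1>Orders app</h1>"   # the legitimate-looking front page
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": client_ip,
        "method": method,
        "path": path,
        "user_agent": user_agent,
        "status": status,
        "tag": classify(path),
    }
    return status, body, event


class HoneypotHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body, event = handle("GET", self.path, self.client_address[0],
                                     self.headers.get("User-Agent", ""))
        with _LOCK:
            EVENTS.append(event)
        data = body.encode()
        self.send_response(status)
        self.send_header("Server", "Apache/2.4.29 (Ubuntu)")   # fake banner (assumption)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep stdout quiet; EVENTS is the log
        pass


def to_intel(events):
    """Turn raw events into indicators for the real servers: one entry per
    source IP with the lures it touched, the paths it probed and a hit count."""
    intel = {}
    for e in events:
        if e["tag"] == "index":
            continue                  # visiting the front page alone is not hostile
        entry = intel.setdefault(e["src_ip"], {"tags": set(), "paths": set(), "hits": 0})
        entry["tags"].add(e["tag"])
        entry["paths"].add(e["path"])
        entry["hits"] += 1
    return {ip: {"tags": sorted(v["tags"]), "paths": sorted(v["paths"]), "hits": v["hits"]}
            for ip, v in intel.items()}


def serve(port=0):
    """Start the honeypot on localhost in a background thread; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), HoneypotHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = serve()
    base = "http://127.0.0.1:%d" % srv.server_port
    # Constructed "attacker" traffic, sent only to the local honeypot.
    for p in ("/", "/.env", "/admin", "/admin/export", "/wp-login.php"):
        try:
            urlopen(base + p).read()
        except Exception:
            pass                      # 404 raises HTTPError; the event is still logged
    srv.shutdown()
    print(json.dumps(to_intel(EVENTS), indent=2))
```

Run it directly and it starts the honeypot on a random localhost port, replays a short scan against itself, and prints the resulting indicators. The split between `handle()` (pure logic) and the handler class is deliberate: the decision of what an attacker sees and how the event is tagged can be unit-tested without sockets, and the same event schema can be shipped to whatever tool the real servers use for blocking.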