In Threat Intelligence, honeypots are a great tool that helps analysts quickly and effectively identify active threats, as well as gather statistics on automated attacks. When deploying a honeynet – likely due to budget constraints – analysts have not reinvented the wheel: the compendium of honeypots included in the T-Pot suite is one of the most common and widely implemented solutions. Deploying popular open-source honeypots on their own, such as Dionaea, Cowrie and Conpot, or service-specific ones such as ElasticPot, Citrix Honeypot and ADB-honey, is also very common.
The majority of honeynets deployed around the world are built on pre-existing open-source honeypots. Now the question is: how easy is it to identify them on a large scale? How easy is it to abuse them to perform counter-intelligence activities? Prior research has shown that honeypots configured with default parameters can be easily detected through straightforward techniques like service banner analysis or by identifying suspicious indicators, such as an excessive number of open ports or an industrial control system (ICS) hosted on a cloud provider.
However, what happens when honeypots are highly customized and integrated into a network in a manner that makes them resemble authentic devices? In this talk, we will reveal novel ways to identify honeypots by exploiting flawed logic issues in their packet-handling functions. By leveraging this approach, it is possible to identify honeypots even when all their customizable aspects have been properly set up. We have conducted one of the most comprehensive research studies in this area by analyzing around 40 honeypots where we identified flawed logic issues.
Based on our findings, we carried out a large-scale scan to detect these honeypots around the world and performed counter-intelligence activities to discover who is behind them. We will share interesting statistics as well as curious cases of unexpected entities running honeypots.
Sheila Berta is a cybersecurity specialist with over 15 years of experience. She is a dedicated and passionate professional in the field of information security, with a particular focus on hacking and offensive security. Self-taught from a young age, she has in-depth knowledge and expertise in a wide range of areas, including hardware hacking, reverse engineering, exploit development, network security, cloud security, big data and blockchain. Furthermore, she is a versatile developer, proficient in ASM, C/C++, Go, and Python. Sheila has shared her knowledge by teaching cybersecurity classes at universities in Argentina and by speaking at many of the top conferences, such as Black Hat USA, DEF CON, HITB, Ekoparty, HackInParis, and IEEE ArgenCon. Currently, she works as Head of Security Research at Dreamlab Technologies.