Inside Out Security Blog   /  

Detecting Honeypot Access With Varonis

Detecting Honeypot Access With Varonis
Honeypots are traps that the Blue Team (defenders) plant to catch potentially bad actors trying to exploit a vulnerability, snoop for data, or escalate privileges. Since a honeypot is a decoy, any access to it should raise a red flag.

Honeypots can be an intentionally unpatched server on the internet. For example, researcher Kevin Beaumont set up a network of vulnerable Exchange Servers he calls “ MailPot” in order to see who is trying to exploit the ProxyLogon CVEs. When he gets a “hit” on his honeypot, he can then observe the tactics, techniques, and procedures of the attackers in a controlled environment.

Honeypots don’t have to be servers. They can take the form of folders or SharePoint sites with sensitive-looking data, a fake Active Directory group that grants “privileged” access, an “executive” email box, or even a Microsoft Teams channel that has fake data and conversations. The goal of the honeypot is to draw attention, so anything that looks like sensitive data or a potential pathway to sensitive data can work.

With Varonis, you can create custom real-time alerts to trigger whenever there’s activity on your honeypot, giving your Incident Response team a heads up that someone is snooping around the network. Varonis’ robust audit trail can help you quickly investigate whether that access is innocuous or concerning so that you can act quickly to prevent real sensitive data compromise.

This blog will show you how to set up a Varonis alert on a honeypot and track down a potential threat using the Varonis audit data and forensics capabilities.

Creating the Honeypot with a Custom Real-Time Alert

DatAlert provides the threat detection capabilities to the Varonis Data Security Platform. In addition to the advanced user behavior analytics and pre-built threat models, you can also create custom alerts.

First, you need to create a honeypot. There are several kinds of honeypots, and you can read this academic research all about them. We will use a low-interaction honeypot for our purposes today, which is an enticing-looking file in an insecure folder.

Our Honeypot isn't suspicious at all

Second, you need to create a custom alert on your honeypot.

In DatAdvantage, select the Tools on the menu bar and then DatAlert to open the DatAlert configuration dialog.

Create the New Rule with the Green Plus button

Click the green plus to open the dialog to add a new alert.

DatAlert General Tab

In the General tab, enter the new rule name, select the severity, which for a honeypot should be “4-Warning.” Select your Alert Category and the type of resource where your honeypot lives in the Resource Type drop-down – I selected “Lateral Movement.” You can leave the rest of the options at their defaults.

Skip the Who tab, because we want this alert to trigger if anyone accesses the honeypot.

Select the server and honeypot directory in the Where tab.

DatAlert Where tab

In the What tab, select the events related to file and folder access.

DatAlert What tab

Skip to the Alert Method tab to set instructions for a response to tripping this alert. You can send emails, trigger alerts in SIEMs, or run a PowerShell script. We use scripts to disable user accounts and then power down their computers to remove them from the network.

Click Apply and wait for someone to fall into the honeypot.

Investigate the Incident

When a user trips the alarm, you can use the WebUI to create a total picture of their movements through your network. Non-malicious users will fall into the honeypot out of simple human curiosity. They will cause some false-positives. Diving into the alert details will help weed those out.

WebUI Honeypot Access alert

In the WebUI, set the activity filter to the user that fell into the honeypot.

WebUI filtered events

With a wealth of audit data, you can easily retrace the users’ steps. This forensic data is crucial to know for data breach notification requirements and can help remediate a cyberattack.

Better Security With Behavioral Analytics

Honeypots can be important tactical tools, but they aren’t adaptive, and you certainly don’t want to depend on honeypots to detect advanced threat actors. Dynamic, behavior-based threat models like the ones that come out-of-the-box with DatAlert are much better at detecting stealthy attackers with few false positives.

Rather than set up artificial honeypots, DatAlert can detect when users begin accessing real data in abnormal ways – such as a sysadmin reading the CEO’s inbox and marking messages as unread or a service account that is accessing sensitive Office documents then connecting to the internet for the first time.

Sign up for a Varonis demo to see how we approach cybersecurity differently.

We're Varonis.

We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

How it works