Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more
Blog Data Security

Detecting Honeypot Access With Varonis

Honeypots are traps that the Blue Team (defenders) plant to catch potentially bad actors trying to exploit a vulnerability, snoop for data, or escalate privileges. Since a honeypot is a decoy,...
Michael Buckbee
3 min read
Last updated June 16, 2023

Contents

    Honeypots are traps that the Blue Team (defenders) plant to catch potentially bad actors trying to exploit a vulnerability, snoop for data, or escalate privileges. Since a honeypot is a decoy, any access to it should raise a red flag.

     

    Honeypots can be an intentionally unpatched server on the internet. For example, researcher Kevin Beaumont set up a network of vulnerable Exchange Servers he calls “ MailPot” in order to see who is trying to exploit the ProxyLogon CVEs. When he gets a “hit” on his honeypot, he can then observe the tactics, techniques, and procedures of the attackers in a controlled environment.

     

    Get a Free Data Risk Assessment

    Honeypots don’t have to be servers. They can take the form of folders or SharePoint sites with sensitive-looking data, a fake Active Directory group that grants “privileged” access, an “executive” email box, or even a Microsoft Teams channel that has fake data and conversations. The goal of the honeypot is to draw attention, so anything that looks like sensitive data or a potential pathway to sensitive data can work.

    With Varonis, you can create custom real-time alerts to trigger whenever there’s activity on your honeypot, giving your Incident Response team a heads up that someone is snooping around the network. Varonis’ robust audit trail can help you quickly investigate whether that access is innocuous or concerning so that you can act quickly to prevent real sensitive data compromise.

    This blog will show you how to set up a Varonis alert on a honeypot and track down a potential threat using the Varonis audit data and forensics capabilities.

    Creating the Honeypot with a Custom Real-Time Alert

    DatAlert provides the threat detection capabilities to the Varonis Data Security Platform. In addition to the advanced user behavior analytics and pre-built threat models, you can also create custom alerts.

    First, you need to create a honeypot. There are several kinds of honeypots, and you can read this academic research all about them. We will use a low-interaction honeypot for our purposes today, which is an enticing-looking file in an insecure folder.

    Our Honeypot isn't suspicious at all

    Second, you need to create a custom alert on your honeypot.

    In DatAdvantage, select the Tools on the menu bar and then DatAlert to open the DatAlert configuration dialog.

    Create the New Rule with the Green Plus button

    Click the green plus to open the dialog to add a new alert.

    DatAlert General Tab

    In the General tab, enter the new rule name, select the severity, which for a honeypot should be “4-Warning.” Select your Alert Category and the type of resource where your honeypot lives in the Resource Type drop-down – I selected “Lateral Movement.” You can leave the rest of the options at their defaults.

    Skip the Who tab, because we want this alert to trigger if anyone accesses the honeypot.

    Select the server and honeypot directory in the Where tab.

    DatAlert Where tab

    In the What tab, select the events related to file and folder access.

    DatAlert What tab

    Skip to the Alert Method tab to set instructions for a response to tripping this alert. You can send emails, trigger alerts in SIEMs, or run a PowerShell script. We use scripts to disable user accounts and then power down their computers to remove them from the network.

    Click Apply and wait for someone to fall into the honeypot.

    Investigate the Incident

    When a user trips the alarm, you can use the WebUI to create a total picture of their movements through your network. Non-malicious users will fall into the honeypot out of simple human curiosity. They will cause some false-positives. Diving into the alert details will help weed those out.

    WebUI Honeypot Access alert

    In the WebUI, set the activity filter to the user that fell into the honeypot.

    WebUI filtered events

    With a wealth of audit data, you can easily retrace the users’ steps. This forensic data is crucial to know for data breach notification requirements and can help remediate a cyberattack.

    Better Security With Behavioral Analytics

    Honeypots can be important tactical tools, but they aren’t adaptive, and you certainly don’t want to depend on honeypots to detect advanced threat actors. Dynamic, behavior-based threat models like the ones that come out-of-the-box with DatAlert are much better at detecting stealthy attackers with few false positives.

    Rather than set up artificial honeypots, DatAlert can detect when users begin accessing real data in abnormal ways – such as a sysadmin reading the CEO’s inbox and marking messages as unread or a service account that is accessing sensitive Office documents then connecting to the internet for the first time.

    Sign up for a Varonis demo to see how we approach cybersecurity differently.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
    Michael Buckbee
    Michael Buckbee Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    how-honeypots-unmask-hackers-&-scammers-online
    How Honeypots Unmask Hackers & Scammers Online
    how-honeypots-unmask-hackers-&-scammers-online
    Kody Kinzie
    March 29, 2020
    How defenders use honeypots to unmask hackers, scammers, and internet catfish with tracking links
    lessons-learned-from-mat-honan's-epic-hacking
    Lessons Learned from Mat Honan's Epic Hacking
    lessons-learned-from-mat-honan's-epic-hacking
    Rob Sobers
    August 8, 2012
    ” Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.” If you haven’t read Gizmodo writer Mat Honan’s...
    threat-update-#12---does-zerologon-change-the-game?
    Threat Update #12 - Does Zerologon Change the Game?
    threat-update-#12---does-zerologon-change-the-game?
    Kilian Englert
    November 6, 2020
    Cybercriminals are using the Zerologon exploit to fast track lateral movement and privilege escalation. If left unpatched, the exploit lets attackers use the password of the primary domain controller to...
    windows-defender-turned-off-by-group-policy-[solved]
    Windows Defender Turned Off by Group Policy [Solved]
    windows-defender-turned-off-by-group-policy-[solved]
    Michael Buckbee
    June 17, 2020
    Windows Defender is a common AV solution, and attackers know how to work-around it. Learn how to turn Defender back on with this easy tutorial.