How To Configure HoneyPot file Tripwire

How to Configure Honeypot traps feature

This feature adds a new type of detection based on honeypot (bait) files placed anywhere in the file system. It is intended for locations that hold very sensitive data, where it shortens detection time. Honeypot files can be placed in as many locations as needed.

  1. Detects slow ransomware variants and non-standard IO patterns.
  2. Detects file access that attempts to encrypt a honeypot file itself, and allows an immediate critical lockout response.
  3. Detects ransomware even when user behavior analysis does not catch the initial attack pattern.
  4. Reduces the number of files encrypted, because any IO that touches a honeypot file triggers a response, which limits file system damage.

Overview

  1. Honeypot files are placed at the root of SMB or NFS mounts, because this is the first place ransomware can locate files: drive letters are mapped to the base of the SMB share.
  2. The files act as bait for ransomware. The detector watches for atypical IO access patterns against any file in the folder, alongside many other IO access patterns, so that it can find variants that do not use a previously seen pattern.
  3. Only 1 signal is needed to raise a Security Event. With Monitor Mode OFF / Critical Mode OFF, one signal places the event in the Major (DELAYED Lockout) threshold. With Monitor Mode OFF / Critical Mode ON, one signal places the event in the Critical threshold for immediate lockout.


Requirements

  1. At least 3 files must exist in the honeypot folder at the base of the share to trip the detector.
  2. The files must be created on each share that needs protection.
  3. For maximum protection, create honeypot files both at the base of the share and in a subfolder.


Configuration

Place the following files anywhere in the file system, following the procedure below. From a Windows client, repeat these steps on each SMB share that requires honeypot files.

Best Practice: Always create files at the base of the share and in at least 1 subfolder.

NOTE: By default, the file name pattern the detector matches is *igls-honeypot-*


Files at Base of SMB Share Configuration

  1. Mount the SMB share where you want the honeypot files (example share: smb01) to drive letter Z:
  2. From a cmd command prompt, cd to this mount point, e.g. Z:\
  3. Create 3 files at the base of the SMB share with these exact names:
    1. igls-honeypot-1
    2. igls-honeypot-2
    3. igls-honeypot-3

Sub Folder configuration

  1. Mount the SMB share where you want the honeypot files (example share smb01, whose path is /ifs/data/smb01) to drive letter Z:
  2. From a cmd command prompt, cd to this mount point, e.g. Z:\
  3. Create a folder named igls-honeypot in the smb01 share (it will be created with the path /ifs/data/smb01/igls-honeypot)
  4. Create 3 files under the igls-honeypot subfolder:
    1. igls-honeypot-1 - Path: /ifs/data/smb01/igls-honeypot/igls-honeypot-1
    2. igls-honeypot-2 - Path: /ifs/data/smb01/igls-honeypot/igls-honeypot-2
    3. igls-honeypot-3 - Path: /ifs/data/smb01/igls-honeypot/igls-honeypot-3
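The two procedures above are written for a Windows cmd prompt. As an added example (not Superna's own tooling), the POSIX shell functions below do the same job from a Linux host where the share is mounted (for instance an NFS or CIFS mount of /ifs/data/smb01), and then verify the requirement that the base of the share and the igls-honeypot subfolder each hold at least 3 matching files. The mount point /mnt/smb01 and the subfolder name are assumptions taken from the guide; the optional PATTERN argument anticipates the custom pattern section further down (for a custom pattern the files are named 1-PATTERN, 2-PATTERN, 3-PATTERN, matching that section's 1-file.docx example, so every name still contains the pattern).

```shell
#!/bin/sh
# Added example, not Superna's own tooling: create and verify honeypot bait files
# on a share mounted on a Linux host (e.g. an NFS or CIFS mount of /ifs/data/smb01).
# Assumptions: the mount point (e.g. /mnt/smb01) is writable, the detector uses the
# default pattern "igls-honeypot", and the subfolder is named igls-honeypot as in the guide.

HONEYPOT_SUBDIR="igls-honeypot"
DEFAULT_PATTERN="igls-honeypot"

# bait_name PATTERN N
# Default pattern -> igls-honeypot-N (the exact names in the guide);
# custom pattern  -> N-PATTERN (e.g. 1-file.docx), so the name still contains the pattern.
bait_name() {
    if [ "$1" = "$DEFAULT_PATTERN" ]; then
        printf '%s-%s\n' "$1" "$2"
    else
        printf '%s-%s\n' "$2" "$1"
    fi
}

# create_honeypot_files MOUNT [PATTERN]
# Creates three bait files at the base of MOUNT and three in the igls-honeypot subfolder.
create_honeypot_files() {
    mount="$1"
    pattern="${2:-$DEFAULT_PATTERN}"
    [ -d "$mount" ] || return 1
    mkdir -p "$mount/$HONEYPOT_SUBDIR" || return 1
    for dir in "$mount" "$mount/$HONEYPOT_SUBDIR"; do
        for n in 1 2 3; do
            f="$dir/$(bait_name "$pattern" "$n")"
            # Give the bait some content so it reads as a document rather than an empty file.
            [ -e "$f" ] || printf 'honeypot bait file %s\n' "$n" > "$f" || return 1
        done
    done
}

# count_honeypot_files DIR [PATTERN]
# Prints how many regular files directly in DIR have PATTERN somewhere in their name.
count_honeypot_files() {
    dir="$1"
    pattern="${2:-$DEFAULT_PATTERN}"
    count=0
    for f in "$dir"/*"$pattern"*; do
        [ -f "$f" ] && count=$((count + 1))
    done
    echo "$count"
}

# verify_honeypot MOUNT [PATTERN]
# Returns 0 only if the base of MOUNT and its igls-honeypot subfolder each hold at least
# 3 matching files (the minimum the detector needs); otherwise reports which folder is short.
verify_honeypot() {
    mount="$1"
    pattern="${2:-$DEFAULT_PATTERN}"
    status=0
    for dir in "$mount" "$mount/$HONEYPOT_SUBDIR"; do
        n=$(count_honeypot_files "$dir" "$pattern")
        if [ "$n" -lt 3 ]; then
            echo "WARN: $dir has $n file(s) matching *$pattern*, need at least 3" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage (mount point is an assumption):
#   create_honeypot_files /mnt/smb01 && verify_honeypot /mnt/smb01 && echo "honeypot ready"
```

Run verify_honeypot on its own from a scheduled job to confirm the bait files are still present; a share where users or cleanup scripts have deleted them silently loses this detection, and the warning on stderr makes that visible.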

How to change the file name used for honeypot files

Use this procedure to change the file name pattern the detector requires for honeypot files.

  1. Add the following to docker-compose.overrides.yml:
    1. nano /opt/superna/eca/docker-compose.overrides.yml
    2. Paste the text below into the file and make sure the spacing is respected exactly as shown. Each indent is 2 spaces.

version: '2.4'
services:
  fastanalysis:
    environment:
      - ECA_RWD_HONEYPOT_DIR_PATTERN

  2. Add the following to eca-env-common.conf (note: any file whose name contains the string below will trip the detector; the string can be changed from this example):
    1. nano /opt/superna/eca/eca-env-common.conf
    2. export ECA_RWD_HONEYPOT_DIR_PATTERN="file.docx"
  3. In this example you would create files named 1-file.docx, 2-file.docx, etc.
  4. Follow the steps above to create the files at the base of a share and in a subfolder under the share.
  5. The ECA cluster must be brought down and back up after the edits are complete:
    1. ecactl cluster down
    2. ecactl cluster up
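Because the cluster restart only picks up the new pattern if both edits are in place and the YAML indentation is exactly as shown, the following added example (POSIX shell, not part of the ECA tooling) checks both files before you run ecactl cluster down. The file paths are the ones named in this guide; the YAML check is deliberately strict about the 2-space, 4-space and 6-space indents the guide prescribes, so a tab-indented or differently nested copy is rejected. The demo_check function builds constructed copies of the snippets in a temporary directory so the check can be tried without touching a live installation.

```shell
#!/bin/sh
# Added example, not part of Superna's ECA tooling: sanity-check the two edits the
# guide asks for before running "ecactl cluster down" / "ecactl cluster up".
# Assumptions: the file paths from the guide; the YAML check is deliberately strict
# about the 2-space indentation the guide prescribes.

ECA_CONF="/opt/superna/eca/eca-env-common.conf"
ECA_OVERRIDE="/opt/superna/eca/docker-compose.overrides.yml"

# honeypot_pattern_from_conf CONF
# Prints the value of the last export ECA_RWD_HONEYPOT_DIR_PATTERN="..." line, or returns 1.
honeypot_pattern_from_conf() {
    value=$(sed -n 's/^export ECA_RWD_HONEYPOT_DIR_PATTERN="\([^"]*\)" *$/\1/p' "$1" | tail -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# override_passes_env YML
# Returns 0 if services -> fastanalysis -> environment lists ECA_RWD_HONEYPOT_DIR_PATTERN
# with the exact 2/4/6-space indentation from the guide (tabs or other nesting fail).
override_passes_env() {
    awk '
        /^  fastanalysis: *$/            { in_svc = 1; next }
        /^  [^ ]/                        { in_svc = 0 }   # next 2-space key ends the service
        in_svc && /^    environment: *$/ { in_env = 1; next }
        in_svc && /^    [^ ]/            { in_env = 0 }   # next 4-space key ends environment
        in_env && /^      - ECA_RWD_HONEYPOT_DIR_PATTERN *$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_honeypot_config [CONF] [YML]
# Prints the effective honeypot pattern when both edits are in place; otherwise says
# which edit is missing on stderr and returns 1.
check_honeypot_config() {
    conf="${1:-$ECA_CONF}"
    yml="${2:-$ECA_OVERRIDE}"
    if ! pattern=$(honeypot_pattern_from_conf "$conf"); then
        echo "ERROR: no export ECA_RWD_HONEYPOT_DIR_PATTERN=\"...\" line in $conf" >&2
        return 1
    fi
    if ! override_passes_env "$yml"; then
        echo "ERROR: $yml does not pass ECA_RWD_HONEYPOT_DIR_PATTERN to fastanalysis (check 2-space indents)" >&2
        return 1
    fi
    printf '%s\n' "$pattern"
}

# demo_check: constructed copies of the guide's snippets, written to a temporary
# directory, to show one passing and one failing check without touching the real files.
demo_check() {
    d=$(mktemp -d)
    printf 'export ECA_RWD_HONEYPOT_DIR_PATTERN="file.docx"\n' > "$d/eca-env-common.conf"
    printf "version: '2.4'\nservices:\n  fastanalysis:\n    environment:\n      - ECA_RWD_HONEYPOT_DIR_PATTERN\n" > "$d/good.yml"
    # Tab-indented copy: not valid YAML for compose, and rejected by the strict check.
    printf "version: '2.4'\nservices:\n\tfastanalysis:\n\t\tenvironment:\n\t\t\t- ECA_RWD_HONEYPOT_DIR_PATTERN\n" > "$d/bad.yml"
    check_honeypot_config "$d/eca-env-common.conf" "$d/good.yml"   # prints: file.docx
    check_honeypot_config "$d/eca-env-common.conf" "$d/bad.yml" || echo "bad.yml rejected as expected"
    rm -rf "$d"
}

# Usage on the ECA node, with the guide's default paths:
#   check_honeypot_config && echo "safe to run: ecactl cluster down && ecactl cluster up"
```

Note that the pattern printed by check_honeypot_config is the string the detector will look for inside file names, so it is also the string to use when naming the bait files in the steps above.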
© Superna LLC