How To Configure HoneyPot file Tripwire


How to Configure the Honeypot Traps Feature

This feature adds a new detection type based on honeypot (bait) files placed anywhere in the file system. It is intended for locations holding very sensitive data, where it shortens detection time, and honeypot files can be placed in as many locations as needed.

  1. Detects slow-moving ransomware variants and non-standard IO patterns.
  2. Detects any file access that encrypts a honeypot file itself, and allows an immediate critical lockout response.
  3. Detects ransomware even when the user-behavior detectors did not catch the initial attack pattern.
  4. Reduces the number of files encrypted, because any IO that touches the honeypot files is caught, which limits file system damage.

Overview

  1. Placed at the root of SMB or NFS mounts, since this is the first place ransomware can locate files: drive letters are mapped to the base of the SMB share.
  2. Uses the files as bait for ransomware and detects atypical IO access to any file in the folder, together with many known IO access patterns, so that variants that do not use a previously seen pattern are still found.
  3. Needs only 1 signal to raise a Security Event. With Monitor Mode OFF / Critical Mode OFF, one signal places the event in the Major - DELAYED Lockout threshold. With Monitor Mode OFF / Critical Mode ON, one signal places the event in the Critical threshold for immediate lockout.


Requirements

  1. A minimum of 3 honeypot files must exist at the base of the share to trip the detector.
  2. Each share that needs protection must have the files created.
  3. Create honeypot files at the base of the share and in a subfolder for maximum protection.


Configuration

Place the following files in the file system using the procedure below. From a Windows client, repeat these steps on each SMB share that requires honeypot files.

Best Practice: Always create files at the base of the share and in at least 1 subfolder.

NOTE: The file pattern to match by default is *igls-honeypot-*


Files at Base of SMB Share Configuration

  1. Mount the SMB share where you want the honeypot files: smb01 (example share) to drive letter z:
  2. Using cmd command prompt cd to this mount point. e.g. Z:\
  3. Create 3 files under the SMB share with these exact names:
    1. igls-honeypot-1 
    2. igls-honeypot-2 
    3. igls-honeypot-3 

Subfolder configuration

  1. Mount the SMB share where you want the honeypot files: smb01 (example share smb01 is /ifs/data/smb01) to drive letter z:
  2. Using the cmd command prompt, cd to this mount point, e.g. Z:\
  3. Create a folder named igls-honeypot in the smb01 share (it will be created with path /ifs/data/smb01/igls-honeypot)
  4. Create 3 files under the igls-honeypot subfolder:
    1. igls-honeypot-1 - Path: /ifs/data/smb01/igls-honeypot/igls-honeypot-1
    2. igls-honeypot-2 - Path: /ifs/data/smb01/igls-honeypot/igls-honeypot-2
    3. igls-honeypot-3 - Path: /ifs/data/smb01/igls-honeypot/igls-honeypot-3

How to change the file name used for Honeypot files

Use this procedure to change the file name string the detector matches.

  1. Add the honeypot pattern variable to docker-compose.overrides.yml:

     nano /opt/superna/eca/docker-compose.overrides.yml

     Paste the text below into the file and make sure the spacing is respected exactly as shown. Each indent is 2 spaces. Listing the variable name with no value in the compose file passes its value through from the environment in which the containers are started; the value itself is set in the next step.

version: '2.4'
services:
  fastanalysis:
    environment:
      - ECA_RWD_HONEYPOT_DIR_PATTERN

  2. Set the pattern in eca-env-common.conf. Any file whose name contains the string is treated as a honeypot, so the example string below can be replaced with one of your own:

     nano /opt/superna/eca/eca-env-common.conf

     export ECA_RWD_HONEYPOT_DIR_PATTERN="file.docx"

  3. In this example you would create files named 1-file.docx, 2-file.docx, etc.

  4. Follow the steps above to create the files at the base of a share and in a subfolder under the share.

  5. A cluster down and up is required after the edits are complete:
    1. ecactl cluster down
    2. then
    3. ecactl cluster up
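The SMB procedure above and the renaming procedure both come down to creating a set of files whose names contain the configured pattern, in the right places. The script below is an added example, not Superna's code: it creates the honeypot set at the base of a share and in the igls-honeypot subfolder, and audits a share against the Requirements section (at least 3 matching files at the base and in at least one subfolder). It assumes the share is reachable as a local path (the Z:\ mapping above, or an NFS mount of /ifs/data/smb01) and that the detector's name match is a plain substring test on ECA_RWD_HONEYPOT_DIR_PATTERN, as the note above describes.

```python
# Added example, not Superna's code: create and audit the honeypot file set
# from Python instead of typing each file by hand in cmd. Assumes the share is
# reachable as a local path and that the detector matches any file name
# containing ECA_RWD_HONEYPOT_DIR_PATTERN as a substring.
from pathlib import Path

DEFAULT_PATTERN = "igls-honeypot-"   # default pattern from the NOTE above
SUBFOLDER = "igls-honeypot"          # subfolder name used in the procedure above
MIN_FILES = 3                        # requirement: at least 3 files per location


def honeypot_names(pattern=DEFAULT_PATTERN, count=MIN_FILES):
    """Names to create. The default pattern gives igls-honeypot-1..N; a custom
    pattern such as 'file.docx' gives 1-file.docx, 2-file.docx, ... as in the
    renaming procedure above. Both forms contain the pattern as a substring."""
    if pattern == DEFAULT_PATTERN:
        return [f"{pattern}{i}" for i in range(1, count + 1)]
    return [f"{i}-{pattern}" for i in range(1, count + 1)]


def create_honeypots(share_root, pattern=DEFAULT_PATTERN, subfolder=SUBFOLDER):
    """Create the bait files at the base of the share and in one subfolder.
    Idempotent: files that already exist are left alone, because rewriting a
    live honeypot is IO against it and may itself raise an event."""
    root = Path(share_root)
    created = []
    for folder in (root, root / subfolder):
        folder.mkdir(parents=True, exist_ok=True)
        for name in honeypot_names(pattern):
            target = folder / name
            if not target.exists():
                target.touch()
                created.append(target)
    return created


def _matching_files(folder, pattern):
    """Regular files in folder whose names contain the pattern."""
    return [p for p in folder.iterdir() if p.is_file() and pattern in p.name]


def audit_honeypots(share_root, pattern=DEFAULT_PATTERN):
    """Check the Requirements above: at least MIN_FILES matching files at the
    base of the share and in at least one subfolder. Returns (ok, problems)."""
    root = Path(share_root)
    problems = []
    if len(_matching_files(root, pattern)) < MIN_FILES:
        problems.append(f"fewer than {MIN_FILES} files containing '{pattern}' at {root}")
    subdirs = [d for d in root.iterdir() if d.is_dir()]
    if not any(len(_matching_files(d, pattern)) >= MIN_FILES for d in subdirs):
        problems.append(f"no subfolder of {root} holds {MIN_FILES} files containing '{pattern}'")
    return (not problems, problems)


if __name__ == "__main__":
    import sys
    # Usage: python honeypots.py Z:\ Y:\   (one mapped drive or mount per share)
    if len(sys.argv) < 2:
        sys.exit("usage: honeypots.py SHARE_PATH [SHARE_PATH ...]")
    for share in sys.argv[1:]:
        create_honeypots(share)
        ok, problems = audit_honeypots(share)
        print(share, "OK" if ok else "; ".join(problems))
```

Run it once per mapped share after the pattern change and cluster restart; pass `pattern="file.docx"` (or whatever you exported) to both functions when the default name has been changed, since files matching the old pattern no longer count toward the minimum of 3.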



Ransomware Defender for ECS - Honeypot Configuration

Object Honeypot configuration

  1. Create a minimum of 3 honeypot objects and place them directly under the bucket with the following naming convention:
    1. igls-honeypot-1
    2. igls-honeypot-2
    3. igls-honeypot-3
  2. NOTE: before creating the honeypot objects in the ECS S3 bucket, it is recommended to disable honeypot detection temporarily, to avoid a false-positive detection while the objects are being created. To disable it:
    1. From the Eyeglass WebUI ⇒ Ransomware Defender ⇒ Settings ⇒ Threshold menu, select the Advanced radio button
    2. Then for THREAT_DETECTOR_11, set it to Disable
    3. Click the Submit button to apply the new setting
  3. To create the honeypot objects, use an S3 browser tool (e.g. Cyberduck). The following example is based on the Cyberduck interface:
    1. Connect to the ECS S3 bucket using Cyberduck (or another S3 browser tool)
    2. Browse to the bucket where the honeypot objects are to be placed
    3. Right-click the space inside that bucket, select New File from the menu, and provide the name igls-honeypot-1
    4. Repeat for igls-honeypot-2 and igls-honeypot-3
  4. Once created, the bucket listing shows the three igls-honeypot-* objects.
  5. Repeat steps 2 and 3 for each additional bucket that should be protected with honeypot objects.
  6. Once done, set THREAT_DETECTOR_11 back to the Enable state:
    1. From Eyeglass ⇒ Ransomware Defender ⇒ Settings ⇒ Threshold menu, select the Advanced radio button
    2. Then for THREAT_DETECTOR_11, set it back to Enable
    3. Click the Submit button to apply.


 

 

 

How to test Object honeypot

There are two options to test the honeypot:

  1. Using Cyberduck, download the 3 honeypot objects to a local machine.
    1. Select the 3 honeypot objects, right-click and select Download from the menu
    2. Verify the Ransomware Event under Active Events
  2. Using Cyberduck, delete the 3 honeypot objects from the ECS S3 bucket.
    1. Select the 3 honeypot objects, right-click and select Delete from the menu
    2. Verify the Ransomware Event under Active Events

After the delete test, re-create the 3 objects (with THREAT_DETECTOR_11 disabled, as in the configuration steps above) so the bucket stays protected.
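Creating the objects in many buckets, and then exercising them as the test above does, is easier to script than to click through. The following is an added example, not Superna's or Dell's code: it creates the three zero-byte honeypot objects directly under each bucket with boto3 (skipping ones that already exist), and then either downloads or deletes them to trigger the detector. It assumes boto3 is installed for real use, that the caller supplies the ECS S3 endpoint URL and access keys, and that THREAT_DETECTOR_11 has already been set to Disable in Eyeglass before the objects are created. FakeS3 is a constructed in-memory stand-in for the boto3 client so the example runs offline.

```python
# Added example, not Superna's or Dell's code: create the object honeypots in
# one or more ECS S3 buckets with boto3 instead of Cyberduck, and exercise them
# as the test section does (download, or delete). Disable THREAT_DETECTOR_11 in
# Eyeglass before creating the objects; this script cannot do that for you.
import io

HONEYPOT_KEYS = ["igls-honeypot-1", "igls-honeypot-2", "igls-honeypot-3"]


def ecs_client(endpoint_url, access_key, secret_key):
    """boto3 S3 client pointed at the ECS endpoint (imported lazily so the
    helpers below do not need boto3 when used with FakeS3)."""
    import boto3
    return boto3.client("s3", endpoint_url=endpoint_url,
                        aws_access_key_id=access_key,
                        aws_secret_access_key=secret_key)


def existing_honeypots(s3, bucket, prefix="igls-honeypot-"):
    """Keys in the bucket that start with the honeypot prefix."""
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=prefix)
    return sorted(obj["Key"] for obj in resp.get("Contents", []))


def create_honeypots(s3, buckets, keys=HONEYPOT_KEYS):
    """Create zero-byte honeypot objects directly under each bucket.
    Keys that already exist are skipped: rewriting a live honeypot is IO
    against it and is exactly what the detector watches for."""
    created = {}
    for bucket in buckets:
        present = set(existing_honeypots(s3, bucket))
        created[bucket] = []
        for key in keys:
            if key not in present:
                s3.put_object(Bucket=bucket, Key=key, Body=b"")
                created[bucket].append(key)
    return created


def trip_honeypots(s3, bucket, action, keys=HONEYPOT_KEYS):
    """Test option 1 ('download'): read each honeypot object.
    Test option 2 ('delete'): delete each honeypot object.
    Either should show up under Active Events; after a delete test, re-run
    create_honeypots (with the detector disabled) so the bucket stays covered."""
    if action not in ("download", "delete"):
        raise ValueError("action must be 'download' or 'delete'")
    touched = []
    for key in keys:
        if action == "download":
            s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        else:
            s3.delete_object(Bucket=bucket, Key=key)
        touched.append(key)
    return touched


class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client (offline demo).
    Any object with these four calls, a real boto3 client included, works."""
    def __init__(self):
        self.objects = {}                      # (bucket, key) -> bytes

    def list_objects_v2(self, Bucket, Prefix=""):
        keys = [k for (b, k) in self.objects if b == Bucket and k.startswith(Prefix)]
        return {"Contents": [{"Key": k} for k in keys]} if keys else {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


if __name__ == "__main__":
    # For a real cluster: s3 = ecs_client("https://ecs.example", "KEY", "SECRET")
    s3 = FakeS3()
    print(create_honeypots(s3, ["bucket-a", "bucket-b"]))
    print(trip_honeypots(s3, "bucket-a", "download"))
```

The prefix match in existing_honeypots is deliberately broader than the three exact names, so a bucket that already carries honeypots under a slightly different numbering is reported rather than silently topped up; check the returned list before deciding whether to re-enable THREAT_DETECTOR_11.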
Ransomware Event for Object Honeypot

It needs only 1 signal to raise a Security Event.

  1. With Enforcement Mode ON and Critical Mode OFF, one signal places the event in the Major - DELAYED Lockout threshold.
  2. With Enforcement Mode ON and Critical Mode ON, one signal places the event in the Critical threshold for immediate lockout.

© Superna Inc