Setting Up Malware Honeypots
A honeypot is a computer system that is set up as a decoy to tempt cyber-attackers and to detect, deflect or study attempts to gain unauthorized access to information systems. Generally, it consists of a computer, applications, and data that simulate the behavior of a real system that appears to be part of a network but is actually isolated and closely monitored.
NOTE: Legitimate users have no reason to access a honeypot. All communications with honeypots are considered hostile.
Viewing and logging this activity can provide an insight into the level and types of threats that a network infrastructure faces, while distracting attackers away from assets of real value.
Raz-Lee's malware honeypot mechanism generates honeypot files that:
- Let users discover where such decoy targets are needed and control the repositories in which they are implanted.
- Are always recognized by Raz-Lee's Anti-Ransomware software, even if they are copied or distributed, or their contents or names are altered.
- Like all other Anti-Ransomware mechanisms, are not evaluated on single events but on the rhythm of occurrences.
To set up and manage honeypots, select 1. Deploy Honeypots from the Malware Honeypots screen (STRAR > 7) as shown in Starting Anti-Ransomware. The Deploy Honeypots screen appears:
    Deploy Honeypots

    List the directory tree and show the number of honeypot files (H-P) files
    that exist in it and in any of its sub-directories.

    Start at directory . . . . ________________________________________________
                               Selecting a high level directory may increase
                               loading time.
    Subset by:
      Directory name contains . __________
      Directories without H-P . _          Y=Yes, N=No, A=All

    F3=Exit
To search a directory for honeypots, enter the pathname of the directory to be searched in the Start at directory field. (The field wraps over five lines, allowing for a very long pathname.) Search as specifically as you can, since searching at too high a level can take a long time.
To specify subdirectory names that contain a particular string, enter that string in the Directory name contains field.
To specify whether to display subdirectories with or without honeypots, enter one of these values in the Directories without H-P field:
- Y: Only list directories without honeypots.
- N: Only list directories with honeypots.
- A: List all directories.
To run the search, press Enter.
A second Deploy Honeypots screen appears:
    Deploy Honeypots                                      Start Dir: /tmp

    Type choices, press Enter.
      1=Work with H-P   4=Remove H-P   6=Add H-P   8=WRKLNK   9=Set as Start Dir

    Filter by name . . . __________
    Missing H-P  . . . . A          Y, N, A=All
    Window . . . . . . . __________

                File-Count
    Opt    H-P   Other   Folder
             1      72   /tmp/
            44       3   /tmp/.com_ibm_tools_attach/
                     7   /tmp/tstaud/
                     3   /tmp/tstaud/.com_ibm_tools_attach/
                     2   /tmp/tstaud/.com_ibm_tools_attach/1374741/
                     2   /tmp/tstaud/.com_ibm_tools_attach/1398595/
                     2   /tmp/tstaud/.com_ibm_tools_attach/851898/
                     2   /tmp/tstaud/.com_ibm_tools_attach/851915/
                     2   /tmp/tstaud/.com_ibm_tools_attach/852048/
                     2   /tmp/tstaud/.com_ibm_tools_attach/852049/
                                                                       Bottom
    F3=Exit  F12=Cancel  F13=Repeat  F14=End repeat  F19=Left  F20=Right
    F22=Display entire name
The body of the screen lists the directory that you specified and subdirectories within it. After the standard Opt column, each line shows, for one of the folders:
Count of H-P
The number of honeypot files in the directory.
Count of Other
The number of files in the directory that are not honeypots.
Folder
The pathname of the directory. If the name is truncated, to see the full name, place the cursor in the Opt field on that line and press the F22 (Shift+F10) key.
In the example, the /tmp/.com_ibm_tools_attach/ subdirectory of the /tmp starting directory contains 44 honeypot files and 3 other files.
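To show how the Start at directory, Directory name contains and Directories without H-P fields combine into the H-P / Other / Folder listing above, here is an added Python example; it is not Raz-Lee's code and it assumes a honeypot file is recognized simply by its name appearing in a default-names set (the product itself recognizes honeypots even when renamed), with a constructed sample tree built in a temporary directory.

```python
import os
import tempfile

# Assumption (not from the page): a honeypot is recognised by its file name
# matching a deployed default honeypot name. The real product recognises
# honeypots regardless of name or content; that logic is proprietary.
DEFAULT_HONEYPOT_NAMES = {"Balance2017.xlsx", "CLIENT 1.docx", "CLIENT 2.docx"}


def scan_honeypots(start_dir, name_contains="", without_hp="A"):
    """Mimic the Deploy Honeypots listing: one (hp_count, other_count, path)
    row per directory under start_dir, sorted by path.
    name_contains: only directories whose own name contains this string.
    without_hp:    'Y' = only directories lacking honeypots,
                   'N' = only directories holding honeypots, 'A' = all."""
    rows = []
    for dirpath, _subdirs, filenames in os.walk(start_dir):
        if name_contains and name_contains not in os.path.basename(dirpath):
            continue
        hp = sum(1 for f in filenames if f in DEFAULT_HONEYPOT_NAMES)
        other = len(filenames) - hp
        if without_hp == "Y" and hp > 0:
            continue  # directory already has decoys: hide it
        if without_hp == "N" and hp == 0:
            continue  # directory has no decoys: hide it
        rows.append((hp, other, dirpath.rstrip("/") + "/"))
    return sorted(rows, key=lambda r: r[2])


def build_sample_tree():
    """Constructed sample tree (not a real system), shaped like the page's
    example: the start dir holds one honeypot, a tools-attach subdirectory
    holds honeypots plus ordinary files, and an audit dir has no decoys."""
    root = tempfile.mkdtemp(prefix="hp_demo_")
    layout = {
        "": ["Balance2017.xlsx", "notes.txt", "report.pdf"],
        ".com_ibm_tools_attach": ["CLIENT 1.docx", "CLIENT 2.docx",
                                  "Balance2017.xlsx", "lock"],
        "tstaud": ["audit1.log", "audit2.log"],
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in files:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hp, other, path in scan_honeypots(root, without_hp="Y"):
        print(f"{hp:>4} {other:>6}  {path}")  # directories still needing decoys
```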
To add the default honeypot files (as defined on the Work with Default Honeypot Files screen, shown in Managing Default Honeypot Files) to a directory, enter 6 in the Opt field of that line.
To remove all honeypot files from a directory, enter 4 in the Opt field of that line.
To limit the list to only the subdirectories of one of the displayed directories, enter 9 in the Opt field of that line.
To modify the set of honeypot files in a directory, enter 1 in the Opt field of that line. The Work with Honeypot Files in a Directory screen appears:
    Work with Honeypot Files in a Directory     Dir: /tmp/.com_ibm_tools_attach/

    Type choices, press Enter.
      1=Work with   3=Copy   4=Remove   7=Rename   8=WRKLNK

    Opt   Type    Object
          *STMF   #CLIENT54.docx
          *STMF   2016.xlsx
          *STMF   2017.xlsx
          *STMF   Balance2017.xlsx
          *STMF   BalanceCaptl.xlsx
          *STMF   Business2017.xlsx
          *STMF   Business5y.xlsx
          *STMF   Bussines2y.xlsx
          *STMF   Bussines3y.xlsx
          *STMF   Bussinesy4.xlsx
          *STMF   CLIENT 1.docx
          *STMF   CLIENT 2.docx
                                                                       More...
    F3=Exit  F12=Cancel  F22=Full path
The body of the screen lists the honeypot files in the directory. For each, after the standard Opt field, it shows the Type of the file and the file's name. If the name is truncated, to see the full name, place the cursor in the Opt field on that line and press the F22 (Shift+F10) key.
To copy a file, enter 3 in the Opt field for that file. The Copy Object (CPY) screen appears. The screen shows three fields:
- Object: (Read-only) The pathname of the current file
- To object: A copy of the pathname, which you can alter to be the pathname of the new object
- Authority: One of these options:
*OBJ
The authority information for copied objects is based on the authority for the object to be copied.
*INDIR
The authority information for copied objects is based on the authority for the directory to which the file is to be copied.
*INDIROBJ
The authority information for copied objects is initially based on the authority for the directory to which the file is to be copied. Then authority information from the object to be copied is assigned to the target object.
To remove a file, enter 4 in the Opt field for that file. The Remove Link (DEL) screen appears, in which you can confirm that you want to remove the file.
To rename a file, enter 7 in the Opt field for that file. The Rename Object (REN) screen appears, in which you can enter the new name of the file.
To perform other operations on the file, enter 1 in the Opt field for that file. The standard IBM WRKLNK screen appears.