We needed it as bait for the attackers and as a means to support our own “work” in the decoy factory. It also allowed us to share files with our honeypot via USB drives without leaving a trace on the honeypot network. We installed Windows 7 Pro as the OS for the file server and created a shared folder on it that could be read and written by anyone.
Initially, we did not create any hierarchy of folders and documents on the file server. Later, however, we discovered that attackers were actively exploring this folder, so we decided to fill it with various files. To do this, we wrote a Python script that created files of arbitrary size with one of a given set of extensions, building each name from a dictionary of words.
The result was indescribably attractive:
Script to generate attractive file names. Source: Trend Micro
After running the script, we got the desired result: a folder full of files with very interesting names.
The output of the script. Source: Trend Micro
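The decoy generator described above, written here as an added example; it is not the Trend Micro script shown in the figure, whose word list and size range are not reproduced on the page. The word list, extensions and size bounds below are constructed assumptions. Two details a practitioner would add are included: file contents are random bytes rather than zero padding, and each file gets a randomized past modification time, since a share full of identically timestamped zero-filled files is an obvious tell to an attacker browsing it.

```python
import os
import random
import tempfile
import time
from pathlib import Path

# Constructed dictionary standing in for the original script's word list.
WORDS = ["confidential", "contract", "payroll", "invoice", "plc", "backup",
         "passwords", "budget", "hr", "audit", "vpn", "schematic"]
# Assumed set of "interesting" extensions; adjust to the target environment.
EXTENSIONS = [".docx", ".xlsx", ".pdf", ".txt", ".zip"]


def make_name(rng, words=WORDS, extensions=EXTENSIONS, parts=2):
    """Build a name like 'payroll_budget_2018.xlsx' from dictionary words."""
    stem = "_".join(rng.choice(words) for _ in range(parts))
    year = rng.randint(2015, 2020)
    return f"{stem}_{year}{rng.choice(extensions)}"


def generate_decoys(root, count, rng, min_size=1024, max_size=512 * 1024):
    """Create `count` decoy files under `root`, each of a random size in
    [min_size, max_size] bytes. Returns the list of created paths."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    created = []
    now = time.time()
    for _ in range(count):
        name = make_name(rng)
        path = root / name
        # Name collisions are likely with a small dictionary; add a counter
        # suffix rather than overwriting an earlier decoy.
        n = 1
        while path.exists():
            path = root / f"{Path(name).stem}_{n}{Path(name).suffix}"
            n += 1
        size = rng.randint(min_size, max_size)
        # Random content: a zero-filled file is immediately recognisable as a
        # fake when an attacker opens it.
        path.write_bytes(os.urandom(size))
        # Spread modification times over the last two years so the share does
        # not look like it was populated in one batch.
        mtime = now - rng.randint(0, 2 * 365 * 24 * 3600)
        os.utime(path, (mtime, mtime))
        created.append(path)
    return created


def demo(count=20):
    """Generate a small decoy set in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="decoys_")
    return generate_decoys(root, count, random.Random(42),
                           min_size=100, max_size=2000)


if __name__ == "__main__":
    for f in generate_decoys("./shared_decoys", 50, random.Random()):
        print(f, f.stat().st_size, "bytes")
```

Pointing `root` at the shared folder and raising `count` fills the share; the seeded `random.Random` in `demo()` exists only so the name sequence is reproducible when checking the generator.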
Monitoring environment
After spending so much effort creating a realistic company, we simply could not afford to fail at monitoring our “visitors.” We needed to get all the data in real time without the attackers knowing they were being monitored.
We implemented this using four USB to Ethernet adapters, four SharkTap Ethernet taps, a Raspberry Pi 3, and a large external drive. Our network diagram looked like this:
Honeypot network diagram with monitoring equipment. Source: Trend Micro
We positioned three of the SharkTaps to monitor all external traffic to the PLC, which was reachable only from the internal network. The fourth SharkTap monitored the guest traffic of a vulnerable virtual machine.
SharkTap Ethernet Tap and Sierra Wireless AirLink RV50 router. Source: Trend Micro
The Raspberry Pi performed the daily traffic captures. We connected to the internet through a Sierra Wireless AirLink RV50 cellular router, a model commonly used in industrial plants.
Unfortunately, this router did not allow us to selectively block attacks that did not fit our plans, so we added a Cisco ASA 5505 firewall to the network in transparent mode to perform blocking with minimal impact on the network.
Traffic analysis
Tshark and tcpdump are good for quick troubleshooting, but in our case their capabilities were not enough: we had many gigabytes of traffic that were being analyzed by several people. We used the open-source Moloch analyzer developed by AOL. It is comparable in functionality to Wireshark, but has more capabilities for collaboration, describing and tagging packets, exporting, and other tasks.