Honeypots and Honeyfiles

What Are Honeypots and Honeyfiles?

A honeypot is a system that cybersecurity professionals create deliberately to attract malicious attacks. These systems look like regular servers or user systems, with contents or services that appeal to attackers, but they aren't used by the organization for any legitimate purpose. Because no legitimate user has a reason to touch them, the organization simply monitors the honeypots carefully to see who is trying to get access to them and what the intruders are trying to do.
Honeypots are sometimes a controversial security practice. Security teams are often attracted to honeypots because they’re “cool” and, when configured correctly, can provide valuable alerts that an attacker is in the network. The concern is when security teams rely on honeypots as their primary source of alerting on a potential intruder rather than one of many alerting solutions.
The “coolness factor” of honeypots gets more attention than the much harder work of properly configuring the honeypots to deliver alerts in a timely manner with few false positives. Of course, it’s not just a matter of configuring and collecting alerts: Organizations also must know where to place honeypots in the network so they’ll be attractive to ransomware actors. Finally, honeypots work well only as part of a comprehensive security strategy. It’s important to understand where honeypots fit in and what they can and cannot do to help protect against ransomware.

External-Facing Honeypots

A lot of security vendors and security organizations set up external-facing honeypots to understand what types of exploits and other attacks ransomware (and other) groups are using. Honeypots of this kind, like those run by The DFIR Report, can provide invaluable intelligence to the community, but they require substantially more effort to maintain and keep running, and they're outside the scope of most organizations.
The focus of this page is on using honeypots for detection of ransomware attacks in progress. These types of honeypots, in conjunction with other security measures, improve your chance of detecting a ransomware actor on the network.

Honeypots As Effective Alerting Tools

As ransomware attacks have evolved, honeypots have become increasingly effective tools for catching ransomware actors before they execute the ransomware. In 2015 and 2016, when ransomware was primarily automated malware that attacked a single machine at a time, honeypots offered little value from a detection standpoint. Since today’s ransomware involves both gaining access to multiple systems on the network and exfiltrating files, honeypots are a much more important layer of security because they can alert to lateral movement and files being accessed and removed from the network.

One way honeypots can be useful in detecting a ransomware attack early is shown in the diagram below. As you can see, the organization has several Remote Desktop Protocol (RDP) servers connected to the network, isolated on their own network segment. There are some legitimate workstations on that same segment, but there are also two honeypot servers. One is set up to look like a file server, the other like a backup server. Both will likely be very attractive to a ransomware actor.
Both honeypots can be set up to send an alert to the SIEM anytime someone tries to access either one, creating an early warning that there’s likely an intruder in the network. In addition, honeyfiles have been set up on all of the RDP servers. These files aren’t accessed by legitimate users, but an Initial Access Broker (IAB) or ransomware actor is going to want to explore the server and likely access those files, if they have attractive enough file names (e.g., passwords-to-access-network.xlsx).
Sample honeypot network designed to detect ransomware actors during the reconnaissance stage
The diagram above is one example where honeypots and honeyfiles can be useful in an isolated network segment. But what about a network segment that has a lot of real endpoints and servers on it—how effective are honeypots in that environment?
Setting up honeypots on a primary network
Honeypots can actually be surprisingly effective, even on busy networks, if they’re placed correctly. The diagram above shows a network that employs decoy honeypots specifically to attract ransomware actors.

There are honeypot services that can help obfuscate the real Domain Controllers (DCs) so that legitimate employees connect to the correct one, while ransomware actors spend time connecting to the honeypot DC. Again, the goal is to deploy honeypots in a way that makes the honeypot attractive to ransomware actors without disrupting employee workflow.
It might be tempting to provide employees with a list of honeypots on the network so employees can avoid them. Security teams should resist that temptation, because communicating any information like that might wind up tipping off a ransomware actor, as well. As few people as possible should know about honeypot and honeyfile deployments in order to maximize their effectiveness.

Not Too Obvious

There’s a delicate balance required when naming honeypots and honeyfiles. You certainly want something attractive to the ransomware actor, but not so obvious that it raises suspicion. Similar to the iocaine powder scene in the movie “The Princess Bride,” you don’t want to overthink the naming conventions.
Ransomware groups are aware that organizations sometimes deploy honeypots, so they’re on the lookout for them. While you want to avoid giving honeypots names that are too obvious, such as allthebankaccounts.xlsx or ALLTHEBANKINGSTUFF, don’t make it difficult to find the systems or files, either.

High, Medium, or Low

Interaction with services on honeypots falls into three levels: high, medium, and low.

High-interaction honeypots closely emulate the service they're pretending to be. A high-interaction DC honeypot, for example, allows an attacker to authenticate and runs services similar to a DC, such as authenticating fake users and generating logs. High-interaction honeypots can be complex to set up and require maintenance to keep them running, but they can provide a great deal of intelligence about an attacker as they interact with the honeypots.
Low-interaction honeypots do very little with the ransomware attacker. Generally, these honeypots offer the open ports that many ransomware (and other) actors are looking for and return a plausible response, often a login prompt, with no real service behind it.

Medium-interaction honeypots allow organizations to do things like adjust the response given for a port. If an organization wants a service to appear to be a vulnerable version of that service, they can adjust the response and capture the incoming traffic from exploits. Medium-interaction honeypots can also present login prompts, but generally don't have login services.
Most organizations, unless they’re trying to create complex deception networks, are able to get by with either low-interaction or medium-interaction honeypots. This certainly applies to organizations looking for alerts that complement existing alerts denoting potential ransomware attackers.


Building a Honeypot

Creating a honeypot used to be a complex task that involved a lot of maintenance to keep them up and running and prevent them from becoming more of a security liability than an enhancement. As the deception market has grown from just over $1 billion in 2016 to over $2 billion in 2021, solutions to creating honeypots have gotten simpler.

There are a large number of open source honeypots, many of which are cataloged at the Honeynet Project. There has also been an explosion in commercial solutions. These solutions are easy to set up, with many vendors bragging that organizations can have a honeypot up and running in a few minutes. Commercial honeypot offerings are an attractive option to many organizations.
KFSensor, developed by KeyFocus Ltd., is one commercial honeypot solution that many organizations use. It’s an attractive choice because of the ease of setup and the ability to alert on common lateral movements employed by ransomware actors.

KFSensor detecting a network query sent over TCP port 135 is shown in the screenshot below. Port 135 is the Windows RPC endpoint mapper, and it's the first port touched by DCOM/WMI-based remote execution tools such as the Windows Management Instrumentation Command-line (WMIC). (PsExec, by contrast, works over SMB on TCP port 445, so a honeypot should listen on both.) In this particular case, the command run from another Windows server was:
C:\Windows\system32\cmd.exe /C wmic /node:"ALLAN" process call create "C:\1.exe"
This command tells the remote machine (ALLAN, the honeypot) to execute the ransomware PE, which the actor has already staged on it, typically by copying it over SMB. Ransomware threat actors will often use this command, or similar ones, for this purpose. This is, obviously, a detection in the late stages of a ransomware attack.
Detecting an attempt to use WMIC to execute a file on a remote host, using KFSensor

The nice thing about KFSensor, and other honeypot solutions, is that organizations can customize the type of traffic or activity on which the honeypot will alert. On a clean network that has excluded the honeypots from normal network maintenance (vulnerability scans, backup jobs, inventory agents), you might want to alert on any traffic to TCP port 135, but on a noisier network you might want to alert only on specific activities on TCP port 135 that are common to ransomware actors, such as an actual RPC bind rather than a bare port scan.
The captured traffic from the alert in the KFSensor console

The alert in more detail, including the traffic captured during the alert, is shown in the screenshot above to illustrate what type of data a honeypot can capture. Alerts from the honeypot can be viewed in the console of the honeypot manager directly or sent to a SIEM. Well-tuned honeypots can serve as high-priority alerts in the SIEM, and because nobody legitimate should be talking to them, honeypots shouldn't generate anywhere near the volume of logs that Windows Event logging or Sysmon do. This low volume makes it easier to filter out false positives until the only alerts generated indicate an attack.
Organizations that are unsure how to create signatures that don't generate a lot of false positives can look at information published from known ransomware attacks. Companies such as FireEye, Red Canary, and (previously mentioned) The DFIR Report publish extensive reports on ransomware attacks that list the commands used by the ransomware actor during the attack. The Cybersecurity and Infrastructure Security Agency (CISA) has also published a number of bulletins that contain this type of information, as do industry-specific Information Sharing and Analysis Centers (ISACs).
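As an added illustration of the low- and medium-interaction distinction above and of the alert tuning just described (example code written for this page, not KFSensor's or any vendor's), the following Python honeypot accepts connections on a handful of lure ports, answers with a configurable banner or with silence, captures the first bytes the client sends, and applies two tuning modes: on a clean network every non-allowlisted connection is an alert, while on a noisy network a connection to TCP 135 is escalated only when it carries an actual DCE/RPC bind request, which is what WMIC-style remote execution sends. The banner text, the allowlisted scanner address and the fake hostname are made up for the example.

```python
import datetime
import json
import socket

# Added example: a low/medium-interaction TCP honeypot with tunable alerting.
# Not KFSensor or any vendor's code; the banner, hostname and allowlist are invented.

# Per-port canned responses. An empty banner is the low-interaction case: accept
# the connection, capture whatever the client sends, answer nothing. A non-empty
# banner is the medium-interaction case: we choose the version string, here
# deliberately old-looking so the fake "backup server" is worth a second look.
BANNERS = {
    21:   b"220 ProFTPD 1.3.3c Server (BACKUP01) ready.\r\n",
    135:  b"",   # RPC endpoint mapper, the first port WMIC-style execution touches
    445:  b"",   # SMB, touched by share enumeration and PsExec-style execution
    3389: b"",   # RDP
}

# Sources allowed to touch the honeypot silently (e.g. the vulnerability scanner).
# Constructed for this example; keep the real list as short as you can.
ALLOWLIST = {"10.0.0.5"}

# DCE/RPC connection-oriented PDU header: version 5, minor 0, packet type 11 (bind).
# A client that sends this on port 135 is doing more than a port scan.
RPC_BIND_PREFIX = b"\x05\x00\x0b"


def classify(src_ip, service_port, payload, mode="clean"):
    """Apply the tuning rules to one captured connection.

    mode="clean": the honeypot is excluded from all maintenance, so any
    non-allowlisted connection is an alert.
    mode="noisy": on a busy network a bare TCP connect to 135 is background
    noise; only a real RPC bind attempt on 135 (what WMIC does) is escalated.
    Returns an alert dict ready for the SIEM, or None.
    """
    if src_ip in ALLOWLIST:
        return None
    if mode == "noisy" and service_port == 135 and not payload.startswith(RPC_BIND_PREFIX):
        return None
    severity = "high" if service_port in (135, 445) else "medium"
    return {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": src_ip,
        "dst_port": service_port,
        "severity": severity,
        "rule": f"honeypot:{mode}:tcp{service_port}",
        "payload_hex": payload[:64].hex(),   # first bytes, for the analyst
    }


def handle_client(conn, addr, service_port, mode="clean"):
    """Serve one accepted connection and return its alert (or None)."""
    conn.settimeout(3)
    try:
        banner = BANNERS.get(service_port, b"")
        if banner:
            conn.sendall(banner)
        try:
            payload = conn.recv(1024)
        except socket.timeout:
            payload = b""
    finally:
        conn.close()
    return classify(addr[0], service_port, payload, mode)


def open_listener(service_port, bind_addr="0.0.0.0", listen_port=None):
    """Bind a socket that impersonates service_port (listen_port may differ, e.g. in tests)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, service_port if listen_port is None else listen_port))
    s.listen(5)
    return s


def serve(listener, service_port, mode="clean", sink=print, max_conns=None):
    """Accept loop; every alert goes to sink, which would forward it to the SIEM."""
    served = 0
    while max_conns is None or served < max_conns:
        conn, addr = listener.accept()
        served += 1
        alert = handle_client(conn, addr, service_port, mode)
        if alert:
            sink(alert)


def to_siem(alert):
    # Stand-in for a syslog/HTTP forwarder: one JSON object per line.
    print(json.dumps(alert))


if __name__ == "__main__":
    # Real use: one listener per lure port (binding ports below 1024 needs privileges).
    serve(open_listener(135), 135, mode="clean", sink=to_siem)
```

The tuning lives entirely in `classify`, so the same listener can run in "clean" mode on the isolated RDP segment and in "noisy" mode on a busy primary network; the captured bytes are kept in the alert so the analyst can tell a scanner's empty probe from a real RPC bind.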
School house

The Story You’re About To Hear Is True

The story in this section is based on a real-life incident. A security manager had used a Thinkst Canarytoken embedded in a Word Document as a honeyfile. The manager named the file passwords.docx and filled it with hundreds of fake username/password combinations to increase the size of the file and make it more attractive.
One Saturday night, the manager received an email alert that the file had been opened, in Ukraine. The manager called the Security Operations Center (SOC) to ask whether they had detected any malicious activity on the network, but they hadn't. Out of an abundance of caution, they activated the organization's incident response (IR) company, which came onsite early Sunday morning.
After a few hours of hunting, the IR team found evidence of a ransomware attack in progress. The IR company was able to stop the attack before anything was encrypted, although after files had been exfiltrated. The manager also realized that the SOC had to do more detection tuning.

Creating a Honeyfile

In addition to honeypots, many organizations use honeyfiles to detect exfiltration attempts. Like honeypots, honeyfiles are designed to be attractive to intruders, but not to employees or other users who have legitimate access to the system.
As an example, the honeyfiles on the Internet-facing RDP servers in the first diagram above wouldn't be accessed in the same way by legitimate employees and by ransomware threat actors. Employees normally connect to the RDP server and use that access to get to their ultimate destination in the network, whereas a ransomware actor would likely poke around the system looking for files with interesting names, like “passwords,” that ransomware groups find hard to resist.
The "Anatomy of a Modern Ransomware Attack" page discusses specific keywords that ransomware actors search for when looking for files on the victim network:
cyber
policy
insurance
endorsement
supplementary
underwriting
terms
bank
2020
2021
statement

These keywords could potentially be excellent lures for ransomware actors looking for files. The trick is to think like a ransomware actor and come up with file names that will play on their greed or desire for a shortcut to deploying the ransomware. It's basically using the same playbook that ransomware groups use in phishing attacks but turning the tables.

One popular way to create quick and easy honeyfiles is with Canarytokens, the free service from Thinkst Canary. Canarytokens embeds a beacon into a document or object, such as a Microsoft Word or Excel file, a PDF, an image, a directory folder, and more. Any time the Canarytoken is triggered, it generates an email or webhook alert.
Canarytokens are an easy way to detect potential exfiltration by a ransomware (or other) actor. Simply place the file created on the Canarytokens website in a folder that would be attractive to a ransomware actor and unlikely to be accessed by an employee (see image below). If the file is placed correctly, an alert should be generated only if the file is accessed by a malicious actor. There may be some trial and error involved in placing the file in a way that it isn’t accessed by employees.
Placing the Canarytoken in a folder where it will be seen by ransomware actors
When the Canarytoken is triggered, it generates an alert similar to the screenshot below that provides the owner of the token with the time, date, and location of the triggered file. In this case, the file was accessed from IP address 5[.]8[.]16[.]167.
An alert triggered by someone opening the Microsoft Word Canarytoken
A quick Whois search of RIPE’s database, seen in the image below, shows that the file was opened in Russia, which is likely a really bad sign.
Whois search of the IP address included in the triggered alert

Canarytokens work so well because ransomware actors often lack discipline when it comes to exfiltrating files, as shown in the “School House” callout in this section. This is especially true if the ransomware actor thinks those files are going to help them move throughout the victim's network more easily.
But not all ransomware actors lack discipline, which is one of the drawbacks to using Canarytokens in files: The token is a beacon that has to call home, so the file has to be opened on a system that can reach the Internet in order for the alert to fire. If a ransomware actor opens a honeyfile on a system that isn't connected to the Internet (or whose outbound traffic is filtered), or waits until after the ransomware is deployed before opening the honeyfile, the triggered alert either never arrives or arrives too late.
One way to enhance the effectiveness of honeyfiles is to create Windows event alerts when the honeyfiles are accessed, because those fire on the host itself and don't depend on the attacker having Internet access. This is done by enabling “Audit File System” in Windows Event logging (Advanced Audit Policy, Object Access) and then setting an auditing entry (SACL) on each honeyfile, since file system auditing only generates events for objects that carry one, and then alerting on the events triggered by honeyfiles, as listed in the table below.
Windows events triggered by honeyfiles 
Similar to the other alerts, if honeyfiles are properly placed in the directory, these events should be rare and generate few false positives. You'll probably have to configure backup and other file scanning software to skip these files, or the folders they're in, or else ignore the events generated by those tools' service accounts.
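The following Python detection, added here as an example and not taken from the page, shows what the alerting step looks like once file system auditing is in place: it reads Windows Security events (a constructed sample export, one JSON object per line, in the shape a SIEM would hand you), keeps only the audit events that touch a planted honeyfile, drops the expected noise from the backup service account and the antivirus engine, and flags an account that has touched honeyfiles on more than one host, which is the lateral-movement pattern described earlier. Paths, hostnames and account names are invented; the 4660 deletion event in Windows carries only a handle ID, so the sample assumes the SIEM has already joined it to the 4656 that opened the handle.

```python
import json
import ntpath

# Added example: honeyfile access detection over constructed Windows Security
# event records. Not the page's code; paths, hosts and accounts are made up.

# Audit File System event IDs that matter for a honeyfile.
ACTIONS = {4656: "handle requested", 4663: "accessed", 4660: "deleted"}

# Honeyfiles we planted (compared case-insensitively, as NTFS does).
HONEYFILES = {
    r"C:\Users\Public\Documents\passwords.docx",
    r"D:\Finance\cyber-insurance-policy-2021.pdf",
}

# Noise suppression: the backup service account and the AV engine touch every
# file; their reads are expected and would otherwise drown the real alerts.
IGNORE_USERS = {"svc_backup"}
IGNORE_PROCS = {"msmpeng.exe"}

# Constructed sample export, one JSON object per line. The 4660 record is
# assumed to have been joined by the SIEM to the handle that opened the file.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "Computer": "RDP01", "SubjectUserName": "svc_backup", "ObjectName": "C:\\Users\\Public\\Documents\\passwords.docx", "ProcessName": "C:\\Program Files\\BackupAgent\\agent.exe", "AccessMask": "0x1"}
{"EventID": 4663, "Computer": "RDP01", "SubjectUserName": "SYSTEM", "ObjectName": "C:\\Users\\Public\\Documents\\passwords.docx", "ProcessName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "AccessMask": "0x1"}
{"EventID": 4663, "Computer": "RDP01", "SubjectUserName": "jdoe", "ObjectName": "C:\\Users\\Public\\Documents\\passwords.docx", "ProcessName": "C:\\Windows\\explorer.exe", "AccessMask": "0x1"}
{"EventID": 4663, "Computer": "RDP01", "SubjectUserName": "jdoe", "ObjectName": "C:\\Users\\jdoe\\Documents\\report.docx", "ProcessName": "C:\\Windows\\explorer.exe", "AccessMask": "0x1"}
{"EventID": 4688, "Computer": "RDP01", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4663, "Computer": "RDP02", "SubjectUserName": "jdoe", "ObjectName": "D:\\Finance\\cyber-insurance-policy-2021.pdf", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "AccessMask": "0x1"}
{"EventID": 4660, "Computer": "RDP02", "SubjectUserName": "jdoe", "ObjectName": "D:\\Finance\\cyber-insurance-policy-2021.pdf", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""


def load_events(text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_noise(ev):
    """True for accesses by accounts or processes we expect to touch every file."""
    if ev.get("SubjectUserName", "").lower() in IGNORE_USERS:
        return True
    proc = ntpath.basename(ev.get("ProcessName", "")).lower()
    return proc in IGNORE_PROCS


def detect(events, honeyfiles=HONEYFILES):
    """Return one alert per audit event that touches a honeyfile and is not noise."""
    lures = {p.lower() for p in honeyfiles}
    alerts = []
    for ev in events:
        action = ACTIONS.get(ev.get("EventID"))
        if action is None:
            continue
        if ev.get("ObjectName", "").lower() not in lures:
            continue
        if is_noise(ev):
            continue
        alerts.append({
            # Deletion after exfiltration is the worst case: escalate it.
            "severity": "critical" if action == "deleted" else "high",
            "host": ev["Computer"],
            "user": ev["SubjectUserName"],
            "file": ev["ObjectName"],
            "process": ntpath.basename(ev.get("ProcessName", "")),
            "action": action,
        })
    return alerts


def escalate(alerts):
    """One account touching honeyfiles on several hosts looks like lateral movement."""
    hosts_by_user = {}
    for a in alerts:
        hosts_by_user.setdefault(a["user"], set()).add(a["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}


if __name__ == "__main__":
    found = detect(load_events(SAMPLE_EVENTS))
    for a in found:
        print(json.dumps(a))
    print("lateral movement suspects:", escalate(found))
```

Run against the sample, the backup agent and Defender reads are dropped, the three reads and the deletion by jdoe on RDP01 and RDP02 become alerts, and jdoe is flagged for touching honeyfiles on two hosts. The noise lists are the part you will tune in practice; the point of the honeyfile is that once they are right, everything left is worth a phone call.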

Honeypots and Honeyfiles Alone Are Not Enough

Remember, not every ransomware group exfiltrates files. Even groups that conduct manual ransomware operations don’t always exfiltrate files. For example, there have been no reports to date that the group behind Ryuk ransomware steals files during an attack.
Although honeyfiles can be a powerful tool for detecting ransomware attacks, they don’t help detect all ransomware attacks. Honeyfiles rely on the file being accessed, moved, or even opened before they generate an alert. As has been discussed, not all ransomware groups do this, and there’s no guarantee a ransomware group will spot a specific honeyfile. This is why they must be used as part of a comprehensive ransomware detection program, similar to the strategies discussed elsewhere on this site.

Taking Action on Alerts

As with other security measures discussed throughout this site, honeypots and honeytokens are effective only if action is taken on the alerts they generate. Organizations that are planning to incorporate honeypots and honeytokens into their ransomware security regimen need to consider how alerts are generated from those systems. Ideally, those alerts should be sent to a central logging system, such as a SIEM, rather than relying solely on administrators retrieving alerts from the honeypot or honeyfile console.
If alerts can’t be logged, the organization must account for alerts being generated outside of the normal channels and needs a plan to make sure alerts are being regularly monitored. This is true for all security tools, but especially for honeypots and honeytokens. Properly configured, these tools offer credible indications of an active ransomware attack in progress. But seeing the alert days or weeks after it was sent is likely too late to stop the ransomware attack.
