Last updated at Wed, 29 Nov 2023 00:09:01 GMT

In order to overcome the adversary, we must first seek to understand. By understanding how attackers operate, and what today’s modern network looks like from an attacker’s perspective, it’s possible to deceive an attacker, or at least have warning around internal network compromise. Today, let’s touch on a classic deception technology that continues to evolve: the honeypot.

Honeypots are decoy systems, deployed alongside production systems with the intent of tricking attackers into interacting with them. By deceiving an attacker into carrying out his/her attack on a non-critical, well-monitored system, valuable insight can be gained into their attack methods, and information can be gathered for forensic or legal purposes.

Setting up a honeypot can help you:

  • Divert attackers
  • Detect malicious traffic
  • Receive early warning of attack
  • Deception technology, including honeypots, come ready to use out of the box in InsightIDR, Rapid7’s threat detection and incident response solution. This blog post will focus on setting up and testing a low-interaction honeypot in InsightIDR.

    Honeypots should mimic production systems in order to provide value as a true deception technology. InsightIDR’s honeypot is downloaded as an OVF file and requires the following specifications:

    • 1 CPU
    • 1GB RAM
    • 10GB Disk Space

    How to Deploy a Honeypot in InsightIDR

    Download the Honeypot

    1. From the InsightIDR homepage, navigate to the top right:Click to Setup under Honeypots

    2. From the top right corner of the page:Click Download Honeypot

    3. Launch the virtual machine using the honeypot-collector.ovf file downloaded from InsightIDR.

    Set Up the Honeypot

    In order for the honeypot to work effectively, set up the honeypot with a naming convention that matches your environment. Please be sure to use the Fully Qualified Domain Name (FQDN).

    Things to consider before setting up a honeypot include:

    • Are you going to use a static IP address?
    • Do you have a static DNS server?
    • Do you have a proxy?

    Steps to Set up and Activate a Honeypot

    1. Choose a hostname. 2. Identify if the IP address is static, if there is a static DNS server, or an applicable proxy server.
    1. You should now see an agent key in the honeypot.

    2. Enter the agent key into InsightIDR, and click Activate.

    Test the Honeypot

    Now that the honeypot is set up, here is how we can test it. (Note: An alert should trigger when you test the honeypot.)

    Initiate nmap to simulate internal network reconnaissance on your network.

    If deployment is successful, a “Honeypot Access” alert will appear in Investigations.

    Permit Vulnerability Scanners

    If you perform regular vulnerability scans, chances are you don’t want to receive those alerts every time. You can permit the vulnerability scanner by selecting “Close” on the alert, then by selecting “Ignore honeypot connection attempts from this asset.”

    Not yet an InsightIDR user?

    If you’re still reeling from a previously failed SIEM deployment, InsightIDR has abstracted out all of the pain points of traditional [SIEM](https://www.rapid7.com/fundamentals/siem/) tools (like buying and managing hardware, poor UX, and writing and tuning detection rules). Even more, it’s a cinch to deploy, as InsightIDR does all the heavy lifting and all that’s required from you is a few clicks of a button to be off the ground running.