Why Honey Pot?
For wasps it is not uncommon to prepare a trap with sweet water that they can get into but cannot get out of. Honey Potting on a computer, or across a computer community, is the practice of putting out enticing sets of files so that unwanted activity goes to them first and is caught, detected, or at least slowed down there. The unwanted activity usually starts as looking: a voyeur browsing things that should not be seen. Next it may involve placing new items into the system, either as modifications of existing pieces or as something new, in the hope that they are lost among the thousands of other files on a computer. Honey Pots aim to be the attractive place that draws both the voyeur and the attacker. To that end, "pots" are positioned so that they are among the first things a perpetrator visits when looking for valuable information or when trying to improve their current access within a Computer Community.
Monitoring Pots
Different levels of expectation are possible with Honey Potting. Level 1 is to detect that someone is being a voyeur in parts of your Computer Community that they should not be in. The Pot is an area where nobody should be, so if anybody is there, they are moving where they should not. Level 1 monitoring of the pot is therefore to spot and report any and all access to any file in the pot. Level 1.5 monitoring is to detect whether they are doing anything more than looking: changing, adding or deleting files is unfounded and unacceptable behaviour. Level 2 monitoring is based on audit controls for the Pot that allow the identification of the account performing the looking and/or changing. Level 3 actions with a Honey Pot are to be able to "limit", "throttle", "track" or "ShutDown" the unwanted activity and the accounts behind it.
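The following is an added example of what the Level 1 and Level 1.5 checks look like in PowerShell; it is not the HoneyPotMonitorControl.ps1 described on this page. The pot paths, the manifest location and the parameter names are assumptions made for illustration.

```powershell
# Added example, not the HoneyPotMonitorControl.ps1 described on this page.
# Level 1  : any read of a pot file since the baseline is reported.
# Level 1.5: any added, changed or deleted pot file is reported.
# Pot paths and manifest path below are assumed for illustration.
param(
    [string[]]$PotPaths = @('C:\Shares\Corp\0_Finance_Archive', 'C:\Shares\Corp\zz_HR_Payroll_Backup'),
    [string]$ManifestPath = 'C:\ProgramData\HoneyPot\manifest.json',
    [switch]$WriteBaseline   # (re)build the manifest instead of checking against it
)

function Get-PotState {
    # Snapshot every file under the pots: SHA-256, size, write time, access time.
    param([string[]]$Paths)
    $state = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Pot missing: $root"; continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force | ForEach-Object {
            $accessed = $_.LastAccessTimeUtc          # capture BEFORE we read the file
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $_.LastAccessTimeUtc = $accessed          # undo the access our own hashing just caused
            $state[$_.FullName] = [pscustomobject]@{
                Hash       = $hash
                Length     = $_.Length
                LastWrite  = $_.LastWriteTimeUtc.ToFileTimeUtc()
                LastAccess = $accessed.ToFileTimeUtc()
            }
        }
    }
    return $state
}

function Read-Manifest {
    # ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable keyed by path.
    param([string]$Path)
    $table = @{}
    $json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($p in $json.PSObject.Properties) { $table[$p.Name] = $p.Value }
    return $table
}

function Compare-PotState {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) { $findings.Add("L1.5 ADDED   $path"); continue }
        $b = $Baseline[$path]; $c = $Current[$path]
        if ($b.Hash -ne $c.Hash -or $b.Length -ne $c.Length -or $b.LastWrite -ne $c.LastWrite) {
            $findings.Add("L1.5 CHANGED $path"); continue
        }
        # Nobody should be here, so a newer access time than the baseline is itself a finding.
        if ($c.LastAccess -gt $b.LastAccess) { $findings.Add("L1   READ    $path") }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) { $findings.Add("L1.5 DELETED $path") }
    }
    return ,$findings
}

$current = Get-PotState -Paths $PotPaths
if ($WriteBaseline -or -not (Test-Path -LiteralPath $ManifestPath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $ManifestPath) | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) files across $($PotPaths.Count) pots"
    return
}
$findings = Compare-PotState -Baseline (Read-Manifest -Path $ManifestPath) -Current $current
if ($findings.Count -eq 0) {
    Write-Output 'PERIODCHECK: no anomalies'
} else {
    foreach ($f in $findings) { Write-Warning $f }
    # An "email only on violations" step (e.g. Send-MailMessage) would hang off this branch.
}
```

Two caveats that the Level 1 check depends on: NTFS must be updating last-access times (check with `fsutil behavior query disablelastaccess`; a value of 1 or 3 means they are off, and `fsutil behavior set disablelastaccess 0` turns them on), and the monitor must restore the access time after hashing, as above, or every run trips its own Level 1 alarm. Anyone with write access to a pot can also reset these timestamps, which is why Level 2 auditing is the backstop rather than an optional extra.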
The Provided Tools
The tools provided allow a Computer Community or a single Computer to build Pots and monitor them to Level 1.5 directly. (Level 2 and 3 are facilitated by the structure developed but require changes to the audit policies for the Pot folders and organization policies on throttling or stopping account activity.)
Execution in Scheduled Task: %systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe
Attributes of Scheduled Task: -executionpolicy Bypass -WindowStyle Hidden -file "yourlocation\HoneyPotMonitorControl.ps1"
(-executionpolicy Bypass applies only to this invocation and is needed when the script is unsigned; where scripts are signed, sign HoneyPotMonitorControl.ps1 and drop Bypass so the task runs under the machine policy.)
The default actions are to use the locally placed manifest file, perform a PERIODCHECK review from the Scheduled Task, and send email notifications only when violations or anomalies occur. A review of 10+ pots holding about 5000 files takes less than 30 seconds; the Scheduled Task interval can be adjusted accordingly.
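As an added deployment example (not part of the page's tooling): registering the task with the executable and attributes listed above, and putting the Level 2 prerequisite in place by auditing object access on each pot folder so that the account behind a finding can be read back from the Security log. The script location, pot paths, task name, account and the 15-minute interval are assumptions.

```powershell
# Added example, not part of the page's tooling. Run from an elevated PowerShell.
# Assumed: where HoneyPotMonitorControl.ps1 was placed and which folders are pots.
$scriptPath = 'C:\ProgramData\HoneyPot\HoneyPotMonitorControl.ps1'
$potPaths   = @('C:\Shares\Corp\0_Finance_Archive', 'C:\Shares\Corp\zz_HR_Payroll_Backup')

# 1. The Scheduled Task: same executable and arguments as listed on this page.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-executionpolicy Bypass -WindowStyle Hidden -file `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 3650)
# A dedicated monitor account is preferable; SYSTEM is used here only so the example runs as-is.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'HoneyPotMonitor' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# 2. Level 2 prerequisite: object-access auditing on, plus a SACL entry on every pot.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, 'None', $flags)
foreach ($pot in $potPaths) {
    $acl = Get-Acl -LiteralPath $pot -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $pot -AclObject $acl
}

# 3. Reading the trail: event 4663 names the account and process behind each pot access.
function Get-PotAccessEvents {
    param([string[]]$Pots, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $object = $_.Properties[6].Value          # ObjectName, per the 4663 event template
            foreach ($pot in $Pots) {
                if ($object -like "$pot*") {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        Account = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
                        Process = $_.Properties[11].Value
                        Object  = $object
                    }
                    break
                }
            }
        }
}
# Exclude the monitor's own reads (it runs as the task account) and show everyone else.
Get-PotAccessEvents -Pots $potPaths | Where-Object { $_.Account -ne 'NT AUTHORITY\SYSTEM' } | Format-Table -AutoSize
```

Because the monitor itself reads every pot file on each PERIODCHECK, its own accesses land in the same audit trail; running it under a dedicated account makes that exclusion precise, whereas filtering on SYSTEM (as above) also hides anything an intruder does after escalating to SYSTEM.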
Building Honey Pots
Building pots tries to place them as an early pick-up point and a last pick-up point (in case the perpetrator comes in from the other direction), with pots in the middle as way points within the community. At the Community level the Honey Pots may be dedicated VMs used for no other purpose, so that a perpetrator exploring machines gravitates to them and is detected. At the machine level, pots may be placed high (names starting with 0 [zero]), low (names starting with Z) and in the middle of a file system so that they sort to the top, the bottom and the middle of any listing and catch activity within a single computer. These pots also balance the number of folders and subfolders, the number of files and the total storage needed, partly so that any malicious activity on these locations is slowed down.
Attractiveness of the pots is another factor. Sometimes the attraction is the wish for valued information about customers, vendors, staff or finances; things that look like financial information, sales and histories can be prepared for this. Attractiveness also matters for those seeking ways to improve their access and permissions on a machine or within a Computer Community; things that appear to be admin tools and processes that might let slip passwords and the like are the other major attraction.
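An added example of a pot builder that puts the two preceding ideas together (it is not the page's own build tool): one pot that sorts first (0_), one that sorts last (zz_) and one that sits in the middle of a listing, each with year-named subfolders and lure files named for finance data or admin tooling, sized and aged so the pot does not stand out as freshly planted. The root path, pot names, templates, counts and sizes are all assumptions.

```powershell
# Added example, not the page's build tool. Root path, pot names, counts and sizes are assumed.
param(
    [string]$Root = 'C:\Shares\Corp',
    [int]$FilesPerPot = 150,
    [int]$SubFolders = 8,
    [int]$MaxKB = 512
)

# Lure name templates: {0} = quarter/revision, {1} = year. Names sort high (0_), middle (IT_), low (zz_).
$lures = @{
    '0_Finance_Archive'    = @('Q{0}_Sales_History_{1}.xlsx', 'Customer_List_{1}_v{0}.csv', 'Vendor_Payments_{1}.xlsx')
    'IT_Admin_Tools'       = @('reset_ad_password_v{0}.ps1', 'service_accounts_{1}.txt', 'vpn_setup_v{0}.bat')
    'zz_HR_Payroll_Backup' = @('Payroll_{1}_Q{0}.xlsx', 'Staff_Salaries_{1}.csv', 'Benefits_{1}_v{0}.docx')
}

function New-LureContent {
    # Text lures get plausible rows so grep-style triage "finds" something; the rest get random filler.
    param([string]$Path, [int]$Bytes, [System.Random]$Rng)
    if ($Path -match '\.(ps1|bat)$') {
        # The credential below is a deliberately fake lure, not a real secret.
        $text = "# internal use only`r`n`$cred = 'svc_backup:CHANGEME'   # fake lure credential`r`nnet use \\FILESERVER01\backup$ /user:svc_backup CHANGEME`r`n"
        Set-Content -LiteralPath $Path -Value $text -Encoding ASCII
    } elseif ($Path -match '\.(csv|txt)$') {
        $rows = foreach ($n in 1..[Math]::Max(1, [int]($Bytes / 48))) {
            'ACC{0:d6},{1},{2}' -f $Rng.Next(1, 999999), $Rng.Next(100, 99999), (Get-Date).AddDays(-$Rng.Next(1, 1500)).ToString('yyyy-MM-dd')
        }
        Set-Content -LiteralPath $Path -Value ("account,amount,posted`r`n" + ($rows -join "`r`n")) -Encoding ASCII
    } else {
        $buf = New-Object byte[] $Bytes
        $Rng.NextBytes($buf)
        [System.IO.File]::WriteAllBytes($Path, $buf)
    }
}

function New-HoneyPots {
    param([string]$Root, [hashtable]$Lures, [int]$FilesPerPot, [int]$SubFolders, [int]$MaxKB)
    $rng = New-Object System.Random
    $summary = @()
    foreach ($pot in ($Lures.Keys | Sort-Object)) {
        $potPath = Join-Path $Root $pot
        # Year-named subfolders add depth; more folders and files mean more for an intruder to wade through.
        $folders = @($potPath) + (1..$SubFolders | ForEach-Object { Join-Path $potPath (2010 + $_) })
        foreach ($d in $folders) { New-Item -ItemType Directory -Force -Path $d | Out-Null }
        for ($i = 0; $i -lt $FilesPerPot; $i++) {
            $dir  = $folders[$rng.Next($folders.Count)]
            $tmpl = $Lures[$pot][$rng.Next($Lures[$pot].Count)]
            $path = Join-Path $dir ($tmpl -f $rng.Next(1, 5), (2010 + $rng.Next(0, 14)))
            if (Test-Path -LiteralPath $path) { $path = $path -replace '\.(\w+)$', "_($i).`$1" }
            New-LureContent -Path $path -Bytes ($rng.Next(4, $MaxKB) * 1024) -Rng $rng
            # Age the timestamps so the pot looks like it has been there for years.
            $f = Get-Item -LiteralPath $path
            $f.LastWriteTime  = (Get-Date).AddDays(-$rng.Next(30, 1500))
            $f.CreationTime   = $f.LastWriteTime.AddDays(-$rng.Next(0, 30))
            $f.LastAccessTime = $f.LastWriteTime
        }
        $files = Get-ChildItem -LiteralPath $potPath -Recurse -File
        $summary += [pscustomobject]@{
            Pot   = $potPath
            Files = $files.Count
            MB    = [Math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 1)
        }
    }
    return $summary
}

New-HoneyPots -Root $Root -Lures $lures -FilesPerPot $FilesPerPot -SubFolders $SubFolders -MaxKB $MaxKB | Format-Table -AutoSize
```

Take the manifest baseline immediately after building, before anyone else can touch the pots, and keep the three sizing knobs in proportion: too few files and the pot is walked in a moment, too many and the periodic hash check itself becomes the slow part.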
Features of what is generated in the build include: