Honeypot deceives attacker trying to exploit Apache Struts Vulnerability

The Network: A technology provider with an on-site IT team. Netsurion's SIEM service supplements this team.

The Expectation: Robust and up-to-date prevention mechanisms (antivirus, next-generation firewall) thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary.

The Catch: Netsurion's security analysts detected an attempt from an IP address in China to probe whether an external-facing server was vulnerable to the Apache Struts vulnerability (CVE-2017-5638), which has been disclosed as the vulnerability behind the Equifax attack.

The Find: Netsurion's security analysts observed an alarm from the Intrusion Detection System (ETIDS): a packet originating from China matched the signature for an attempt to exploit CVE-2017-5638. The target machine was identified as an external-facing Linux server. However, the joke was on the attacker, as this was not a real machine but a honeypot deliberately placed in the external IP range of the network. This is part of Netsurion's HoneyNet deception service. The objective is to lure attackers into attacking the honeypot, thereby exposing themselves. This delays attackers and exposes them through their own actions.

The Fix: Netsurion's security analyst immediately notified the customer IT team, who quickly blocked the attacker's IP at the external firewall. Adding the attacker IP to the ACL of the external firewall probably won't help much on its own, since attackers change IP addresses frequently. The key highlight is that the honeypot succeeded in delaying and confusing the attacker. Updated intrusion detection signatures also played a part in this case.
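The detection step above, as an added illustration that is not Netsurion's code: the well-known CVE-2017-5638 signature looks for an OGNL expression delimiter inside the HTTP Content-Type header, which no legitimate media type contains. The log format and the sample lines below are constructed for the example, and the matching requests' source addresses are collected for the firewall handoff described in The Fix.

```python
import re

# Constructed honeypot access-log lines (hypothetical format, not Netsurion's):
# src_ip method path "Content-Type header value"
SAMPLE_LOG = """\
203.0.113.5 POST /struts2-showcase/index.action "multipart/form-data; boundary=----abc"
198.51.100.7 GET /index.html "-"
203.0.113.9 POST /upload.action "%{#placeholder_ognl_expression}"
203.0.113.9 POST /upload.action "${#placeholder_ognl_expression}"
"""

LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ctype>[^"]*)"$')

# CVE-2017-5638 abused the Jakarta multipart parser by placing an OGNL
# expression in the Content-Type header; a legitimate media type never
# contains these expression delimiters, so their presence is the signal.
OGNL_DELIMITERS = ("%{", "${")


def is_struts_ognl_probe(content_type: str) -> bool:
    """Return True if the Content-Type value carries an OGNL expression delimiter."""
    return any(d in content_type for d in OGNL_DELIMITERS)


def detect(log_text: str) -> list[dict]:
    """Scan log lines and return one finding per request matching the signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if is_struts_ognl_probe(m["ctype"]):
            findings.append({"src": m["src"], "path": m["path"], "ctype": m["ctype"]})
    return findings


def source_ips(findings: list[dict]) -> set[str]:
    """Distinct source addresses to hand to the firewall team for a (short-lived) block."""
    return {f["src"] for f in findings}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"CVE-2017-5638 probe from {h['src']} against {h['path']}")
    print("sources to block:", sorted(source_ips(hits)))
```

Because the honeypot serves no real application, any hit is actionable; on a production server the same check should be correlated with the application's patch level before escalating.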

The Lesson: Deception is now an important element of a defense strategy. Attackers can be delayed, confused and redirected, making them lose sight of the real objective. This gives defenders time to respond and to mount additional security. Traditional signature-based defenses work well against known attacks, and keeping them updated is an important element of modern network defense.