Cybersecurity

HopLab: creating highly interactive honeypots

Date: Changed on 29/05/2024
In cybersecurity, a “honeypot” is a decoy that is installed on a network to divert attackers from their real target or to study their behaviour. At the Laboratoire de Haute Sécurité (LHS) in Rennes, scientists are developing a platform that will make it possible both to dynamically deploy a wide variety of baits and to better understand attackers’ tactics by giving them greater scope to interact with the systems they target, while observing them.
Research on malware to detect infections as quickly as possible - cybersecurity - Rennes
© Inria / Photo C. Morel

 

Professionalized. This is the word that is now being used to describe cybercrime. Botnets, or zombie networks[1], are being produced on an industrial scale with the intention of infecting computer systems. In automatic mode, these bots search for doors. They sneak in. They hide. They spy. They steal files. They corrupt data. They hijack hard drives. They paralyse machines.

They target businesses, government departments, schools and hospitals. No sector is spared. And the number of victims keeps rising.

© Inria / Alexandre Sanchez
Diagram showing the number of intrusion attempts on the “honeypot”.

Hence the need for scientists to gain a better understanding of this massive, multi-faceted threat. One way of doing this is to install what is known as a “honeypot” on machines: a decoy that can be used to observe the actions of the botnet or attacker. But this has major limitations. “In the current state of the art, these are low-interaction honeypots”, explains Alexandre Sanchez, research engineer at the LHS in Rennes. “Attackers think they are connecting to a machine. They can send a number of orders, but they are not connected to a real operating system. They will never gain administrator rights.” 

The advantage: “Nothing can go wrong. There is no risk.” The downside: “it doesn't go very far. In any case, not far enough to study the attacker’s behaviour in detail.”

 

To carry out more in-depth investigations, researchers are currently developing high-interaction honeypots. What is the difference?

We offer attackers a real operating system. We let them proceed. They can do many things. They may try to use the machine to mine Bitcoins. To host illegal content. To encrypt the hard drive. We can observe this behaviour in detail, but in complete security because, of course, we set the rules.

© Inria / Alexandre Sanchez
Mapping the origins of intrusion attempts on the honeypot

Deploying honeypots on the fly

Behind this first innovation lies a second. “We don't just want a standard, unalterable honeypot. We want to be able to deploy them dynamically, on the fly.” This would enable a very high degree of responsiveness.


“Vulnerabilities are regularly discovered. Last year, for example, a flaw was identified in Log4j, a small piece of code used by many websites, creating panic. When confronted with this kind of situation, we want to be able to snap our fingers and build and deploy a honeypot containing this vulnerability.”

Alexandre Sanchez, research engineer at the High Security Laboratory (LHS)

Or better still: “develop a variety of honeypots incorporating the flaw, including Windows environments and Linux environments.”

Using high-level procedures, the challenge for the new HopLab platform is to automatically generate a credible, controlled vulnerability scenario with a high degree of variability. “For the time being, we have only implemented a small number of these high-level procedures. Our idea is to reach a stage where we can click to choose several procedures from a list and our tool will generate these vulnerabilities in a whole series of honeypots in different environments. We could even open it up to a community of users wishing to contribute to these studies.”

Taking part in a “Capture the Flag” event

To further develop HopLab, the researchers will also be using “capture-the-flag” (CTF) exercises. These sessions enable a red team to launch attempted intrusions on a system monitored by a blue team. During its spring science days, CyberSchool in Rennes organised an exercise of this kind called CERBERE. On this occasion, around twenty participants worked with the platform, interacting with ten vulnerable infrastructures designed especially for the occasion and randomly based on the same vulnerabilities.

Four doctoral students were involved. “The first worked on the automated generation of vulnerable environments from high-level descriptions. The second on analysing execution traces. The third on fault-finding. And the fourth on analysing network traces. This gave us the full range of activities that interest us.”

 


[1] A botnet is a network of Internet-connected programs that communicate with other similar programs to perform various tasks. Some of these networks are used for malicious purposes. A zombie network is a computer system controlled by a cybercriminal without the knowledge of its legitimate user.

 


Find out more about the HopLab project with Alexandre Sanchez (in French)


Breizh CTF 2024: France's biggest IT security competition

Inria is taking part in the Breizh CTF on May 17, 2024. The PIRAT team will be proposing a CTF challenge that will enable us to collect new data to advance research! Our teams will also be on hand to talk cybersecurity and recruitment!