HopLab: creating highly interactive honeypots

Professionalized. This is the word that is now being used to describe cybercrimie. Botnets, or zombies networks^[1], are being produced on an industrial scale with the intention of infecting computer systems. In automatic mode, these bots search for doors. They sneak in. They hide. They spy. They steal files. They corrupt data. They hijack hard drives. They paralyse machines.

They target businesses, government departments, schools and hospitals. No sector is spared. And the number of victims keeps rising.

© Inria / Alexandre Sanchez

Hence the need for scientists to gain a better understanding of this massive, multi-faceted threat. One way of doing this is to install what is known as a “honeypot” on machines: a decoy that can be used to observe the actions of the botnet or attacker. But this has major limitations. “In the current state of the art, these are low-interaction honeypots”, explains Alexandre Sanchez, research engineer at the LHS in Rennes. “Attackers think they are connecting to a machine. They can send a number of orders, but they are not connected to a real operating system. They will never gain administrator rights.” 

The advantage: “Nothing can go wrong. There is no risk.” The downside: “it doesn't go very far. In any case, not far enough to study the attacker’s behaviour in detail.”

To carry out more in-depth investigations, researchers are currently developing high-interaction honeypots. What is the difference ? 

We offer attackers a real operating system. We let them proceed. They can do many things. They may try to use the machine to mine Bitcoins. To host illegal content. To encrypt the hard drive. We can observe this behaviour in detail, but in complete security because, of course, we set the rules

© Inria / Alexandre Sanchez

Deploying honeypots on the fly

Behind this first innovation lies a second. “We don't just want a standard, unalterable honeypot. We want to be able to deploy them dynamically, on the fly.” This would enable a very high degree of responsiveness.

Or better still: “develop a variety of honeypots incorporating the flaw, including Windows environments and Linux environments.”

Using high-level procedures, the challenge for the new HopLab platform is to automatically generate a credible, controlled vulnerability scenario with a high degree of variability. “For the time being, we have only implemented a small number of these high-level procedures. Our idea is to reach a stage where we can click to choose several procedures from a list and our tool will generate these vulnerabilities in a whole series of honeypots in different environments. We could even open it up to a community of users wishing to contribute to these studies.”

Taking part in a “Capture the Flag” event

To further develop HopLab, the researchers will also be using “capture-the-flag” (CTF) exercises. These sessions enable a red team to launch attempted intrusions on a system monitored by a blue team. During its spring science days, CyberSchool in Rennes organised an exercise of this kind called CERBERE. On this occasion, around twenty participants worked with the platform, interacting with ten vulnerable infrastructures designed especially for the occasion and randomly based on the same vulnerabilities.

Four doctoral students were involved. “The first worked on the automated generation of vulnerable environments from high-level descriptions. The second on analysing execution traces. The third on fault-finding. And the fourth on analysing network traces. This gave us the full range of activities that interest us.

^[1]A botnet is a network of Internet-connected programs that communicate with other similar programs to perform various tasks. Some of these networks are used for malicious purposes. A zombie network is a computer system controlled by a cybercriminal without the knowledge of its legitimate user.