Work with customers/partners when setting up a honeynet and have them include broadcast e-mail messages across the administration team regarding some new backup or development servers coming online (not that they are honeypots). Remember that adversaries may be watching your e-mail.
Use classified channels to discuss project details.
Host and Applications
When setting up your host and applications, consider the following:
How do you ensure your honeypot looks like the production asset one IP address over?
How do you set up a honeypot to have the right amount of data to keep attackers interested once they are on the machine?
You can add realism as follows:
Ensure usernames match the schema.
Ensure all user accounts do not have similar associated login and creation dates.
Generate traffic.
Match host applications to network applications.
Ensure applications are reasonably updated and patched (typically no more than every 90 to 120 days).
Content Filling
Content filling is the act of regularly filling the honeynet with host and network content that is perceptually consistent with production network traffic, while allowing for additional pieces of information that could be used as bait to entice the attacker into interacting with your honeynet. Content filling is very important when adversaries compromise a honeypot and set up a host or network monitor. Again, you need to think like the attacker. You want the attacker to feel comfortable with the types of host and network activity on any given network segment.
The following are some of the high-level considerations regarding content filling:
Unusual or lack of network activity can be a huge indicator or outdated timestamps.
It is important to set your mind to that of the attacker’s view: you have an objective or mission that requires you to enter an adversary’s perimeter and exfiltrate intelligence.
Understanding what may be seen as an indicator that an attacker is in a honeynet is very important. For example, do not leave honeynet tools on a CD in the CD-ROM drive. Never copy honeynet tools to a host or download honeynet tools from a honeypot. Always do these things from an out-of-band system and burn them to a CD, and then run the task from the CD-ROM in the honeypot.
