CSIRT-IE Honeypot Reports.
Objective.
CSIRT-IE's primary focus, in regard to the following reports, is to notify the owners of hosts within its jurisdiction that have been identified and reported for suspicious or malicious activity involving honeypot instances. CSIRT-IE seeks to inform the responsible network operators and constituents by email, based upon the IP address of the identified host, and to provide advice and recommendations on how to reduce the threat posed by that host.
Suspicious & Malicious Activity involving Honeypot Instances.
| No. | Activity | Description |
|---|---|---|
| 1. | Interaction. | Interacting with a honeypot: scanning for and attempting to exploit vulnerabilities, attempting to gain access, accessing restricted areas, attempting or carrying out the exfiltration of data, and attempting or carrying out the deployment of malware. |
| 2. | Network Reconnaissance. | Port scanning, which is often the first step in an attack. |
| 3. | Exploitation of Vulnerabilities. | An attempt to exploit, or the exploitation of, vulnerabilities in the honeypot. |
| 4. | Exfiltration of Data. | An attempt to exfiltrate data, or the exfiltration of data, from the honeypot. |
| 5. | Network Traffic. | Unusual or unexpected network traffic directed at the honeypot is an indication of potential malicious activity. |
Source of Information.
The Shadowserver Foundation is a Non-Governmental Organisation and one of the world's leading resources for internet security reporting and malicious activity investigation. The Shadowserver Foundation works with national governments, network providers, enterprises, financial and academic institutions, law enforcement agencies, and others, to reveal security vulnerabilities, expose malicious activity and help remediate victims. The Shadowserver Foundation scans the entire IPv4 internet every day for Internet-accessible servers and services and reports the security vulnerabilities found. In 2022, the Shadowserver Foundation began systematically rolling out IPv6 scanning of services. Information on the Shadowserver Foundation Reports and the data contained therein can be found at:- Shadowserver Foundation Reports
The Shadowserver Foundation Event Severity Levels.
On the 12th Oct 2023, the Shadowserver Foundation introduced a new system of categorising events in their reports, called Event Severity Levels, making it possible for recipients of their reports to filter events based upon the severity of the actual event reported. The Shadowserver Foundation has also commenced applying a default severity level to each of their reports.
| No. | Level | Description |
|---|---|---|
| 1. | Critical. | Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-authorisation Remote Code Execution (RCE) or modification or leakage of sensitive data. |
| 2. | High. | End of life systems, systems that you can log into with authentication that are meant to be internal (SMB, RDP), some data can be leaked. Sinkhole events end up in this category. |
| 3. | Medium. | Risk that does not pose an immediate threat to the system but can escalate to a higher severity over time. For example: risk of participating in DDoS; unencrypted services requiring login; vulnerabilities that require visibility into network traffic to exploit (a Man-in-the-Middle (MITM) position without the ability to manipulate the traffic); or vulnerabilities for which an attacker would need knowledge of internal systems/infrastructure in order to exploit them. |
| 4. | Low. | Deviation from best practice - little to no practical way to exploit, but the setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit. |
| 5. | Info. | Informational only. Typically no concerns. However, this category includes the Device Identification report, which may include information on device types that should not be accessible on the public Internet, in which case the individual events in the report may be assigned higher severity levels. Review in accordance with the organisation's security policy. |
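The severity levels above are intended to let a report recipient triage a Shadowserver report by severity before deciding which host owners to contact. The following is an added example of that workflow, written for this page; it is not CSIRT-IE's or Shadowserver's own tooling. The CSV column names (in particular `severity`), the per-report default severity and the sample rows are all assumptions for the example, and the IP addresses are taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Shadowserver-style CSV report.
# Column names, tags and rows are assumptions for this example, not the
# real report schema. The last row has an empty severity field to show
# how a report-wide default severity is applied.
SAMPLE_REPORT = """timestamp,severity,ip,port,protocol,tag
2023-10-12 01:02:03,critical,192.0.2.10,443,tcp,http-exploit-attempt
2023-10-12 01:05:44,high,192.0.2.11,445,tcp,smb-login-attempt
2023-10-12 01:07:19,medium,198.51.100.7,23,tcp,telnet-unencrypted
2023-10-12 01:09:58,low,198.51.100.8,80,tcp,weak-tls-config
2023-10-12 01:12:30,,192.0.2.12,22,tcp,ssh-scan
"""

# Ordering of the five Event Severity Levels described in the table above.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_report(text, default_severity="info"):
    """Parse CSV report text into a list of event dicts.

    Severity labels are normalised to lower case. A row with an empty
    severity field takes the report-wide default, mirroring the default
    severity level applied per report. Unknown labels are rejected rather
    than silently treated as low severity.
    """
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = (row.get("severity") or "").strip().lower() or default_severity
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity label: {sev!r}")
        row["severity"] = sev
        events.append(row)
    return events


def at_least(events, minimum):
    """Keep only events whose severity is at or above `minimum`."""
    floor = SEVERITY_RANK[minimum]
    return [e for e in events if SEVERITY_RANK[e["severity"]] >= floor]


def count_by_severity(events):
    """Summary of how many events fall into each severity level."""
    return dict(Counter(e["severity"] for e in events))


def hosts_to_notify(events, minimum="high"):
    """Sorted, de-duplicated IPs whose events reach the notification threshold."""
    return sorted({e["ip"] for e in at_least(events, minimum)})


if __name__ == "__main__":
    ev = parse_report(SAMPLE_REPORT)
    print("events by severity:", count_by_severity(ev))
    for e in at_least(ev, "high"):
        print(e["severity"], e["ip"], e["port"], e["tag"])
    print("hosts to notify:", hosts_to_notify(ev))
```

Running the block prints a per-severity count, the High and Critical events, and the unique IPs that would be notified at a "high" threshold. Raising or lowering `minimum`, or changing `default_severity` for reports whose default is not Info, changes which hosts are selected; the explicit `ValueError` on an unrecognised label avoids an event quietly dropping out of the notification list because of a typo in the data.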
Shadowserver Foundation - Information on Honeypot Strategy.
| No. | Subject | Information |
|---|---|---|
| 1. | Number of Honeypots. | The Shadowserver Foundation operates over 1,500 honeypot instances around the world. |
| 2. | IP Addresses. | The Shadowserver Foundation does not publicly disclose the IP addresses of their honeypots. The honeypots are used to gather intelligence on cyber threats and attacks. Revealing the IP addresses of their honeypots would compromise their ability to collect that information effectively. By keeping the honeypot IP addresses secret, Shadowserver can ensure that attackers are unaware they are interacting with a decoy system, allowing them to collect more accurate data about attack patterns and techniques. If attackers knew the IP addresses of honeypots, they could avoid them, rendering the honeypots ineffective for intelligence gathering. The anonymity of honeypot IP addresses is a deliberate security measure to ensure the effectiveness of Shadowserver's threat intelligence work. |
| 3. | Aims & Objectives. | In April 2022, The Shadowserver Foundation released the following document:- Honeypot HTTP Scanner Events Report. This document gives an insight into the Aims & Objectives of the organisation in relation to the Report. |