In this simulation, you will analyze the application of honeypots as a proactive network defense mechanism. You will learn to distinguish between different honeypot types and identify which specific solution acts as a "burglar alarm" to notify administrators of unauthorized lateral movement.

CND (312-38) Network Defense Simulation

Network Scenario

Environment: Enterprise Data Center (Subnet 10.10.20.0/24)

Defense Strategy: You have deployed a low-interaction honeypot on an unused IP address (10.10.20.55). This IP is not associated with any legitimate production service or DNS record. Any traffic reaching this host is inherently suspicious as no authorized user should be attempting to connect to it.

Objective: Detect early-stage internal reconnaissance (port scanning) from potentially compromised internal endpoints.

Traffic & Logs

Honeypot Alert Triggered
[2023-10-27 14:22:01] ALERT: Connection attempt on 10.10.20.55:135 (RPC)
[2023-10-27 14:22:01] SOURCE: 10.10.20.142 (Internal Workstation)
[2023-10-27 14:22:03] ALERT: Connection attempt on 10.10.20.55:445 (SMB)
[2023-10-27 14:22:05] ALERT: Connection attempt on 10.10.20.55:21 (FTP)
[2023-10-27 14:22:06] ANALYSIS: Sequential port scan detected from 10.10.20.142 targeting decoy host.
[2023-10-27 14:22:10] NOTIFICATION: SMTP/Pager alert sent to SOC Lead.

Note: The system responded to the scan with simulated service banners to keep the attacker engaged while logging all metadata.
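The detection step the scenario describes (every touch on the decoy is an alert; several distinct ports from one source in a short window is escalated to a "sequential port scan" finding) can be shown as a small log analyser. This is an added example, not code from the simulation or from any honeypot product. The log format is an assumption modelled on the alert lines above, with the source host carried on each ALERT line instead of on a separate SOURCE line; the sample log, the decoy address, the 30-second window and the three-port threshold are all constructed values for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample honeypot log (not captured from any real system).
# Format assumption: each ALERT line names the source, the decoy and the port.
SAMPLE_LOG = """\
[2023-10-27 14:22:01] ALERT: 10.10.20.142 -> 10.10.20.55:135 (RPC)
[2023-10-27 14:22:03] ALERT: 10.10.20.142 -> 10.10.20.55:445 (SMB)
[2023-10-27 14:22:05] ALERT: 10.10.20.142 -> 10.10.20.55:21 (FTP)
[2023-10-27 14:25:40] ALERT: 10.10.20.77 -> 10.10.20.55:445 (SMB)
[2023-10-27 14:31:12] ALERT: 10.10.20.142 -> 10.10.20.55:3389 (RDP)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] ALERT: (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) \((?P<svc>\w+)\)$"
)

DECOY_IP = "10.10.20.55"            # unused address with no production role
SCAN_WINDOW = timedelta(seconds=30)  # assumed correlation window
SCAN_MIN_PORTS = 3                   # assumed distinct-port threshold


def parse_log(text):
    """Turn ALERT lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "svc": m["svc"],
        })
    return events


def first_touch_alerts(events):
    """Burglar-alarm rule: any connection to the decoy is an alert on its own,
    because no legitimate client has a reason to reach this address."""
    return [e for e in events if e["dst"] == DECOY_IP]


def detect_scans(events):
    """Escalate a source that touches SCAN_MIN_PORTS or more distinct decoy
    ports within SCAN_WINDOW to a sequential-port-scan finding."""
    by_src = defaultdict(list)
    for e in sorted(first_touch_alerts(events), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= SCAN_WINDOW]
            ports = sorted({e["port"] for e in window})
            if len(ports) >= SCAN_MIN_PORTS:
                findings.append({
                    "src": src,
                    "ports": ports,
                    "start": start["ts"],
                    "end": window[-1]["ts"],
                })
                break  # one finding per source is enough to page the SOC
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in first_touch_alerts(evs):
        print(f"[{e['ts']}] ALERT: {e['src']} touched decoy port {e['port']} ({e['svc']})")
    for f in detect_scans(evs):
        print(f"[{f['end']}] ANALYSIS: Sequential port scan from {f['src']} on ports {f['ports']}")
```

Two things the split into `first_touch_alerts` and `detect_scans` makes visible: the single SMB touch from 10.10.20.77 is still an alert even though it never becomes a scan finding, and the later RDP probe from 10.10.20.142 falls outside the window and so does not inflate the original finding. Tune the window and threshold to the honeypot's own noise floor; on a decoy address the expected baseline is zero connections, so both can be kept aggressive.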

Question

Which of the following honeypots is a useful little burglar alarm?

Think about a classic, lightweight tool specifically designed to simulate services like BackOrifice to trap attackers and alert administrators immediately.

Expert Analysis

1. Network Activity: The logs show an internal host (10.10.20.142) performing horizontal reconnaissance. It is hitting multiple ports (135, 445, 21) on an IP that hosts no production service. This indicates a "burglar" is checking doors in the network.

2. Identifying Behavior: This is a classic example of lateral movement or internal worm propagation. The defensive system is designed to trigger an alert at the very first touch.

3. Why Correct (A): Backofficer Friendly is specifically cited in CND materials as a "useful little burglar alarm." It is a simple, low-interaction honeypot that mimics services (like the Back Orifice trojan) and sounds an alarm when any connection is attempted, making it an excellent early-warning detection tool.

4. Why Others are Wrong:

MINI LESSON: Honeypot Classifications
  • Low-Interaction: Simulates only specific services (e.g., Backofficer Friendly, Honeyd). Low risk, high detection value for automated scans.
  • High-Interaction: Uses real operating systems and applications (e.g., Honeynets). High risk, but provides deep insight into attacker TTPs (Tactics, Techniques, and Procedures).
  • Production vs. Research: Production honeypots are used to protect organizations (like the burglar alarm), while Research honeypots gather intelligence on global threats.