It worked for us: honey pot sensor catches malware

A terrific demonstration of the value of the Security Assessment Sharing (SAS) feature of Microsoft Forefront Codename “Stirling” just took place inside of one of the labs that we configured for testing. In the lab environment, a Forefront Threat Management Gateway (TMG) using the SAS technology was able to identify that one of the lab machines was compromised with malware.

It is common practice for our test team to construct what we call “lab environments” that contain all of the components of a Stirling deployment: a Stirling server, a Windows client with Forefront Client Security, an Exchange server with Forefront Server Security for Exchange and so on. In these lab deployments, we use the Forefront Threat Management Gateway (TMG) as the firewall.

Forefront TMG contributes 11 detectors to SAS, each watching for a different kind of suspicious network behavior. When TMG detects such behavior, it communicates its findings to the other security technologies over the assessment sharing channel. This message, called an assessment, appears in the central Stirling console, where the administrator can see which machine exhibited the behavior and what it did.

One of these detectors is the honey pot IP address detector. When a TMG server is connected to Stirling, the TMG administrator can specify an IP address on the internal network that will be used as the honey pot. The administrator must make sure that the network is configured so that this address is never assigned to any computer, for example by keeping it out of every DHCP scope and out of the list of static assignments. TMG listens on this IP for traffic from the internal network. Because no real machine owns the address, no legitimate host has a reason to talk to it, so any traffic sent to it is inherently suspicious.
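The logic behind the detector, as an added example rather than TMG's or Stirling's own code: one function checks that the chosen honey pot address really is unassigned (outside every DHCP scope and not a static assignment), and a second walks firewall flow records and raises one assessment per internal host that sent anything to the honey pot, counting repeated hits and the ports probed. The addresses, the DHCP scope, the static assignments and the flow log lines are all constructed for this example; the single-line flow format is an assumption, not a TMG log format.

```python
"""Honey pot IP detector (illustrative example; not Forefront TMG code).

A reserved, unassigned IP address is configured as the honey pot.  Any flow
from an internal host to that address is reported as an assessment against
the source host, because no legitimate machine has a reason to send it.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed network layout (constructed for the example).
HONEYPOT_IP = ipaddress.ip_address("10.0.0.250")          # reserved, never assigned
DHCP_SCOPES = [ipaddress.ip_network("10.0.0.64/26")]      # 10.0.0.64 - 10.0.0.127
STATIC_ASSIGNMENTS = {ipaddress.ip_address(a) for a in ("10.0.0.1", "10.0.0.10")}

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <proto>".
# Host 10.0.0.77 is scanning the subnet on TCP/445 and also touches the honey pot.
SAMPLE_LOG = """\
2009-03-12T10:01:05 10.0.0.77 10.0.0.10 445 tcp
2009-03-12T10:01:06 10.0.0.77 10.0.0.250 445 tcp
2009-03-12T10:01:06 10.0.0.77 10.0.0.251 445 tcp
2009-03-12T10:01:07 10.0.0.77 10.0.0.250 139 tcp
2009-03-12T10:02:00 10.0.0.88 10.0.0.250 445 tcp
2009-03-12T10:02:01 10.0.0.77 10.0.0.250 445 tcp
"""


def check_honeypot_address(candidate, scopes=DHCP_SCOPES, statics=STATIC_ASSIGNMENTS):
    """Return True if `candidate` can safely serve as the honey pot address.

    The address must not be statically assigned and must fall outside every
    DHCP scope; otherwise a real host could receive it and every flow to that
    host would be misreported as a honey pot hit.
    """
    addr = ipaddress.ip_address(candidate)
    if addr in statics:
        return False
    return not any(addr in scope for scope in scopes)


@dataclass
class Assessment:
    """What the console would show: the offending host and what it did."""
    source: str
    hits: int
    ports: list  # distinct destination ports probed on the honey pot, sorted


def parse_flow(line):
    """Parse one constructed flow record into (src, dst, dst_port)."""
    _ts, src, dst, dport, _proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def detect_honeypot_hits(log_text, honeypot=HONEYPOT_IP):
    """Return one Assessment per source host that sent traffic to the honey pot.

    Flows to other destinations are ignored; the detector is deliberately
    narrow so that a hit never needs further interpretation to be suspicious.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_flow(line)
        if dst != honeypot:
            continue
        hits[str(src)].append(dport)
    return [Assessment(src, len(ports), sorted(set(ports)))
            for src, ports in sorted(hits.items())]


if __name__ == "__main__":
    assert check_honeypot_address(HONEYPOT_IP), "honey pot address is assignable"
    for a in detect_honeypot_hits(SAMPLE_LOG):
        print(f"honey pot hit: {a.source} contacted {HONEYPOT_IP} "
              f"{a.hits} time(s) on ports {a.ports}")
```

Two points carry over from the post: the address check is the "never assigned to any computer" caveat made mechanical, and counting hits per source is why the lab engineer eventually took the assessment seriously, since the same host kept coming back.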

[Screenshot: an assessment that notifies the administrator of a honey pot hit]

During a testing session in our lab, the honey pot detector was triggered. The Stirling console in the lab showed that an assessment had been generated against the machine that initiated the traffic to the honey pot. Ironically, the tester initially dismissed the assessment as a mistake, because none of the tests being run were supposed to trigger activity that would cause the honey pot sensor to fire. There was also no reason to suspect malware, because the lab environment is completely isolated from the outside world and should therefore have been malware-free.

However, after the honey pot assessment repeated itself several more times, our test engineer was compelled to investigate the machine that had accessed the honey pot. He found that the machine was infected with the Conficker worm, which was probing the network for other machines to infect.

This story demonstrates the value of the honey pot detector, delivered by Forefront TMG together with the SAS technology inside Stirling. It can be a highly effective mechanism for detecting malware on your network, and as in our case it works even on machines that have no anti-malware software installed, because it watches what the machine does on the wire rather than what is on its disk. It is also as easy to set up as reserving an IP address on your network. If you have not done so already, give it a try and create a honey pot in your Stirling deployment. We look forward to hearing about your experience with it.

Shai Rubin, Program Manager for Microsoft Forefront Codename “Stirling”

Donny Rose, Program Manager for Microsoft Forefront Threat Management Gateway