Setting up a Honeypot in an Enterprise Environment

Solution 1:

You want Honeyd - Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

Solution 2:

Honeypots are extremely useful for any environment, and they don't need to be anything fancy or crazy.

Examples that we do:

- Create a fake account on our mail server (say userX) with a few fake links in his mailbox (things like a user-directory link, a payment link, etc., all pointing to an internal server). Now we monitor any access to these pages via the logs, and we know that if we ever see access to them, it is because someone is reading someone else's email or broke into the system.

- Add a non-published system with an unused IP to our network. Any access to it is probably caused by a scan or maybe a badly configured system (yes, it happens).

And many other things... These little "honeypots" are so easy to set up and the benefits are amazing. We even had a system admin fired for looking at a fake payroll link.
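The monitoring half of the two tricks above is the part that actually needs code: something has to watch the logs for a hit on the planted links or on the unused address. The script below is an added example, not code from either answer. It runs two detectors over log lines: one matches Common Log Format web-server entries against a set of canary URL paths, the other matches a simple firewall-style line (a constructed format, `SRC=... DST=... PROTO=... DPT=...`) against a set of decoy IPs. The canary paths, decoy address and the sample log lines are all constructed placeholders; because legitimate users have no reason to touch either, a single match is enough to raise an alert with no further baselining.

```python
"""Honeytoken hit detector for the two low-tech honeypots described above.

Assumed inputs (constructed for this example):
  - web access log lines in Common Log Format (Apache/nginx default)
  - firewall lines of the form '<ts> fw: SRC=<ip> DST=<ip> PROTO=<p> [DPT=<port>]'
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Paths of the fake links planted in the decoy mailbox (placeholders).
CANARY_PATHS = {
    "/hr/payroll-2024.xlsx",
    "/it/user-directory",
    "/finance/payment-portal",
}
# Address of the unpublished decoy host (placeholder). Nothing legitimate talks to it.
DECOY_IPS = {"10.20.30.250"}

# Common Log Format: src ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Constructed firewall line format used by this example.
FW_RE = re.compile(
    r'^(?P<ts>\S+) fw: SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)'
    r'(?: DPT=(?P<dpt>\d+))?'
)


@dataclass(frozen=True)
class Alert:
    kind: str    # "canary-url" or "decoy-ip"
    src: str     # address that touched the honeytoken
    detail: str  # what exactly was touched
    ts: str      # timestamp copied from the log line


def check_access_line(line: str) -> Optional[Alert]:
    """Return an Alert if a web log line requests one of the planted links."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Compare the path only; query strings and fragments must not let a hit slip by.
    path = m.group("path").split("?", 1)[0].split("#", 1)[0]
    if path in CANARY_PATHS:
        detail = f'{m.group("method")} {path} -> HTTP {m.group("status")}'
        return Alert("canary-url", m.group("src"), detail, m.group("ts"))
    return None


def check_firewall_line(line: str) -> Optional[Alert]:
    """Return an Alert if a firewall line shows any traffic to a decoy address."""
    m = FW_RE.match(line)
    if not m:
        return None
    if m.group("dst") in DECOY_IPS:
        port = m.group("dpt") or "-"
        detail = f'{m.group("proto")} to {m.group("dst")} port {port}'
        return Alert("decoy-ip", m.group("src"), detail, m.group("ts"))
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through both detectors; lines in unknown formats are ignored."""
    alerts: List[Alert] = []
    for line in lines:
        alert = check_access_line(line) or check_firewall_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log lines: one canary-link click, one probe of the decoy host,
# two benign lines and one line in an unrecognised format.
SAMPLE_LOGS = [
    '10.1.4.22 - - [03/Mar/2024:09:14:01 +0000] "GET /hr/payroll-2024.xlsx?dl=1 HTTP/1.1" 200 5120',
    '10.1.4.22 - - [03/Mar/2024:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '2024-03-03T09:20:11Z fw: SRC=10.1.9.7 DST=10.20.30.250 PROTO=TCP DPT=445',
    '2024-03-03T09:20:12Z fw: SRC=10.1.9.7 DST=10.20.30.5 PROTO=TCP DPT=443',
    'Mar  3 09:21:00 host sshd[123]: unrelated line in another format',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a.kind}] {a.ts} src={a.src} {a.detail}")
```

In practice the same two functions would be fed from a log shipper or `tail -F` rather than a list, and the alert would go to a pager or SIEM; the detection logic itself stays this small because the honeytokens are defined so that any hit at all is a true positive.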