June 1, 2016
Joe Franscella

How Shockpot Protects You From ShellShock

<p>Using a honeypot as a proactive defense against online attacks has been a time-tested method for decades. This technique is being leveraged against the myriad of progressively complex threats continually being introduced. In this tradition, ShockPot was introduced as the first commercial response to ShellShock.</p><p><strong>What is ShellShock?</strong></p><p>ShellShock is an exploitative computer virus that was introduced in Sept. of 2014. It affects the Bash shell, an interface used for accessing the operating system. Immediately upon learning of this opportunity, cyber-criminals took action. Hackers responded to this discovery by exploiting the Bash vulnerability and creating a network of infected computers. Once the computers were compromised, attackers set them to run code that served their purposes. These victims’ computers were hijacked to perpetrate DDoS attacks and to scan the net for more vulnerabilities.</p><p>ShellShock can attack all manner of computer, browser, or web-enabled device. The Internet of Things is the new network of data-using objects, including our cars, video game consoles, and smart medical devices. This class of data is a newer area of liability that can have serious implications the more integrated technology becomes in our personal lives.</p><p><strong>What is ShockPot?</strong></p><p>It is the first ShellShock-specific honeypot. It’s a web-based app created by ThreatStream Labs. It features full integration into the Modern Honey Network. It can be downloaded and installed on any system. Use it to monitor your network for attacks. Threat intelligence is best interpreted in-house, as you best understand your strengths, assets, and potential dangers.</p><p><strong>How does it work?</strong></p><p>Your ShockPot can be managed using the <a href="https://github.com/Pwnlandia/mhn" target="_blank">MHN platform</a>. It monitors traffic and scans for specific patterns or identifiers which are signs of ShellShock. 
The software can differentiate traffic sent to different portals and is programmed to pay particular attention to traffic coming through the entry point it is programmed to use, port 80. Scripts are compared to a “most wanted” list of viruses, malware and other known tools for identification. Growing this knowledge base relies on contributing data to the greater good. ShockPot safely contributes collected data to <a href="https://www.anomali.com/blog/threatstream-optic-maltego-integration">ThreatStream Optic</a>.</p><p><strong>How can you apply it?</strong></p><p>Use a honeypot to learn about the traffic coming to your network. Set up a secure decoy entity on your network and log all activity, including IP addresses, scripts run, etc. Comparing all traffic to the traffic which accessed the honeypot distinguishes suspicious traffic from that of actual legitimate users. The application will alert you to suspicious traffic. Responding quickly to the signs of an attack in your decoy network is paramount to preventing would-be attackers from breaching your actual network.</p><p><strong>Why ShockPot?</strong></p><p>Managing a honeypot is a great undertaking. Inviting threats into a controlled environment is necessary to protect your data, but it must be executed with great skill. Should your <a href="https://isc.sans.edu/diary/First+Exploit+Attempts+For+Juniper+Backdoor+Against+Honeypot/20525" target="_blank">honeypot be compromised</a>, cyber-criminals may use your honeypot to attack other parties. If your company is found to have been negligent, you may be liable for damages.</p><p>The experts at Anomali understood the immediate need to devise a new, bigger solution to these emerging threats. 
ThreatStream Labs responded to the <a href="http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/" target="_blank">enormous threat of ShellShock</a> immediately and produced a product which makes threat intelligence feasible for all enterprises.</p>
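<p>The pattern scan described under "How does it work?" can be sketched as follows. This is an added example, not ShockPot's own code: it checks each HTTP header value for the Bash function-definition prefix that marks a ShellShock probe and records who sent it. The function names, event fields, and sample requests are all constructed for illustration.</p>

```python
import re

# Bash treats an environment value that *starts* with "() {" as a function
# definition; that prefix in a header value is the ShellShock indicator.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def inspect(src_ip, raw):
    """Return one event per header whose value looks like a ShellShock probe."""
    request_line, headers = parse_request(raw)
    events = []
    for name, value in headers:
        if SHELLSHOCK_RE.search(value):
            # Text after the function body is what the sender hoped Bash would run.
            trailing = value.split("}", 1)[1].lstrip("; ") if "}" in value else ""
            events.append({"src_ip": src_ip, "request": request_line,
                           "header": name, "trailing_command": trailing})
    return events


# Constructed sample traffic (documentation IP ranges, harmless marker command).
SAMPLES = [
    ("198.51.100.7", "GET /cgi-bin/status HTTP/1.1\r\nHost: decoy.example\r\n"
                     "User-Agent: () { :; }; echo PROBE-MARKER\r\n\r\n"),
    ("203.0.113.20", "GET / HTTP/1.1\r\nHost: decoy.example\r\n"
                     "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
    ("198.51.100.9", "GET /index.html HTTP/1.1\r\nHost: decoy.example\r\n"
                     "Referer: () { x;}; echo PROBE-MARKER\r\n"
                     "Cookie: id=() { not-at-start\r\n\r\n"),
]


def scan(samples):
    """Run the check over (src_ip, raw_request) pairs; return events and flagged IPs."""
    events = [e for ip, raw in samples for e in inspect(ip, raw)]
    return events, sorted({e["src_ip"] for e in events})


if __name__ == "__main__":
    for event in scan(SAMPLES)[0]:
        print(event)
```

<p>The flagged source addresses are the list to compare against traffic reaching production systems; the Cookie value in the third sample is not flagged because the prefix does not start the value.</p>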
