Linux.com

Feature: Security

'Know Your Enemy': Everything you need to know about honeypots

By Lance Spitzner on September 27, 2004 (8:00:00 AM)

Honeypots are a relatively new and highly dynamic technology. Because they are so dynamic, it is difficult to define just what they are. Honeypots are unique in that they are not a solution in and of themselves; they do not solve a specific security problem. Instead, they are highly flexible tools with many different information security applications.

Uses of honeypots

You now know that honeypots are extremely flexible tools that can be used for a variety of purposes. Think of them as tools in your security arsenal; you can use them however they best fit your needs. In general, we can break down a honeypot's value into two broad categories: production and research. Typically, low-interaction honeypots are used for production purposes, whereas high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. Once again, neither purpose is better than the other. These categories simply help you identify what you are attempting to achieve with your honeypot. When used for production purposes, honeypots can protect organizations in one of three ways: by preventing attacks, detecting attacks, and responding to attacks. When used for research purposes, honeypots collect information. This information provides different value to different organizations. Some organizations may want to study trends in attacker activity, whereas others may be interested in early warning and prediction or law enforcement. Let's take a more in-depth look at how a honeypot can work for you.

Preventing attacks

Honeypots can help prevent attacks in several ways. For one, honeypots can prevent automated attacks, such as those launched by worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools then attack and take over the system (with worms self-replicating, or copying themselves, to the victim). One way that honeypots can help defend against such attacks is by slowing the scanning process, potentially even stopping it. Called "sticky honeypots," these solutions monitor unused IP space. When probed by such scanning activity, the honeypots interact with and slow the attacker. They do this using a variety of Transmission Control Protocol (TCP) tricks, such as advertising a window size of zero, which puts the attacker into a holding pattern (the attacker's TCP stack waits for the window to open before it can send any more data). This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal network. One such example of a sticky honeypot is the LaBrea tarpit. Sticky honeypots are most often low-interaction solutions (you can almost call them "no-interaction solutions," as they slow the attacker down to a crawl).

You can also use honeypots to protect your organization from human (that is, non-automated) attacks. The concept is based on deception or deterrence. The idea is to confuse attackers, making them waste their time and resources interacting with honeypots. Meanwhile, your organization is able to detect the attacker's activity and has the time to respond and stop it. This can be taken one step further. If attackers know your organization is using honeypots but they do not know which systems are honeypots and which systems are legitimate computers, they may be so concerned about being caught by honeypots that they decide not to attack your organization. Thus, the honeypot deters attackers. An example of a honeypot designed to do this is the Deception Toolkit, a low-interaction honeypot.

Detecting attacks

Another way in which honeypots can protect an organization is through detection. Detection is critical as it identifies a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than humans are involved in the security process. By detecting attacks, you can quickly react to them, stopping or mitigating the damage they do.

Detection has traditionally proven to be an extremely difficult activity. Technologies such as intrusion detection system sensors and system logs have proven ineffective for several reasons: they generate far too much data and a large percentage of false positives, they are unable to detect new attacks, and they are unable to work in encrypted or IPv6 environments. Honeypots address many of these traditional detection problems: because a honeypot has no production role, almost any traffic it receives is suspect, so it reduces false positives by capturing small data sets of high value; it captures unknown attacks such as new exploits or polymorphic shellcode; and it works in encrypted and IPv6 environments. You can learn more about this in the paper "Honeypots: Simple, Cost Effective Detection" (Spitzner 2003). In general, low-interaction honeypots make the best solutions for detection. They are easier to deploy and maintain than high-interaction honeypots and have less risk.
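The two properties above, a honeypot answering for unused IP space (the sticky honeypot of the prevention section) and the small, high-value data set that gives (this section), can be combined into a simple detector. The following is an added example, not code from the book or from any honeypot product; the unused address range, the log format and the log lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed assumption: this range has no production hosts, so a low-interaction
# honeypot answers for it. Everything outside it is treated as production traffic.
HONEYPOT_SPACE = ipaddress.ip_network("192.0.2.128/25")

# Constructed firewall-style connection log: "<time> <src> -> <dst>:<port>".
# 203.0.113.9 sweeps consecutive unused addresses on one port, the pattern of a
# worm or auto-rooter; 198.51.100.7 only talks to production hosts.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> 192.0.2.10:25
10:00:02 198.51.100.7 -> 192.0.2.25:80
10:00:03 203.0.113.9 -> 192.0.2.130:445
10:00:03 203.0.113.9 -> 192.0.2.131:445
10:00:03 203.0.113.9 -> 192.0.2.132:445
10:00:04 203.0.113.9 -> 192.0.2.133:445
10:00:05 203.0.113.9 -> 192.0.2.25:445
10:00:06 198.51.100.42 -> 192.0.2.200:22
"""

def parse_line(line):
    """Return (src, dst, port) for one log line, or None if it is malformed."""
    try:
        _, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return src, dst, int(port)
    except ValueError:
        return None

def honeypot_hits(log_text):
    """Map each source to the set of (honeypot address, port) pairs it touched.
    Traffic to production hosts is discarded: only contact with unused space is
    kept, which is what makes the resulting data set small and high-value."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if ipaddress.ip_address(dst) in HONEYPOT_SPACE:
            hits[src].add((dst, port))
    return dict(hits)

def classify(hits, sweep_threshold=3):
    """Label a source 'sweep' when it contacted at least sweep_threshold distinct
    unused addresses (scanning behaviour), otherwise 'probe' (a single stray hit)."""
    labels = {}
    for src, targets in hits.items():
        distinct_hosts = {dst for dst, _ in targets}
        labels[src] = "sweep" if len(distinct_hosts) >= sweep_threshold else "probe"
    return labels

if __name__ == "__main__":
    hits = honeypot_hits(SAMPLE_LOG)
    for src, label in classify(hits).items():
        print(f"{src}: {label} ({len(hits[src])} honeypot contacts)")
```

A single hit on unused space still deserves a look, but the sweep label is what separates a worm-style scan from a mistyped address, and the production-only source never appears in the output at all.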

Responding to attacks

Honeypots can also help protect organizations by responding to attacks. Once an organization has detected a failure, how should it respond? This can often be one of the greatest challenges organizations face. There is often little information on who the attackers are, how they got in, or how much damage they have done. In these situations, detailed information on the attacker's activities is critical. There are two problems compounding incident response. First, the very systems compromised often cannot be taken offline to be analyzed. Production systems, such as an organization's mail server, are so critical that even though the system has been hacked, security professionals may not be able to take the system down and do a proper forensic analysis on it. Instead, they are limited to analyzing the live system while still providing production services. This makes it difficult to analyze what happened and how much damage the attacker has done, and to determine whether the attacker has broken into other systems.

Another problem is that even if the system is taken offline, there is often so much data pollution that it can be very difficult to determine what the attackers did. By data pollution, I mean that there has been so much activity (users logging in, mail accounts read, files written to databases, and so on) that it can be difficult to determine what is normal day-to-day activity and what are the attacker's actions.

Honeypots can help address both problems as they can quickly and easily be taken offline for a full forensic analysis without impacting day-to-day business operations. Also, because the only activity a honeypot captures is unauthorized or malicious activity, this makes hacked honeypots much easier to analyze than hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide is thus that they are able to quickly give organizations the in-depth information they need to rapidly and effectively respond to an incident. In general, high-interaction honeypots make the best solution for response purposes. To respond to intruders, you need in-depth knowledge on what they did, how they broke in, and what tools they used. For that type of data you most likely need the capabilities of a high-interaction honeypot.

Using honeypots for research purposes

As noted earlier, honeypots can also be used for research purposes, to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can your organization defend itself against an enemy when you don't even know who that enemy is? Research honeypots address this problem by collecting information on threats. Organizations can then use this information for a variety of purposes, including analyzing trends, identifying new tools or methods, identifying attackers and their communities, ensuring early warning and prediction, or understanding attackers' motivations.

By now, you should have a better understanding of what honeypots are, how they can be used, how powerful they can be, and what advantages and disadvantages are inherent in their use. From this point on, we will focus only on honeynets, which are nothing more than one type of honeypot. If you want to learn more about other honeypots, consider the book "Honeypots: Tracking Hackers" (Spitzner 2003). This is the first and only book dedicated entirely to honeypot technologies.

Lance Spitzner has had a longtime interest in enterprise security and is particularly passionate about researching honeypot technologies. He is also the author of "Honeypots: Tracking Hackers" (Addison-Wesley). This excerpt is taken from "Know Your Enemy: Learning About Security Threats" (Second edition, Addison-Wesley).
