Linux.com

Feature: Security

'Know Your Enemy': Everything you need to know about honeypots

By Lance Spitzner on September 27, 2004 (8:00:00 AM)


Honeypots are a relatively new and highly dynamic technology. Because they are so dynamic, it is difficult to define just what they are. Honeypots are unique in that they are not a solution in and of themselves; they do not solve a specific security problem. Instead, they are highly flexible tools with many different information security applications.

"Know Your Enemy (2nd Ed.)"
Addison-Wesley, $49.99

This article is excerpted from the recently published book "Know Your Enemy: Learning About Security Threats".

This contrasts with such technologies as firewalls and intrusion detection systems (IDSs), which are easier to define and understand as they solve specific problems. Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more. For the purpose of this book, we will define a honeypot as follows:

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

This definition was developed by members of the Honeypot mailing list, a public forum made up of over 5,000 security professionals. The definition was difficult to develop, as honeypots can come in so many different shapes and sizes. As a result, this definition is very broad in scope, as it has to cover many different applications of honeypots. The definition of a honeypot does not indicate how a honeypot works or what its purpose is. Instead, its definition refers to how a honeypot generates its value. Simply put, honeypots are a technology whose value depends on the bad guys interacting with it. All honeypots work on the same concept: Nobody should be using or interacting with them; any transactions or interactions with a honeypot are by definition unauthorized.

A honeypot contains no value as a production-oriented component of an information infrastructure; it does no real productive service. Any transactions processed, any logins attempted, or any data files accessed on a honeypot are most likely malicious or unauthorized activities. For example, a honeypot system can be deployed on an internal network. This honeypot would have no production value, and no one in the organization should be using it. It could appear to be a file server, a web server, or even an employee's workstation. If someone interacts with that system, they are most likely committing some unauthorized or malicious activity.

In fact, a honeypot does not even have to be a computer. It can be any type of digital entity (often called a honeytoken) that has no production value. For example, a hospital could create a false set of electronic patient records labeled George W. Bush. Because these records are honeypots, nobody should be accessing or interacting with them. These records could then be implanted into a hospital's patient database as a honeypot component. If any employee or attacker attempted to access these records, this would indicate unauthorized activity because no one should be using these records. If anyone or anything accesses the records, they could also generate an alert. It is the very simplicity of this concept that gives honeypots their tremendous advantages (and disadvantages).
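The honeytoken idea above, as an added example that is not from the book: a patient-record id that exists only as a honeytoken is embedded in the data set, and a monitor scans the database audit log and raises an alert on any access to it, while ordinary record access produces nothing. The record ids, user names and audit-log format are constructed assumptions for this illustration.

```python
"""Honeytoken monitor (added illustration, not from the book).

Models the false patient record described above: a record with no
production purpose, so any access to it is by definition suspicious.
Record ids, user names and the audit-log format are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed: record ids that exist only as honeytokens. Nobody should ever
# look them up, so a hit is an alert without needing an attack signature.
HONEYTOKEN_RECORD_IDS = frozenset({"MRN-0000042"})

# Constructed audit-log format: "<ISO time> user=<u> action=<a> record=<id>"
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    action: str
    record: str

def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match."""
    m = AUDIT_LINE.match(line.strip())
    return m.groupdict() if m else None

def scan_audit_log(lines: Iterable[str], honeytokens=HONEYTOKEN_RECORD_IDS) -> List[Alert]:
    """Return one Alert per access to a honeytoken record.

    Legitimate records never alert, so the output stays small and every
    entry is worth investigating (the 'small data set' property).
    """
    alerts = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry is None:  # malformed line: skip rather than stop monitoring
            continue
        if entry["record"] in honeytokens:
            alerts.append(Alert(entry["ts"], entry["user"], entry["action"], entry["record"]))
    return alerts

# Constructed sample audit log: normal lookups plus one honeytoken access
SAMPLE_LOG = [
    "2004-09-27T08:00:01 user=nurse17 action=read record=MRN-1183920",
    "2004-09-27T08:00:05 user=nurse17 action=read record=MRN-1183921",
    "2004-09-27T08:02:11 user=billing3 action=export record=MRN-0000042",
    "garbage line that does not parse",
    "2004-09-27T08:03:40 user=drsmith action=update record=MRN-2207731",
]

if __name__ == "__main__":
    for a in scan_audit_log(SAMPLE_LOG):
        print(f"ALERT {a.ts}: {a.user} performed {a.action} on honeytoken {a.record}")
```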

Advantages and disadvantages

  • Honeypots collect only small data sets. Honeypots only collect data when someone or something is interacting with them. As a result, honeypots collect very small sets of data, although it is extremely valuable data. Organizations that log thousands of alerts a day may log only a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.
  • Honeypots reduce false positives. One of the greatest challenges of most detection technologies is that they generate false positives or false alerts. It's similar to the problem of car alarms. To stop cars from being stolen, owners install alarms in them to trigger whenever someone attempts to break in or steal the vehicle. The problem is, these alarms are falsely triggered (a false positive) so often that people simply ignore them. Think about it: what do you do when you are walking in the parking lot and you hear a car alarm? Most likely, nothing. Many detection technologies today face the same problem. The larger the probability that a security technology produces a false positive, the less likely the technology will be useful. Honeypots dramatically reduce false positives simply because almost any activity with honeypots is by definition unauthorized, making honeypots extremely efficient at detecting attacks.
  • Honeypots can catch false negatives. Another challenge inherent in traditional detection technologies is that they often fail to detect unknown attacks. This is a critical difference between honeypots and traditional computer security technologies that rely upon known signatures or statistical detection. Signature-based security technologies by definition imply that "someone is going to get hurt" before the new attack is discovered and a signature is distributed. Statistical detection also suffers from probabilistic failures: there is some non-zero probability that a new kind of attack is going to go undetected. Honeypots, on the other hand, are designed to identify and capture new attacks against them. Any activity with the honeypot is an anomaly, making new or unseen attacks stand out.
  • Honeypots capture encrypted activity. Even if an attack is encrypted, honeypots can capture the activity. As more organizations adopt encryption (such as secure shell [SSH], IP Security Protocol [IPsec], and Secure Sockets Layer [SSL]) within their environments, this becomes a major issue. Honeypots can do this because the encrypted probes and attacks interact with the honeypot as an end point, where the activity is decrypted by the honeypot.
  • Honeypots work with IPv6. Most honeypots work in any IP environment, regardless of the IP protocol, including IPv6. IPv6 is the new Internet Protocol (IP) standard that many organizations, such as the Department of Defense, and many countries, such as Japan, are actively adopting. Many current technologies, such as firewalls and intrusion detection system sensors, are not adapted well for IPv6.
  • Honeypots are highly flexible. Honeypots are extremely adaptable and can be used in a variety of environments, everything from a social security number embedded into a database to an entire network of computers designed to be broken into. It is the ability to customize honeypots that allows them to do what few other technologies can: gather extensive information, especially against insider threats.
  • Honeypots require minimal resources. Even on the largest of networks, honeypots require minimal resources. A simple, aging Pentium computer can monitor literally millions of IP addresses, or an OC-12 network.

Like any other technology, honeypots also have disadvantages. They are not designed to replace any technologies. Instead, they add value by working with existing technologies. As a honeynet is nothing more than one type of honeypot, honeynets also share the following disadvantages:

  • Honeypots have a limited field of view. Honeypots see only what interacts with them. They do not see attacks against or interactions with other systems. While this can be an advantage, it can also be a disadvantage. A honeypot will not tell you that another system has been compromised, unless that compromised system interacts with the honeypot. To address this disadvantage, there are a variety of measures you can take to direct attackers' activities to honeypots, such as the use of honeytokens, redirection, and so on.
  • Risk. Any time you deploy a new technology, that technology introduces risk; specifically, the risk of an attacker taking over that system and using it as a launching pad for other attacks against internal or external targets. Even IDS solutions that have no IP stack assigned to them can be at risk (sniffers such as Snort and Snoop have been vulnerable to remote attacks). Honeypots are no exception. Different honeypots have different levels of risk, with various ways to mitigate that risk. Of all the different types of honeypots, honeynets have the greatest level of risk.
