|Mark T. Edmead|
Have you ever been interested in how a hacker breaks in to a system? Are you the victim of hacker attacks, and would you like to keep the attacker "engaged" so you can gather information about him (but not use your live system as a guinea pig)? A solution would be the deployment of a honeypot system. A honeypot is an Internet-attached system that acts as a decoy, luring in potential hackers like bees to honey.
Honeypots act like live systems, but in reality they don't contain any live data or information. A honeypot can be configured to co-exist on your existing network to limit the intruder from complete access to protected areas. If the honeypot is configured correctly, the intruder won't have any idea that he is in a fake system and that his actions are being monitored. In fact, these honeypot systems have ports that can respond to port scans, contain user accounts and even system files. So while the hacker thinks he's looking at a real system, he's actually lurking on a secure "sandbox" system while we monitor his every move.
Lance Spitzner, founder of the Honeynet Project, says, "Honeypots are not a solution. They do not fix anything. Instead, honeypots are a tool." Honeypots can help with the detection of hacker activity in the network and allow us to gather information about their activities. With this information, we can learn how hackers compromise or bypass our security controls, helping us to develop better defense mechanisms.
While honeypots collect very little data (compared to IDS systems), the data they do collect is extremely valuable. Many network intrusion detection systems can't keep up with the massive amounts of network activity and tend to drop packets. Because of the massive amounts of data collected, wading through gigabytes of data to find what you need is a monumental task. Honeypots capture only certain and specific traffic, reducing the network bandwidth requirements as well as limiting the amount of data one must look through to find information. If no one attacks your honeypot, the implementation is useless.
A study conducted by Recourse Technologies by Global Integrity Corp. outlines these additional general honeypot advantages:
- Athough they should not be considered defensive countermeasures per se, honeypots deter attacks.
- Honeypots sidetrack attackers' efforts, causing them to devote their attention to activities that can cause neither harm nor loss.
- They allow the "white hat" community to study exactly what attackers are doing without exposing systems and networks to additional risk that results from compromised system.
- They are an excellent method of detecting insider attacks. Insider attacks involve fundamentally different attack patterns (usually considerably more subtle ones) from external attacks.
When designing a honeypot system, consider the following design goals:
- Make sure the honeypot looks as generic as possible. Basically, you don't want to scare away the intruder by making your system too intimidating. You want to make the system attractive by placing dummy information that looks legitimate.
- Make sure you don't allow the intruder into your private network and more important, don't allow the intruder to use your system to launch an attack against other computers.
Legal Issues surrounding honeypots
Before you activate your honeypot, look at the legal ramifications of what you do. There are two legal issues you should be concerned with when it comes to honeypots: entrapment and privacy. Most likely, entrapment is not a real issue when it comes to honeypots. That is because with a honeypot, we aren't doing anything to induce or persuade hackers to enter our systems. Instead, hackers target and attack honeypots on their own.
The issue of privacy is another story. What happens when an attacker places stolen files on your machine? There could be a privacy issue with respect to the interception of communication and the violation of the Electronic Communication Privacy Act (18 USC 2701-11).
You should also check with your legal team to determine if the information you gather with a honeypot can be used for prosecution. As with any computer-investigation process, it's critical that the information gathered to prosecute a hacker conforms to the chain of evidence. That is, make sure you maintain complete control of the evidence for accountability and protection. That way you can prevent possible evidence tampering, which would make the information inadmissible in court.
Honeypots, if implemented correctly, offer the network administrator a way to discover unwanted activity on a network. Just as with any other network-design technology added to your network, you should make sure that a policy regarding the design, deployment and use of honeypots is developed. And remember, honeypots are a tool with strengths and weaknesses. Honeypots don't "secure" your enterprise but should alert you when there are unauthorized people lurking in your network.
References and additional information:
The Honeynet Project is a non-profit research group of 30 security professionals dedicated to information security. Its goal is to learn the tools, tactics and motives of the blackhat community and share these lessons learned. Founded in April 1999, all of the group's work is open source and shared with the security community.
Here's a good honeypot program that can be used to configure individual responses for each port.
This is a simple application that notifies you whenever someone tries to remotely control your system using Back Orifice.
SPECTER is a smart honeypot or deception system. It simulates a complete machine, providing an interesting target to lure hackers away from the real machines. SPECTER offers common Internet services such as SMTP and FTP, which appear perfectly normal to the attackers but are traps for them. Hackers leave traces without even knowing they're connected to a fake system that does none of the things it appears to do but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates the attackers while they're still trying to break in.
Honeyd is an extremely powerful, open-source honeypot. Designed to run on Unix systems, it can emulate more than 400 operating systems and thousands of computers, all at the same time.
About the author: Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software Inc. and has more than 25 years' experience in software development, product development and network systems security. Fortune 500 companies have turned to Mark often to help them with projects related to Internet and computer security. He was managing editor of SANS Digest (Systems Administration & Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. Mark previously worked for KPMG's Information Risk Management Group and IBM's Privacy and Security Group, where he performed network security assessments, security system reviews, development of security recommendations and ethical hacking. Other projects included assisting companies develop secure and reliable network system architectures for their Web-enabled businesses. Mark is co-author of the book Windows NT: Performance, Monitoring and Tuning published by New Riders, editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide and is currently authoring a book on Wireless LAN security.
This was first published in August 2002