Published on September 27, 2004 By Black Xero In WinCustomize News
Honeypots are a relatively new and highly dynamic technology. Because they are so dynamic, it is difficult to define just what they are. Honeypots are unique in that they are not a solution in and of themselves; they do not solve a specific security problem. Instead, they are highly flexible tools with many different information security applications.

This contrasts with such technologies as firewalls and intrusion detection systems (IDSs), which are easier to define and understand as they solve specific problems. Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more. For the purpose of this book, we will define a honeypot as follows:

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

This definition was developed by members of the Honeypot mail list, a public forum made up of over 5,000 security professionals. The definition was difficult to develop, as honeypots can come in so many different shapes and sizes. As a result, this definition is very broad in scope, as it has to cover many different applications of honeypots. The definition of a honeypot does not indicate how a honeypot works or what its purpose is. Instead, its definition refers to how a honeypot generates its value. Simply put, honeypots are a technology whose value depends on the bad guys interacting with it. All honeypots work on the same concept: Nobody should be using or interacting with them; any transactions or interactions with a honeypot are by definition unauthorized.

A honeypot contains no value as a production-oriented component of an information infrastructure; it does no real productive service. Any transactions processed, any logins attempted, or any data files accessed on a honeypot are most likely malicious or unauthorized activities. For example, a honeypot system can be deployed on an internal network. This honeypot would have no production value and no one in the organization should be using it. It could appear to be a file server, a web server, or even an employee's workstation. If someone interacts with that system, they are most likely committing some unauthorized or malicious activity.

In fact, a honeypot does not even have to be a computer. It can be any type of digital entity (often called a honeytoken) that has no production value. For example, a hospital could create a false set of electronic patient records labeled George W. Bush. Because these records are honeypots, nobody should be accessing or interacting with them. These records could then be implanted into a hospital's patient database as a honeypot component. If any employee or attacker attempted to access these records, this would indicate unauthorized activity because no one should be using these records. If anyone or anything accesses the records, they could also generate an alert. It is the very simplicity of this concept that gives honeypots their tremendous advantages (and disadvantages).
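The honeytoken idea above, as an added example that is not from the book or the original post: a small detector that scans database audit lines and raises an alert for any touch of a decoy patient record, whoever the account is. The log layout, table name, record IDs, user names and addresses are all constructed assumptions.

```python
import re

# Assumed decoy rows: (table, record_id) pairs planted by the security team.
HONEYTOKENS = {("patients", "88412"), ("patients", "88413")}

# Assumed audit-log layout: a timestamp followed by key=value fields.
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2004-09-27T10:15:02Z user=nurse_kim src=10.0.4.17 action=SELECT table=patients record_id=10233
2004-09-27T10:16:40Z user=jdoe src=10.0.4.52 action=SELECT table=patients record_id=88412
2004-09-27T10:16:41Z user=jdoe src=10.0.4.52 action=UPDATE table=patients record_id=88412
garbled line without fields
2004-09-27T11:02:13Z user=svc_backup src=10.0.9.3 action=SELECT table=patients record_id=88413
2004-09-27T11:05:00Z user=nurse_kim src=10.0.4.17 action=SELECT table=billing record_id=88412
"""


def parse_line(line):
    """Return a dict of fields for one audit line, or None if unusable."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD.findall(parts[1]))
    if not {"user", "table", "record_id"} <= fields.keys():
        return None
    fields["ts"] = parts[0]
    return fields


def honeytoken_alerts(log_text, tokens=HONEYTOKENS):
    """One alert per (user, src, record); every touch counts, no allowlist."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or (ev["table"], ev["record_id"]) not in tokens:
            continue
        key = (ev["user"], ev.get("src", "?"), ev["table"], ev["record_id"])
        alert = alerts.setdefault(key, {"user": ev["user"], "src": key[1],
            "record": f'{ev["table"]}/{ev["record_id"]}',
            "first_seen": ev["ts"], "actions": [], "hits": 0})
        alert["actions"].append(ev.get("action", "?"))
        alert["hits"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    print(*honeytoken_alerts(SAMPLE_LOG), sep="\n")
```

The service account is flagged just like the interactive user, and the same record ID in a different table is ignored because the decoy is identified by table and ID together.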



(This article is excerpted from the recently published book "Know Your Enemy: Learning About Security Threats".)

Comments
on Sep 27, 2004
Lots of going back and forth and repeating.

Simply put, honeypots are "sitting ducks".

Something that will trigger the attention and curiosity
of people trying to get into a system, so they will poke
around long enough for the security people to nail them.

Fake data/applications/information on a lone server etc
Just barely accessible so it isn't too obvious that it's
a "setup".
on Sep 27, 2004
I think Honeypots should be implemented more often. I also think that they can supply more influential data that can be used to track down a lot of "bad guys" - the purpose of a honeypot is to attract, so I guess my email account is a honeypot - - I tried to get my old employer to develop a Honeypot as a part of our offering (traffic generator - called a flamethrower) I saw and see so much value in the creation and cooperation of such systems to nail the crap out of jerks who muck up an awesome institution such as the Internet for malicious and personal gain. Power to the Honeypot
on Sep 28, 2004
In the olden days, youngsters, such schemes could be "data traps". Remember you can catch more flies with honey than vinegar.
on Sep 28, 2004
Long story short: it's fly paper. Ordinary users won't go there, potential troublemakers will and thus can be identified.