IDS mailing list archives

Re: Honeypots, what is their limits for intrusion detection?


From: krymson () gmail com
Date: 8 Jul 2009 13:52:33 -0000

I'll first say that honeypots are not a substitute for a decent IDS/IPS posture, or network analysis/server protection. 
I consider honeypot use an advanced technology that has only minimal value to most shops. 

To answer your question, a honeypot will be able to detect two things:
- automated attacks that include your honeypot/net
- manual attacks that include your honeypot/net

Note that if a manual attack starts attacking your web servers and if they don't find the honeypot, then the honeypot 
is worthless to you and won't help you detect the ongoing intrusions. You won't know anything or be able to make any 
conclusions based on a quiet honeypot or which attacks it missed since you can never have the whole picture.

It might sound like I'm ragging on honeypot concepts, but I'm just trying to bound the value of it. There *is* value in 
it, but it is limited.

1. If you have a specific interest in examining the tools attackers use, or in capturing and analyzing malware, honeypots are 
possibly invaluable to you. However, most organizations simply neither care nor have the spare man-hours to devote to 
such endeavors. No harm there; most admins don't get anything from analyzing that stuff on company time. If you donate 
such captured stuff to companies who do specialize in that, then maybe you can see some value in giving back to the 
community to make everything more secure...

2. Honeypot concepts tend to "borrow" the value of monitoring your dead network space for traffic as one reason to use 
honeypots. I don't buy that specifically, but there is value in monitoring your dead space on the network. If you have 
unused IP addresses and someone does a recon sweep of your IP block, you'll see that traffic trying to find your dead 
space. There should only be few (if any) legitimate reasons for your dead space to be scanned or poked at. This is the 
biggest value, but is not necessarily something that honeypot technology alone will provide. You can do this in other 
ways. 

It's kinda like making a miniature house inside a window on your house that you leave unlocked so when an attacker 
climbs in, they're just in this fake house and not your own...that way you can watch what they do and where they look 
for your valuables. (Any MacGyver fans?) Most people only care that someone is getting into their window, and so put an 
alarm on it. All the rest is not of value to most people.


All of that said, if you have an interest in it, I certainly wouldn't discourage getting into it. You, as a person, can 
learn a lot just by setting it up and catching some things, most probably automated unless you have something of value 
hanging out there for manual attackers. Just, most corporations have little need for it.


<- snip ->
Hi,
I have a newbie question related to intrusion detection. It was 
suggested to me that honeypots only catch automated attacks; is that 
true? How can we know which attacks are not caught? Are there any papers 
on what sort of attacks are caught by using honeypots?

Regards
Tomas
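The reply's point 2 is that the real detection value lies in watching your unused ("dead") address space: a recon sweep touches addresses nobody legitimately talks to. The script below is an added example, not code from the poster or from any honeypot product; it takes flow-style log lines (a constructed sample, with constructed RFC 5737 documentation addresses and a hypothetical list of allocated hosts), flags every connection whose destination sits inside the monitored block but is not allocated, and groups those hits by source so that a source touching several dead addresses stands out as a sweep while a single stray hit does not.

```python
"""Flag probes of unused ("dead") address space from flow-style log lines.

Added example (not from the original post). The monitored block, the set of
allocated hosts, the log format and the sample lines are all constructed.
"""
import ipaddress
from collections import defaultdict

# Assumption: the monitored block is one /24 and these four addresses are the only live hosts.
MONITORED_BLOCK = ipaddress.ip_network("192.0.2.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.10", "192.0.2.25", "192.0.2.80")}

# Constructed sample flow records: "<timestamp> <src> <dst> <dport> <proto>".
# 198.51.100.7 walks consecutive addresses (a sweep); 203.0.113.9 hits one dead address once.
SAMPLE_LOG = """\
2009-07-08T13:00:01 198.51.100.7 192.0.2.10 80 tcp
2009-07-08T13:00:02 198.51.100.7 192.0.2.11 80 tcp
2009-07-08T13:00:02 198.51.100.7 192.0.2.12 80 tcp
2009-07-08T13:00:03 198.51.100.7 192.0.2.13 80 tcp
2009-07-08T13:00:03 198.51.100.7 192.0.2.14 80 tcp
2009-07-08T13:00:04 203.0.113.9 192.0.2.25 443 tcp
2009-07-08T13:00:05 203.0.113.9 192.0.2.200 22 tcp
2009-07-08T13:00:06 198.51.100.7 192.0.2.80 80 tcp
"""


def parse_line(line):
    """Split one flow record into a dict; raises ValueError on malformed input."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def is_dead_space_hit(rec, block=MONITORED_BLOCK, allocated=ALLOCATED):
    """True when the destination is in our block but nothing is supposed to live there."""
    return rec["dst"] in block and rec["dst"] not in allocated


def find_dead_space_hits(log_text, block=MONITORED_BLOCK, allocated=ALLOCATED):
    """Return every parsed record that targets unallocated space in the monitored block."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_dead_space_hit(rec, block, allocated):
            hits.append(rec)
    return hits


def summarize_sources(hits, sweep_threshold=3):
    """Group dead-space hits by source address.

    A source that touched at least `sweep_threshold` distinct dead addresses is
    marked as a sweep; a lone hit is reported but not escalated, since a single
    typo'd destination is a plausible benign explanation.
    """
    per_src = defaultdict(set)
    for rec in hits:
        per_src[str(rec["src"])].add(str(rec["dst"]))
    return {
        src: {"dead_targets": sorted(dsts), "sweep": len(dsts) >= sweep_threshold}
        for src, dsts in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize_sources(find_dead_space_hits(SAMPLE_LOG)).items():
        label = "SWEEP" if info["sweep"] else "single hit"
        print(f"{src}: {label}, dead addresses touched: {', '.join(info['dead_targets'])}")
```

The interesting design choice is the threshold: the flag fires on the number of distinct dead addresses per source, not on the raw hit count, so a source that retries one wrong address twenty times is still a single-address event, while one that walks four consecutive dead addresses is a sweep. In a real deployment the allocated set would come from your IPAM or DHCP data rather than a hard-coded list, and the same logic applies unchanged to IPv6 blocks because `ipaddress` handles both families.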
