Re: HoneyTokens - WAS - morning_wood should stop posting xss

[Ron DuFresne <dufresne () winternet com>]

On Fri, 25 Jul 2003, Jason wrote:

> > Alright, I'll grant that in these semi restricted environs one might
> > also make use of such toys, yet, again, these are not open to to all
> > public consumption applications, and a variation on the 'insider threat'
> > scenario. Additionally, if you create false records in a database,
> > and monitor and log accesses to those records, the rest of the data
> > is probably still available for exploit and consumption, nothing
> > has really been stopped or prevented, though it's attempted access
> > might have been logged. Honeypots, in their various forms, are
> > placed for tracking abuse and logging of activities for later
> > analysis and perhaps replay, they are not preventive measures, nor
> > are they IDS/IPS kind of systems. If prevention is combined within the
> > toy, then you have created something altogether different.
>
> Limiting the scope to the definition provided above lets examine.
>
> "Honeypots, in their various forms, are placed for tracking abuse and
> logging of activities for later analysis and perhaps replay"
>
> Given this would the following definition be disagreeable?
>
> Honeytokens, in their various forms, are placed for tracking abuse and
> logging of activities for later analysis and perhaps replay with or
> without the use of a dedicated honeypot.
>
> Seems to me that it is easy enough to place honeytokens in any public
> service to identify and track any number of activities not within the
> normal usage of said service.
>
> There is no requirement that there be an insider, customer, partner, or
> any other known entity to achieve the stated goal of tracking,
> identifying, and analyzing abuse and activities at a later time.
>
> In fact, you could use a HoneyToken
>
> * with a honetpot to make the identification easier.
> * with an IDS to identify attempted intrusions.
> * with a log analyzer to identify theft of data.
> * with a packet logger to flag important sessions.
> * with an access control technology to block further communications.
> * ...
>
> This is not a variation of an insider threat management case. This is
> another layer of defense in depth. It is a practical use of the tools
> available for a security purpose.
>
> I myself have been using snort for this for a long time. I have
> implemented this for my customers and different employers over the
> years. In each implementation different tools have been used, one
> implementation changed the DB used for the session to that of a complete
> honeypot DB if the first record in any table was ever used, I think this
> could qualify as a honeytoken although it better qualifies as bait and
> switch in conjunction with a honeypot.
>
> I implemented another system that used common default accounts to flag
> people attempting to circumvent authentication and closed down access
> for that remote system for 30 sec.
>
> I used no toys to do this and these were public consumption systems.
>
> There was an interest by the people making risk management decisions to
> actively manage that risk by attempting to identify threats as soon as
> possible instead of when it was absolutely too late.
>
> ---- OT message ----
>
> To all those out there that like to get personal:
>
> I would like to pass on something stated to me once, in person, that I
> still have a problem remembering from time to time. Usually after too
> much external influence. :-)
>
> "Your content is not the problem, it is your delivery"
>
> Simply put, you could be the most correct and accurate person in the
> world but with all of this other noise you get yourself ignored. This
> ultimately frustrates you and causes you to become more inflammatory in
> the hopes of getting noticed. Listen carefully. IT DOES NOT WORK! See a
> shrink, get laid, take the blue pill, whatever it takes. Your message is
> lost on the vast majority of people because of your delivery.


Jason;  The I think perhaps our disagrement in this thread is due to
perhaps my 'limited classic view' of honey[toys|trinkets], and howyou make
use of the concept in a less classical way.  These are not exposed to
public or even insider kind of pounding with events merely being logged,
but are in fact used as potential choke points or cutoff switches.  Not
quite classical in the honey[realm] but, a truely interesting use of the
concepts!

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html