Honeypots mailing list archives
HoneyTokens
From: Lance Spitzner <lance () honeynet org>
Date: Fri, 21 Feb 2003 11:14:01 -0600 (CST)
For those of you who are not on the IDS list, very interesting thread coming up, honeytokens. Resources (such as word documents, excel spreadsheets, webpages) that no one should be touching. Same concept as honeypots, but you are applying it to individuals items (hence the term tokens). Used primarily for detection (and thus why it started on the IDS list). However, since the concept is based on honeypots, wanted to forward to you folks :) lance ---------- Forwarded message ---------- Date: Fri, 21 Feb 2003 11:17:46 -0000 From: Augusto Paes de Barros <augusto () paesdebarros com br> To: focus-ids () securityfocus com Subject: RES: Protocol Anomaly Detection IDS - Honeypots Lance's point can be expanded in very interesting views. Why use only honeypots "hosts" or "nets", when whe can use accounts, documents, info, etc? I was developing an idea that I call "honeytokens", to use on Windows networks. Basically, information that shouldn't be flowing over the network and, if you can detect it, something wrong is happening. -- Augusto Paes de Barros, CISSP http://www.paesdebarros.com.br augusto () paesdebarros com br -----Mensagem original----- De: Lance Spitzner [mailto:lance () honeynet org] To: Focus on Intrusion Detection Systems; slyph () alum mit edu Subject: Re: Protocol Anomaly Detection IDS - Honeypots On Wed, 19 Feb 2003, Robert Graham wrote:
People have been hoping that there is some sort of magic-pill technology that solves the problem of IDS. "Protocol-anomaly detection" is one of those buzzwords that promises a magic pill.
Okay, I'll admit, to me alot of the security problems I see are nothing more then nails, and honeypots are the hammer. However, seriously, have folks considered the detection capabilities of honeypots? The reason I bring this up in this thread, is for honeypots, everything is an anamoly. The concept of a honeypot is it has no production or authorized activity. Everything it captures its way is most likely malicious activity. Not only that, but you dramaticaly reduce 'noise'. Instead of dealing with 5,000 alerts a day (not that high of a number for many organizations) a honeypot in the same environment could only generate 5 or 10 alerts a day, alerts you most likely need to take action on. These small data sets can make it far easier and cost effective to identify and act on unauthorized activity. I'm in no way suggesting that honeypots replace any existing detection technologies, I'm suggesting that can contribute. Personally, I feel the concept of deception has overshadowed the value of honeypots, when one of their true values lies in detection. lance
Current thread:
- HoneyTokens Lance Spitzner (Feb 21)
- Re: HoneyTokens Seth Arnold (Feb 21)
- RE: HoneyTokens Toby Miller (Feb 24)