Honeypots mailing list archives
RE: Honeypot Defintion - over thinking it.
From: Jon Price <jon () nytimes com>
Date: Mon, 26 May 2003 01:32:29 -0400
At 10:01 PM 5/25/2003 -0700, Kohlenberg, Toby wrote:
> While it's a good attempt, I think you've over-constrained/over-defined the term. Consider- the purpose of a honeypot might have nothing to do with learning about hacking techniques and thereby improving security.
Yes, I see your point.
> For instance, you might set one up as a trap to find internal attackers.
> Also, as with many art forms, I think that in giving a definition, you want to remove anything that isn't essential. Hence the comment about a honeypot usually being a dedicated computer should be removed. It might be accurate, but it doesn't add anything essential to the definition.
I agree.
> In addition, I think we can and should remove the term "system" from the first sentence.
right.
> Perhaps:
> A honeypot is a security tool, consisting of a system or dataset for which there is no legitimate reason for anyone to interact with and therefore _all_ use can be considered unauthorized. The system or dataset is usually configured to easily allow attackers to access it in order to entice them.
Sounds good to me.
> That captures the key points I've heard so far: You want attackers to go to honeypots. and No one has a legitimate reason for being on a honeypot.
right, those are the key points.
> But it doesn't add any constraints about what else you might do with a honeypot. I think the last sentence is awkward, any suggestions on rephrasing it?
I like the term "entice".
toby

-----Original Message-----
From: Jon Price [mailto:jon () nytimes com]
Sent: Sunday, May 25, 2003 6:43 PM
To: Kohlenberg, Toby; cta () hcsin net; honeypots () securityfocus com
Cc: Lance Spitzner
Subject: RE: Honeypot Defintion - over thinking it.

another try. I'm trying to incorporate Toby's point about how a honeypot is different from other computers on the network.

A honeypot is a system security tool, usually a dedicated computer, which purposely allows intruders to enter so that - unbeknownst to them - their hacking techniques and the system vulnerabilities they exploit can be learned about and used to improve system security.

Jon

At 04:47 PM 5/25/2003 -0700, Kohlenberg, Toby wrote:

I've seen a number of interesting suggestions and lots of good thoughts but I keep seeing definitions that seem overly complex.

Here's my reasoning- you can use a honeypot for lots of things- research, intrusion detection, entertainment (the honeypot drinking game? every time your attacker tries a DOS command on a unix system you have to drink!), whatever. The question isn't what you're using it for. The question is, how is a honeypot different from any other system on the network?

For instance, the definition that has been offered up recently:
"A honeypot is an information system resource whose value lies in monitoring unauthorized or illicit use of that resource"
is a good start but it doesn't get to the heart of the matter. Any system may have value in monitoring it for unauthorized or illicit activity. The key distinction about a honeypot is that there is _no_ legitimate reason for someone to be on it.

Therefore, I submit this definition:
"A honeypot is a system or dataset for which there is no legitimate reason for someone to interact with it and therefore _all_ use can be considered unauthorized."

I think it really is that simple. What do y'all think?
toby

> -----Original Message-----
> From: Bernie, CTA [mailto:cta () hcsin net]
> Sent: Saturday, May 24, 2003 7:33 AM
> To: honeypots () securityfocus com
> Cc: Lance Spitzner
> Subject: Re: Honeypot Defintion - Almost There, or a new path?
>
>
>
> I feel Marc's perspective has merit.
>
> After pondering the definitions presented thus far, and while
> considering a simple technical definition of a Computer, i.e., "A
> device that receives, stores, processes, and presents data in
> response to commands", I suggest this definition:
>
> Honeypot:
> "An automated computer system for detecting erroneous,
> unauthorized or illicit use of system resources."
>
> As an old embedded system engineer, I decided to include
> the word "automated" as to infer the implicit use of 5 basic
> functions of automation:
> 1. Collection of Information
>
> 2. Communication of Information (man-machine, machine-machine)
>
> 3. Computation of Information (data logging and data
> processing)
>
> 4. Control of Operations (both human and machine)
>
> 5. The logical coordination among the preceding four functions
>
> I use the word "detecting" to move away from the user
> application and *legal* usage, which may include "monitoring".
>
> I included the word "erroneous" to express that honeypots
> may also detect incidents which are not specifically
> unauthorized or illicit. For example, we deploy a honeypot as
> a security safeguard - When a legitimate User attempts to login
> to their website. However, after failing to correctly enter their
> password more than X times, the User triggers the security
> safeguard and is automatically redirected to the honeypot to
> detect if the incident is an erroneous action, unauthorized or
> illicit.
>
> I have used honeypots in this topology for some time and have
> found the resource significantly beneficial in design, debug and
> enhancement of a system's functional utility as well as the
> user interface of web-based applications.
>
>
> Thoughts?
>
>
> On 23 May 2003, at 17:05, Marc Dacier wrote:
> >
> > Based on this "usage", is this "information system resource" a
> > honeypot ? I would tend to say yes but your definition leads me
> > to believe that you would say no.
> >
> > Can't we come up with a definition that does not take the usage
> > into account at all ?
> >
> > >Since this is the preferred option of the two, this is
> > >what we will go with.
> >
> > Mmmmm ... the least worst of the two 'definitions' does not
> > make a good one :-)
> >
> > Reactions, remarks ?
> >
> > Cheers,
> > Marc
> >
>
> On 23 May 2003, at 9:30, Lance Spitzner wrote:
>
> <snip>
>
> "A honeypot is an information system resource whose
> value lies in monitoring unauthorized or illicit use
> of that resource"
>
>
> "A honeypot is an information system resource whose
> value lies in unauthorized or illicit use of that
> resource"
>
> <snip>
>
> -
>
> -
> ****************************************************
> Bernie
> Chief Technology Architect
> Chief Security Officer
> cta () hcsin net
> Euclidean Systems, Inc.
> *******************************************************
> // "There is no expedient to which a man will not go
> // to avoid the pure labor of honest thinking."
> // Honest thought, the real business capital.
> // Observe> Think> Plan> Think> Do> Think>
> *******************************************************
>