Penetration Testing mailing list archives

Re: [PEN-TEST] Recourse Technologies -- info wanted


From: Erik Tayler <erik () digitaloffense net>
Date: Tue, 3 Oct 2000 16:02:49 -0500

I believe that most of your thoughts are correct, but in my experience, I
have found that placing a honeypot within enterprise situations was quite
useful. The reason it was so useful, in my opinion, was that this honeypot
was designed to lead people to believe that they have already accomplished
their goal. What I mean is that I placed a bunch of important-looking
information on the server, made it look like they hit the jackpot, etc.
Because this was in a DMZ that had absolutely no access to anything else
[firewall ACLs were tight, restricting all access to and from the
honeypot]. Basically the honeypot wasn't connected to anything else, at all,
therefore the attacker encountered a dead end. In such a case, only someone
experienced would be able to gain a better view of the situation, and even
realize that there was more out there.

However, I do agree that [in some cases], placing a honeypot in an
enterprise network is senseless. Many do not know how to create a honeypot,
and do not know what precisely it is supposed to be used for, and might just
be opening an even larger hole.

Just my 2 cents.

Erik Tayler
http://www.14x.net
http://www.digitaloffense.net

I have some qualms about putting a "target" on my network. I understand
that they may facilitate tracking an attacker, but honestly, why not invest
your money into building a secure architecture in the first place? A fake
"insecure" host or network may lead an attacker to find a vulnerable real
host there. I understand a honeypot's use in an academic or research
environment, but as an enterprise appliance, it seems like a pretty poor
idea. I agree with Mark on building traps on existing insecure operating
systems, but I'd take it one further, an unknown, proprietary operating
system isn't better. Just because no vulnerabilities have been found
doesn't mean that no vulnerabilities exist, and even honeypot designers can
make mistakes.

