Re: Need your helping defining honeypots

[Jeremy Bennett <jeremy_f_bennett () yahoo com>]

Good point Richard. Here's the definition I've been using in
presentations:

A honeypot is any system who’s sole purpose lies in being a potential
target for attacks.

You make me realize, though that there are two core uses of honeypots
that need to be addressed. The first is the honeypot as a decoy server,
this is covered by my definition above. The second is a honeypot as a
deception environment, such as a warez server. 
I would revise my definition as follows:

A honeypot is any system who's sole purpose lies in being probed,
attacked, or used by unauthorized persons or their agents.

Some have pointed out that honeypots can capture authorized users
attempting to use the honeypot for unauthorized reasones. I argue that
authorization on one system does not confer authorization to another,
nor does a valid logon to a system grant authorization to log in. Thus
there are no authorized users of a honeypot.

-J

--- "Richard.Salgado () usdoj gov" <Richard.Salgado () usdoj gov> wrote:
> Date:   05/16/2003  04:34 pm -0400  (Friday)  
> From:  Richard Salgado
> To:  "honeypots () securityfocus com@inetgw".WTGATE2.CRMGW
> Subject:  Re: Need your helping defining honeypots
>
> The second definition (or some version of it) is preferable to the
> first for a few reasons.  Basically, the original definition assumes
> that to be a honeypot, the deployment must be a "security" resource. 
> This is likely the most common use among the members of this list,
> but a honeypot is not necessarily deployed to learn about how
> blackhats probe, attack or compromise a system, or to find means to
> enhance security.  A honeypot may be used by law enforcement, for
> example, to create a fake warez service to further the investigation
> of pirate groups.  In that case, law enforcement isn't looking for
> lessons on how to secure systems; the agents are trying to find bad
> guys and use a honeypot to do so.  To limit the definition to
> "security" and "probes, attacks and compromise" misses a world of
> other potential goals for a fake-production server.
>
> In my world, the essence of a honeypot is much closer to the second
> option than the first. It is a system used to monitor unauthorized or
> illicit activity.  The definition needs to be broad enough to capture
> honeypots with a security-research goal as well as deployments aimed
> at other misuses of networks and data.  (I think Lance would like to
> be sure that the definition covers honey tokens as well).  Perhaps
> the we could combine the two definitions as follows:
>
> "A honeypot is a computer resource the value of which lies in
> monitoring unauthorized or illicit use of the resource."
>
> Richard Salgado
> Computer Crime and Intellectual Property Section
> U.S. Department of Justice
>
>
> > > > eshirey () pclocals com@inetgw 05/16/03 02:54PM >>>
> Lance Spitzner wrote:
>
> > Recently I released a paper attempting to define honeypots.
> > I've received alot of great feedback on that.  Some of the
> > feedback has been we may be able to improve on the definition.
> > Honeypots are extremely flexible and can be used for many
> > different things.  As such, I propose two different possible
> > definitions.  Comments/input GREATLY appreciated!
> >
> >
> > Option 1:
> > ---------
> > A honeypot is a security resource who's value lies in being
> > probed, attacked, or compromised.
> >
> >
> > Option 2:
> > ---------
> > A honeypot is a resource operated to monitor the use by entities 
> > who are unauthorized, or have reason to believe they are
> unauthorized, 
> > to use those resources. 
> >
> >
> >
> > Do you have a preference for either defintion, a different
> > defintion, or perhaps a combination of the both?  If so, why?
> > Let us know.
> >
> > Thanks!
>
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>          !
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>                                                                      
>