Re: Honeypots: Uses and Features

[Geoffrey Shorter <geoffreyshorter () hotmail com>]

In-Reply-To: <Pine.LNX.4.44.0306021703490.20272-100000 () marge spitzner net>

Responding to Lance's call for what's important in honeypots, I hope the 
below is not too long... 

Most important:
1. Detection is by far most important for us. 

We are mostly concerned about attacks from inside our own organization, 
which numbers about 3,500 users on our LAN and 45,000 users over our WAN. 
This includes, in particular, IT Departments in remote physical locations 
that we have no contact with. We have Event Log monitors and (we think) 
reasonable security in place. But if someone with my abilities in a remote 
IT department gets disgruntled, that is what concerns me most. (We would 
like to install a firewall between our LAN and the WAN, but we are not 
allowed to do so yet.)

We want to detect unauthorized scans, probing, etc. We are setting up 
honeypots that we know correspond to the names of important servers around 
our organization. i.e., all our locations use the same major pieces of 
software. So, if we have a server named ARD_SQL that is a critical server 
for our the ARD application in our Accounts Receivable Department, it is 
likely that remote locations have the same or similarly named servers in 
their areas. 

This means we can guess what some of our most likely targets are. We're in 
the process of renaming these servers, and putting honeypots on our 
network named ARD_SQL and the like. In a way, this is almost like 
entrapment, but, then again, we're not the government...  ;) 

Within our local environment, the end-users do not necessarily know the 
name of the server they're connecting to. In many cases, the application 
knows how to connect, and the user doesn't. So, we can change the names of 
the servers, pointing the client-side application to the new server name, 
without even alerting the end-users that the name has changed. 

As long as our IT Department can keep this a secret, then we also 
essentially set up a trap for local disgruntled end-users who guess 
obvious server names. 

We are also preparing to set up honeypot Terminal Server emulators. We 
have 10 TS's in place now, numbered sequentially: BigServer01, 
BigServer02, etc. In the next few months, we plan to roll out 40 more TSs. 
We plan to put one honeypot sequentially in place for each 10 TSs. 
BigServer04, for example, is targeted to be replaced with a honeypot, 
broadcasting on the TS port, looking to trap people who might want to 
password-grind. A lot of end-users and IT personnel know the names of 
these TSs, so we feel 1 honeypot per 10 TSs is not overkill, since TSs 
tend to stick out with big red flags on em.

Second-most important feature of honeypots for us:
2. Proof of danger. Many people in our organization believe we are safe 
because of the firewall, anti-virus, etc. In particular, we are wanting to 
prove that internal threats exist. We have already seen a local machine 
attempting to log on to what was a sensitive financial server (before 
being turned into a honeypot by the same name!). And we have seen multiple 
clients attempting to access servers they are not authorized to access, 
based on the name (ARD_SQL, for example). So far, all the unauthorized 
access attempts have come from within our own LAN. We're still waiting for 
attempts across the WAN. Once we get some attempts from the WAN, then 
we'll make another run at the "people in charge" for allowing a firewall 
between our LAN and the WAN.

Third most important feature:
3. Ease of use. We must have something that takes little time to 
administer on a daily basis. Limited number of administrators, large 
number of security issues to cover.

We're in a production environment, so research honeypots are way beyond 
our abilities to manage at work, altho I will probably end up deploying 
one at home in my spare time ...  :)

This is really interesting stuff. Great book by the way, thanks!

Geof

> From: Lance Spitzner <lance () honeynet org>
> To: honeypots () securityfocus com
> Subject: Honeypots: Uses and Features
>
> One of the things that defining honeypots demonstrated for
> us was that honeypots come in MANY shapes and sizes, they
> can accomplish many different goals.  This got me wondering,
> what are individuals and organizations using honeypots
> for, what features or capabilities do you consider the
> most important?
>
> If you have a moment, post what capabilities you feel
> are the most important, and why.   My intent here is 
> not only can we share ideas, but this discussion can
> potentially help the development of honeypots in general.
>
>
> Thoughts?
>
> -- 
> Lance Spitzner
> http://www.tracking-hackers.com