Honeypots mailing list archives

RE: deceptive content on honeypots


From: "Richard La Bella (Florida Honeynet)" <richard () sfhn org>
Date: Tue, 1 Apr 2003 09:29:00 -0500

Jeremy and all,



The answer to your question is yes. The South Florida Honeynet Project, now
the Florida Honeynet Project at http://www.floridahoneynet.org, is moving
full force to plan, implement, and deploy what we are calling the Covert
Honeynet Initiative.



What is a covert honeynet?

A covert honeynet is a high value honeynet designed to look, feel, and
behave like a valid resource or organization. This means we must build and
deploy a true environment that parallels the general requirements one might
find within their own organization. For example, a web farm, a back end
database, an enterprise mail server, syslog server, routing, switching, an
FTP daemon, an SSH server and the list goes on. All these hosts will be
populated with data that is in line with the organization we deploy. On May
1, 2003 we will announce a separate site dedicated to the Covert Honeynet
Initiative. This site will document and share the lessons we learn
throughout the whole process. It's geared toward helping others build
similar environments.



How will this get done?

We have recently partnered with an organization that specializes in secure
collocation and monitoring. This partnership will drive the Covert Honeynet
Initiative. Key individuals of that organization and our Project will
contribute their skills and technological resources to support this effort.
We couldn't have done it any other way and are pleased to have everyone
involved.



Since September 2001, the Florida Honeynet Project has been deploying
research honeynets using a home DSL line. The home DSL line will go away
this week. Through our partnership we will have a second tier backbone
presence using a partial or full DS-1 circuit and a larger allocated scope
of IP addresses. An ARIN look up of our scope will reflect our organization
as will a corporate search of our organization at the state level too. The
goal is to remain covert. And using the tools developed and tested by the
Honeynet Project, http://www.honeynet.org/papers/honeynet/tools/ and the
Honeynet Research Alliance, http://www.honeynet.org/alliance is the best way
for us to pull this off successfully.



When will this get done?

Planning and implementation have begun for the foundation required to support
the covert honeynet. Go live is expected by year's end or first quarter of
2004.





Thanks for remembering the presentation Jeff Dell and I gave in Las Vegas.
If anyone has any questions, comments, or suggestions regarding this effort
you can send correspondence to covert () floridahoneynet org.





Cheers,



Richard La Bella


Florida Honeynet Project
http://www.floridahoneynet.org
richard () floridahoneynet org

