Honeypots mailing list archives

RE: Introducing the Tactical Honeynet Deployment Project


From: "Dan Hawrylkiw" <dh () ahpra org>
Date: Mon, 1 Sep 2003 13:41:25 -0700

I'm glad to see any advancement in honeynets and agree that more
deceptive boxes make it less likely that an advanced blackhat will
'bail'.  However, I think there are three requirements for capturing
advanced activity: Location, Location, and Location.

Advanced blackhats aren't interested in collecting rooted boxes.  They
are interested in information.  What this means is that they will be
looking for concentrations of valuable information.  Where? Probably
high profile netblocks and/or production servers.  Advanced blackhats
will probably only use a host found through random scanning as a
jumping-off point.  The reality is that they probably won't root a
random box any differently than a script-kiddie.  While it would be
interesting to see how a jump point was used by an advanced black-hat, I
wouldn't want to touch the potential legal issues of being a middle-man
in a theft of over 100K credit card numbers. 

I have seen *somewhat* more interesting activity (such as defacement
attempts) on honeypots used to offload attacks from internet facing web
or mail servers.  These honeypots can be used to 'protect' production
systems from real attacks, which is legally plausible.  Merely
monitoring the attacker's activity is legally unclear, and big players
with more to lose are less likely to be interested in playing.  With
that said, if the legal issues weren't there, I think the most
interesting captures would come from honeynets that looked like
backdoors into an organization's internal network.

/Dan Hawrylkiw
Phoenix Area Network Intrusion Research Alliance

Honeypot:  
   noun; Online multiplayer role-playing game; where only one party
knows who is playing.

  

-----Original Message-----
From: Michael Anuzis [mailto:michael_anuzis () hotmail com] 
Sent: Saturday, August 30, 2003 11:32 AM
To: honeypots () securityfocus com
Subject: Introducing the Tactical Honeynet Deployment Project


Dear honeynet community,
This e-mail is to inform anyone interested of the establishment of the
Tactical Honeynet Deployment Project ( http://www.thdp.org ).

Currently there are several honeynet and honeypot projects in existence
and I think everyone would agree with me if I said: "it seems like the
last thing the honeynet research community needs is another project
doing the same old thing..." but at the same time I think we can each
agree honeynet research has been struggling as of late. Something has
been missing. Script-kids are the only ones getting "caught", or "biting
the bait" so to speak. The Tactical Honeynet Deployment Project, with a
complete focus on the concepts of deception, psychology, and control,
hopes to transform the honeypot from a tool hacked only by neophyte
script-kids, to a more advanced system of deployment that will be
capable of studying the more sophisticated class of blackhats.

As of now, our project is just being established and we have very few
members. For this reason, if you have been in the study of honeynet
research for a while and are ready to take your honeynet designs to the
next level, we would be interested in sharing your insights in our
project's pages.

If our project's website (available at http://www.thdp.org) sounds like
something you would be interested in participating in, it would be a
great opportunity for us to work together in making today's limited
honeynet implementations into something more.

Regards,

Michael Anuzis, CCNA
Network Security Consultant
Mobile: 248.376.7030
CTO, Advanced DataTactics, Inc.
CTO, Advanced InfoTactics, Inc.
Project Coordinator: http://www.thdp.org
