Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Tue, 02 Sep 2003 01:45:39 -0400

Tom Britten wrote:

> The other part of
> the solution does lie in convincing them that this is a real valuable host.

One of the tricks I like to play is to give the box some menial production role, say a secondary name server. This gets the host out there as being a legit system, quiets people's nerves about "entrapment" issues, and does it on a box that, if you need to bring it down, has minimal impact on production (note: don't do this with your one and only secondary NS ;-)

> Furthermore, a lot of blackhats are doing the same research that we are
> but in reverse. And this affects the type of hosts that they attack, as in
> they aren't looking for a machine that has every possible exploit on it.

It's a numbers game. The same way there are tons of people on the white hat side, but only a small subset that really know their stuff, there are few true black hats compared to all the script kiddie noise. I believe this is why Lance has pushed so hard to grow the Honeynet. The more sensors/honeypots out there, and the more diverse the landscape they are installed on, the more likely it is that you will tag something interesting.

> These
> are people building their own exploits or discovering ones that we don't yet
> know about. My two cents. ^_^

But that does not mean people are not finding them.

Look at it this way, let's say security professional Billy Bob Fubar sets up a honeypot that gets hit with a 0-day. They reverse engineer it and figure out how the black hat got in. Now they have two choices:
1) Release the exploit info and take credit for the find
2) Release the exploit and give credit to the black hat

If Billy Bob Fubar goes with option #1 it brings him respect within the community, and it's not like the black hat is going to stand up and say "Hey, he didn't find that, I've been whacking systems with that exploit for years!".

So while it may *seem* like honeypots are only catching the noise, that may not necessarily always be the case.

> The last comment I would make is that most of the things that set people
> off about whether or not a system is real are almost impossible to hide. The
> only way to truly do this would be to build a new distro that has all the
> features in it, for it is very difficult to transform a current distro.
> Start with LFS and slowly work your way up adding bogus commands and
> services.

Depends on what you are trying to achieve. The way I see it, there are three categories you can analyze here:
1) How did they break in?
2) How did they root the box?
3) What is their motivation?

If the box is bogus but you can't tell till you get in, you will still catch #1. If you are going for #2, you are right. The box has to look legit. As for #3, you typically need to have them playing on the box for a while to figure this one out. To be honest, I think the great work done by Lance and others has done a wonderful job of already answering that one.

So from my perspective, the most important category (how are they breaking in?) will still get caught even if the system does not look "perfect". So long as the system fingerprints properly and the banners look legit, you are cooking with gas.

HTH,
C

