Honeypots mailing list archives
RE: Usefulness of low-interaction honeypots.
From: "John C. Silvia" <john () cadamier com>
Date: Fri, 5 Sep 2003 10:28:27 -0700
In my opinion, I think that comparing low interaction honeypots with high interaction honeypots and then honeynets is in essence comparing two different points of view in terms of security and interpretation of collected data - Oranges vs. Apples vs. Pomegranates in this case. Using the right tool for your objective is important, but these tools have vastly different objectives. Low interaction honeypots are very useful for identifying hostile IP addresses - while not gaining the deeper specifics about the attack, they do provide you the ability to block a hostile IP address based upon the fact that they connected to your honeypot at all. By its function alone, this type of honeypot is more suited to protect the Internet facing side of a network. Deploying this to block hostile IPs on the first sign of attack is a good defense strategy for your network, as attackers will have to take a different approach on their attack or change IP addresses often. In terms of management costs, the "cost per blocked IP" of these solutions is very low - on par with the cost of operating a firewall. I like to think of low interaction honeypots as a firewall supplement. Honeyd is a good solution but requires manual setup and tuning - for those looking for the lowest "cost per blocked IP", look at the ActiveScout. High interaction honeypots are tuned to the capture of hostile activity targeted at your network - a boon from the intelligence perspective, but this is a decidedly different method of protection. The return on investment with this type of protection is lower than what most companies can afford to spend these days - IDS management also suffers from this problem as well.
From my understanding, most security breaches are inside jobs these days, and if that's true, then in my opinion high interaction honeypots are ideally suited to internal network protection. Performance isn't measurable by "cost per blocked IP" because it's trying to collect information and identify trespassers and not just blindly protect your network. There's also the issue of whether or not what you gain is usable - if you let outside traffic reach a high interaction honeypot, you may well gain some new rootkit learning, but will you identify the attacker or even catch them? Or have a chance at stopping them from coming back? Not likely on the Internet. Honeynets multiply the usefulness of any solution, but if you're careless in your high-interaction setup, a honeynet would likely multiply your mistake(s), making it even easier for the attacker to realize that they're in a honeypot. For internal protection I think a high interaction honeypot is an investment that every large company should build. It can provide insight into who is messing with things they shouldn't, and it provides protection against inside hacks. For external protection, a low interaction honeynet integrated with the firewall can block more hostile activity than a firewall alone, and it requires much less time investment to set up and manage.

-----Original Message-----
From: Kostas K [mailto:acezerocool () yahoo com]
Sent: Friday, September 05, 2003 5:20 AM
To: honeypots () securityfocus com
Subject: Usefulness of low-interaction honeypots.

Hi list,

I am currently working on a project. The project is divided in three parts/experiments.
- Deployment of a low interaction honeypot
- Deployment of a high interaction honeypot
- Deployment of a honeynet
Most of you know the pros and cons of low-interaction honeypots. I have finished with the first one and I have reached some conclusions. Low risk, "low" results. Meaning that low-interaction honeypots are in a way useless.
The reason for saying that is that even if you are attacked you can't harvest enough data in order to understand their 'modus operandi' (style of work, type of attack, etc.). Maybe you get attackers' IP addresses but this is never enough, thus it's useless too, because: Did it harm your system? No, how could it? It's a fake service, it's a fake O/S etc. seems to be a reasonable answer!!! Since, how can you accuse someone that did not harm your system?
From a homemade low interaction honeypot to a commercial one, it is difficult to harvest enough, hence there is a high possibility of being exposed to the attacker. In case the attacker is aware of TCP/IP signatures and can work with snort or Tcpdump then he/she will probably realise what's behind the scenes. It's really what they say, 'sit back and relax' while you are under attack; however, there is nothing much you can do. This is the real problem with low-interaction honeypots. As soon as I finish with the second experiment I will post my opinion for those as well. Besides, I am only expressing an opinion, nothing more! Because it is a research-based project for my dissertation I read much about honeypots and honeynets but I believe few. I am trying to discover on my own what's going on. The only thing I can rely on is the way a honeypot can be built, maintained and deployed, but again you can improvise, which seems to be the best.

Regards
Kostas
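John's "firewall supplement" idea, blocking a source on its first contact with a low-interaction honeypot, as an added example that is not code from this thread, from honeyd or from ActiveScout. The log layout, the allowlist for the site's own scanners, the block expiry and the iptables rule syntax are all assumptions made for the illustration.

```python
"""Turn low-interaction honeypot connection logs into firewall block decisions.

Constructed example: the log format is a simplified honeyd-like layout
(timestamp proto state src sport dst dport), not any tool's real output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three probes from one source, one internal
# scanner we own, and one further external probe.
SAMPLE_LOG = """\
2003-09-05 10:28:01 tcp S 198.51.100.7 4021 10.0.0.5 80
2003-09-05 10:28:02 tcp S 198.51.100.7 4022 10.0.0.5 443
2003-09-05 10:28:03 tcp S 198.51.100.7 4023 10.0.0.5 22
2003-09-05 10:28:09 tcp S 10.0.0.99 5120 10.0.0.5 80
2003-09-05 10:29:11 tcp S 203.0.113.4 3301 10.0.0.5 135
"""

ALLOWLIST = {"10.0.0.99"}        # our own monitoring/scanners: never block
BLOCK_TTL = timedelta(hours=24)  # blocks expire, so churned IPs don't pile up


def parse(log_text):
    """Parse the constructed log layout into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, clock, proto, _state, src, _sport, _dst, dport = line.split()
        events.append({"ts": datetime.fromisoformat(f"{day} {clock}"),
                       "proto": proto, "src": src, "dport": int(dport)})
    return events


def block_decisions(events, min_ports=1):
    """Nothing legitimate should ever talk to a honeypot, so min_ports=1
    blocks on first touch (John's strategy). A higher min_ports trades
    earlier blocking for fewer false positives from stray connections."""
    first_seen, ports = {}, defaultdict(set)
    for e in events:
        if e["src"] in ALLOWLIST:
            continue
        first_seen.setdefault(e["src"], e["ts"])
        ports[e["src"]].add(e["dport"])
    return [{"src": s, "ports": sorted(p), "expires": first_seen[s] + BLOCK_TTL}
            for s, p in ports.items() if len(p) >= min_ports]


def iptables_rules(decisions):
    """One DROP rule per hostile source (assumed iptables syntax)."""
    return [f"iptables -I INPUT -s {d['src']} -j DROP" for d in decisions]
```

The `expires` field is what keeps the "cost per blocked IP" low when attackers change addresses often: stale rules can be removed on a schedule instead of accumulating.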