Honeypots mailing list archives

RE: Usefulness of low-interaction honeypots.


From: "John C. Silvia" <john () cadamier com>
Date: Fri, 5 Sep 2003 10:28:27 -0700

In my opinion, I think that comparing low interaction honeypots with high
interaction honeypots and then honeynets is in essence comparing two
different points of view in terms of security and interpretation of
collected data - Oranges Vs. Apples Vs. Pomegranates in this case.  Using
the right tool for your objective is important, but these tools have vastly
different objectives.

Low interaction honeypots are very useful for identifying hostile IP
addresses - while not gaining the deeper specifics about the attack, they do
provide you the ability to block a hostile IP address based upon the fact
that they connected to your honeypot at all.  By its function alone, this
type of honeypot is more suited to protect the Internet facing side of a
network.  Deploying this to block hostile IPs on the first sign of attack
is a good defense strategy for your network as attackers will have to take a
different approach on their attack or change IP addresses often.  In terms
of management costs, the "cost per blocked IP" of these solutions is very
low - on par with the cost of operating a firewall.  I like to think of low
interaction honeypots as a firewall supplement.  Honeyd is a good solution
but requires manual setup and tuning - for those looking for lowest "cost
per blocked IP" look at the ActiveScout.

High interaction honeypots are tuned to the capture of hostile activity
targeted at your network - a boon from the intelligence perspective, but
this is a decidedly different method of protection.  The return on
investment with this type of protection is lower than what most companies
can afford to spend these days - IDS management also suffers from this
problem as well.

From my understanding, most security breaches are inside jobs these days,
and if that's true, then in my opinion high interaction honeypots are
ideally suited to internal network protection.  Performance isn't measurable
by "cost per blocked IP" because it's trying to collect information and
identify trespassers and not just blindly protect your network.  There's
also the issue of whether or not what you gain is usable - if you let
outside traffic reach a high interaction honeypot, you may well gain some
new rootkit learning, but will you identify the attacker or even catch them,
or have a chance at stopping them from coming back?  Not likely on the
Internet.

Honeynets multiply the usefulness of any solution but if you're careless in
your high-interaction setup, a honeynet would likely multiply your
mistake(s), making it even easier for the attacker to realize that they're
in a honeypot.

For internal protection I think a high interaction honeypot is an investment
that every large company should build.  It can provide insight into who is
messing with things they shouldn't, and it provides protection against
inside hacks.

For external protection, a low interaction honeynet integrated with the
firewall can block more hostile activity than a firewall alone and it
requires much less time investment to set up and manage.
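
The "block on the first sign of attack" integration described above, as an added example that is not John's code nor part of Honeyd or ActiveScout: a small Python script that reads honeypot connection logs, lists every outside source that touched a honeypot address, and renders time-limited firewall rules. The log format is a simplified one assumed for the example (not Honeyd's real format), the sample lines are constructed, and the honeypot and internal ranges are placeholders. Two details matter for doing this safely: sources inside your own address space (or the honeypot itself) are never passed to the firewall, so a spoofed source cannot make you block your own hosts, and blocks expire, since attackers change addresses and dynamic IPs get reassigned.

```python
"""Turn low-interaction honeypot connection logs into a time-limited firewall block list."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log in a simplified format assumed for this example
# (not Honeyd's real log format): "date time proto src sport dst dport".
SAMPLE_LOG = """\
2003-09-05 10:01:12 tcp 203.0.113.7 4231 192.0.2.10 80
2003-09-05 10:01:13 tcp 203.0.113.7 4232 192.0.2.10 22
2003-09-05 10:02:40 tcp 198.51.100.23 51000 192.0.2.11 135
2003-09-05 10:03:05 udp 10.0.0.5 1234 192.0.2.10 161
2003-09-05 10:05:00 tcp 203.0.113.7 4233 192.0.2.12 443
2003-09-05 10:06:00 tcp 192.0.2.10 53 198.51.100.9 53
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (tcp|udp) (\S+) (\d+) (\S+) (\d+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Placeholder: addresses the honeypot answers on. Nothing legitimate connects to them.
HONEYPOT_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Sources never blocked: internal ranges and the honeypot itself. A spoofed
# source address must not be able to make the firewall block your own hosts.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")] + HONEYPOT_NETS
# Blocks expire: attackers move between addresses and dynamic IPs get reassigned.
BLOCK_TTL = timedelta(hours=24)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(3))
        dst = ipaddress.ip_address(m.group(5))
    except ValueError:  # malformed address in the log
        return None
    return {"ts": datetime.strptime(m.group(1), TIME_FMT), "proto": m.group(2),
            "src": src, "dst": dst, "dport": int(m.group(6))}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def build_blocklist(log_text):
    """One entry per hostile source: first/last seen, hit count, ports touched, expiry.

    A single connection to a honeypot address is enough to list the source (the
    "first sign of attack" policy); later hits only enrich the entry.
    """
    entries = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not _in_any(ev["dst"], HONEYPOT_NETS):
            continue  # not aimed at a honeypot address (e.g. the honeypot's own outbound traffic)
        if _in_any(ev["src"], NEVER_BLOCK):
            continue  # internal or honeypot source: never feed these to the firewall
        key = str(ev["src"])
        e = entries.setdefault(key, {"first_seen": ev["ts"], "last_seen": ev["ts"],
                                     "hits": 0, "ports": set()})
        e["hits"] += 1
        e["ports"].add(ev["dport"])
        e["first_seen"] = min(e["first_seen"], ev["ts"])
        e["last_seen"] = max(e["last_seen"], ev["ts"])
        e["expires"] = e["last_seen"] + BLOCK_TTL
    return entries


def active_blocks(blocklist, now):
    """Entries whose block has not yet expired at 'now' (a datetime or a TIME_FMT string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    return {ip: e for ip, e in blocklist.items() if e["expires"] > now}


def to_iptables(blocklist):
    """Render the list as iptables DROP rules; adapt the rule form to your own firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(blocklist, key=ipaddress.ip_address)]


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LOG)
    for ip, e in bl.items():
        print(ip, e["hits"], sorted(e["ports"]), "expires", e["expires"].strftime(TIME_FMT))
    print("\n".join(to_iptables(bl)))
```

Run against the constructed log, the script lists 203.0.113.7 (three hits, ports 22, 80 and 443) and 198.51.100.23 (one hit on 135), ignores the internal 10.0.0.5 probe and the honeypot's own outbound DNS query, and drops each rule again 24 hours after the source was last seen.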

-----Original Message-----
From: Kostas K [mailto:acezerocool () yahoo com]
Sent: Friday, September 05, 2003 5:20 AM
To: honeypots () securityfocus com
Subject: Usefulness of low-interaction honeypots.

Hi list,

I am currently working on a project. The project is divided into three
parts/experiments.
-Deployment of a low interaction honeypot
-Deployment of a high interaction honeypot
-Deployment of a honeynet
Most of you know the pros and cons of low-interaction honeypots.
I have finished with the first one and I have reached some
conclusions. Low risk, "low" results. Meaning that low-interaction
honeypots are in a way useless. The reason for saying that is even if you
are attacked you can't harvest enough data in order to understand
their 'modus operandi' (style of work, type of attack, etc.). Maybe you
get attackers' IP addresses but this is never enough, thus it's useless
too, because: Did it harm your system? No, how could it? It's a fake
service, it's a fake O/S etc. seems to be a reasonable answer!!! Since,
how can you accuse someone that did not harm your system?

From a homemade low-interaction honeypot to a commercial one, it is difficult to
harvest enough, hence there is a high possibility of being exposed to the
attacker. In case the attacker is aware of TCP/IP signatures and can work
with Snort or tcpdump then he/she will probably realise what's behind the
scenes.
It's really what they say, 'sit back and relax' while you are under
attack; however, there is nothing much you can do. This is the real
problem with low-interaction honeypots.

As soon as I finish with the second experiment I will post my opinion for
those as well. Besides, I am only expressing an opinion, nothing more!
Because it is a research-based project for my dissertation I read much
about honeypots and honeynets but I believe few. I am trying to discover
on my own what's going on. The only thing I can rely on is the way a
honeypot can be built, maintained and deployed, but again you can
improvise, which seems to be the best.


Regards

Kostas
