Honeypots mailing list archives

RE: Usefulness of low-interaction honeypots.


From: "John C. Silvia" <john () cadamier com>
Date: Sat, 6 Sep 2003 13:41:43 -0700

From a pure expense perspective, setting up a honeypot is not a minor
expense - the time spent configuring the machine is what costs and what
employers look at.  Time is not free.  Machines often are, thanks to
upgrades.

But consider that it takes MANY hours to set up a fully patched Windows
system - unless you're setting up the newest version of something (which is
rare) it takes at least 3 hours to set up a Windows box and patch it - and
that's assuming you have a fast machine and an idle T1 to download Windows
updates with.  Same goes with Red Hat and Debian distros too.  Older PCs
are slower too.  Preparing it to be a honeypot afterwards takes planning and
baseline profiling as well, and then you've got to set up some kind of
monitoring.  That's the time investment and that's the expense.

Agreed that there is little protection provided by a high interaction
honeypot, but they do provide intel on what people are trying or doing.  The
problem is that the benefits of this type of protection have less tangible
results than a low interaction device protecting the outside.

Also, a properly implemented low interaction honeypot will not block
everyone that talks to it - just those who connect to it under certain
circumstances.  If someone scans me, my LIH will respond to service scans
with a syn-ack - it's when I get a syn-ack back that I consider them
possibly hostile.  Of course, baiting them on a little further is always
good too - letting them see an Apache or WinNT IIS page is good, providing
them an FTP or telnet login is better - but if they try a directory
traversal or start doing anything more complex than getting the home page or
logging in, then I'll block them.

Your post subject was about the usefulness of LIH, and a compare/contrast of
what they do - I guess in this case it's somewhat clear - LIH is more suited
to proactive network defense while HIH are more suited to research and
learning techniques used in the wild.  Honeynets are useful to amplify the
results, good or bad.

-----Original Message-----
From: Kostas K [mailto:acezerocool () yahoo com]
Sent: Friday, September 05, 2003 3:16 PM
To: honeypots () securityfocus com
Subject: Re: Usefulness of low-interaction honeypots.


In-Reply-To: <BEEOJPBFHHPOAIGIPIADAEEDCFAA.john () cadamier com>

Hi,

It is not really a comparison; it is what each type offers. For instance, as
you mentioned, low-interaction honeypots are for identifying hostile IP
addresses. Yes, it does, but how can you be sure that it was the real
attacker who attacked you? And therefore you can't gather much
data, although this is not the main objective of low-interaction. In
addition, blocking IP addresses is not always a good way of facing
attackers; as I said, you may block someone when it is not his/her fault, and
if you are attacked by multiple hosts it is very annoying to block an
entire network block address. Do not forget that with passive
fingerprinting it is easy to understand whether the environment is real or fake.
Low-interaction honeypots, either research or production, have almost the same
objective: alert the administrator, scare away attackers. I agree where you
say that low-interaction can operate as a "firewall supplement".

Regarding high-interaction honeypots and not a honeynet, in my opinion it
is not so expensive, nor is the return on investment low, for 3 main reasons.
1- You can use an old machine that is no use at the company.
2- It does not always need a public IP address. You can place it in a way
that would help mitigate risk from LAN (since you mentioned that threats
are from the insiders mostly) and Internet.
3- Not much monitoring, hence the data captured are max. 1MB per day.

With high-interaction honeypots you are willing to learn more about the
attack and not the identity of the attacker. You are not trying to catch
attackers; this is neither the aim nor the objective.
Firewalls, IDSs (HBIDS or NBIDS), honeypots (low or high), routers with
the ability of good security aspects, etc. are needed in a company
(always depending on the size of it). The more weapons in your arsenal
the better. Most of the managers believe that since we are not getting
attacked, why should we invest in honeypots or anything else that will add
value to our security? This is wrong; threats are still out there, and
with the use of some security weapons we can manage to mitigate the risk.
All of the companies can use high or low interaction honeypots, research
or production according to their needs, but it's very difficult to set up
and maintain a honeynet. You need personnel and other resources; it is not
simple.

Nevertheless, honeypots and honeynets have still much to prove. We are at
the beginning of something new, and if we are careful enough we may improve our
networks' security.


Regards

Kostas


In my opinion, I think that comparing low interaction honeypots with high
interaction honeypots and then honeynets is in essence comparing two
different points of view in terms of security and interpretation of
collected data - Oranges Vs. Apples Vs. Pomegranates in this case.  Using
the right tool for your objective is important, but these tools have vastly
different objectives.

Low interaction honeypots are very useful for identifying hostile IP
addresses - while not gaining the deeper specifics about the attack, they do
provide you the ability to block a hostile IP address based upon the fact
that they connected to your honeypot at all.  By its function alone, this
type of honeypot is more suited to protect the Internet facing side of a
network.  Deploying this to block hostile IPs on the first sign of attack
is a good defense strategy for your network as attackers will have to take a
different approach on their attack or change IP addresses often.  In terms
of management costs, the "cost per blocked IP" of these solutions is very
low - on par with the cost of operating a firewall.  I like to think of low
interaction honeypots as a firewall supplement.  Honeyd is a good solution
but requires manual setup and tuning - for those looking for lowest "cost
per blocked IP" look at the ActiveScout.

High interaction honeypots are tuned to the capture of hostile activity
targeted at your network - a boon from the intelligence perspective, but
this is a decidedly different method of protection.  The return on
investment with this type of protection is lower than what most companies
can afford to spend these days - IDS management also suffers from this
problem as well.

From my understanding, most security breaches are inside jobs these days,
and if that's true, then in my opinion high interaction honeypots are
ideally suited to internal network protection.  Performance isn't measurable
by "cost per blocked IP" because it's trying to collect information and
identify trespassers and not just blindly protect your network.  There's
also the issue of whether or not what you gain is usable - if you let
outside traffic reach a high interaction honeypot, you may well gain some
new rootkit learning, but will you identify the attacker or even catch them?
Or have a chance at stopping them from coming back?  - Not likely on the
Internet.

Honeynets multiply the usefulness of any solution but if you're careless in
your high-interaction setup, a honeynet would likely multiply your
mistake(s), making it even easier for the attacker to realize that they're
in a honeypot.

For internal protection I think a high interaction honeypot is an investment
that every large company should build.  It can provide insight into who is
messing with things they shouldn't, and it provides protection against
inside hacks.

For external protection, a low interaction honeynet integrated with the
firewall can block more hostile activity than a firewall alone and it
requires much less time investment to setup and manage.
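As an added illustration, not code from anyone in this thread, the following sketch implements the connection-handling rule John describes in his reply: a low-interaction honeypot lets a source complete the handshake and fetch the bait home page or reach the login form, and only adds the source to the block list once it asks for something beyond that (a directory traversal, an unexpected path or method). The block list is then rendered as packet-filter rules, which is the "firewall supplement" integration both messages mention. The bait paths, the address book of events and the per-source bookkeeping are all constructed for this example; only the `iptables` command syntax is real.

```python
"""Decision logic of a low-interaction honeypot: bait first, block on escalation.

Constructed example. Sources that merely complete the TCP handshake, or that
stop at the home page / login form, are recorded but not blocked; anything
beyond the bait (traversal, other paths, unexpected methods) blocks the source.
"""
from urllib.parse import unquote

# Hypothetical bait surface: the only requests the decoy is willing to answer.
BAIT_GET_PATHS = {"/", "/index.html", "/login"}
BAIT_POST_PATHS = {"/login"}


def normalise_path(raw_target):
    """Strip the query string and undo (repeated) percent-encoding so that
    encoded or double-encoded traversal sequences are compared in plain form."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):                      # bounded: defeats %252e style double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")          # treat backslash separators like slashes


def classify_request(request_line):
    """Return 'bait' if the request stays inside the decoy's bait surface,
    'block' if it goes further (directory traversal or anything unexpected)."""
    parts = request_line.split()
    if len(parts) < 2:
        return "block"                      # malformed request line: not a browser fetching the bait
    method, target = parts[0].upper(), parts[1]
    path = normalise_path(target)
    if ".." in path.split("/"):
        return "block"                      # directory traversal attempt
    if method == "GET" and path in BAIT_GET_PATHS:
        return "bait"
    if method == "POST" and path in BAIT_POST_PATHS:
        return "bait"
    return "block"


class LowInteractionHoneypot:
    """Tracks which sources scanned, which took the bait, and which got blocked."""

    def __init__(self):
        self.scanned = set()    # completed a handshake (syn / syn-ack / ack)
        self.blocked = set()    # escalated beyond the bait
        self.events = []        # (source, what, verdict) audit trail

    def on_connect(self, src):
        # A scan alone is noted, never blocked: the decoy answers with a syn-ack.
        self.scanned.add(src)
        self.events.append((src, "connect", "watch"))

    def on_request(self, src, request_line):
        verdict = classify_request(request_line)
        self.events.append((src, request_line, verdict))
        if verdict == "block":
            self.blocked.add(src)
        return verdict

    def firewall_rules(self):
        # How the block list could feed a packet filter (iptables syntax is real;
        # the addresses come from the constructed events below).
        return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(self.blocked)]


# Constructed event stream (documentation-range addresses, not real observations).
SAMPLE_EVENTS = [
    ("198.51.100.7", "connect", None),
    ("198.51.100.7", "request", "GET / HTTP/1.1"),
    ("198.51.100.7", "request", "GET /index.html HTTP/1.1"),
    ("203.0.113.42", "connect", None),
    ("203.0.113.42", "request", "GET / HTTP/1.1"),
    ("203.0.113.42", "request", "GET /images/..%252f..%252fetc/passwd HTTP/1.0"),
    ("192.0.2.99", "connect", None),       # scanner: handshake only, never a request
    ("192.0.2.200", "request", "POST /login HTTP/1.1"),
    ("192.0.2.200", "request", "GET /admin/config HTTP/1.1"),
]


def run_demo(events=SAMPLE_EVENTS):
    """Replay the constructed events and return the populated honeypot state."""
    hp = LowInteractionHoneypot()
    for src, kind, payload in events:
        if kind == "connect":
            hp.on_connect(src)
        else:
            hp.on_request(src, payload)
    return hp


if __name__ == "__main__":
    state = run_demo()
    for src, what, verdict in state.events:
        print(f"{src:14} {verdict:6} {what}")
    print("\n".join(state.firewall_rules()))
```

Only `203.0.113.42` (traversal) and `192.0.2.200` (left the bait for `/admin/config`) end up in the block list; `192.0.2.99`, which only completed the handshake, and `198.51.100.7`, which only fetched the home page, stay in the watch set. The bounded decode loop in `normalise_path` is the part worth keeping if you adapt this: a single `unquote` would let a double-encoded `..` through the traversal check.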

