Honeypots mailing list archives
RE: Usefulness of low-interaction honeypots.
From: "John C. Silvia" <john () cadamier com>
Date: Sat, 6 Sep 2003 13:41:43 -0700
From a pure expense perspective, setting up a honeypot is not a minor expense - the time spent configuring the machine is what costs and what employers look at. Time is not free. Machines often are, thanks to upgrades. But consider that it takes MANY hours to set up a fully patched Windows system - unless you're setting up the newest version of something (which is rare), it takes at least 3 hours to set up a Windows box and patch it - and that's assuming you have a fast machine and an idle T1 to download Windows updates with. Same goes for Red Hat and Debian distros too. Older PCs are slower too. Preparing it to be a honeypot afterwards takes planning and baseline profiling as well, and then you've got to set up some kind of monitoring. That's the time investment and that's the expense.

Agreed that there is little protection provided by a high interaction honeypot, but they do provide intel on what people are trying or doing. The problem is that the benefits of this type of protection have less tangible results than a low interaction device protecting the outside. Also, a properly implemented low interaction honeypot will not block everyone that talks to it - just those who connect to it under certain circumstances. If someone scans me, my LIH will respond to service scans with a syn-ack - it's when I get a syn-ack back that I consider them possibly hostile. Of course, baiting them on a little further is always good too - letting them see an Apache or WinNT IIS page is good, providing them an FTP or telnet login is better - but if they try a directory traversal or start doing anything more complex than getting the home page or logging in, then I'll block them.

Your post subject was about the usefulness of LIH, and a compare/contrast of what they do - I guess in this case it's somewhat clear - LIH is more suited to proactive network defense while HIH are more suited to research and learning techniques used in the wild. Honeynets are useful to amplify the results, good or bad.
-----Original Message-----
From: Kostas K [mailto:acezerocool () yahoo com]
Sent: Friday, September 05, 2003 3:16 PM
To: honeypots () securityfocus com
Subject: Re: Usefulness of low-interaction honeypots.
In-Reply-To: <BEEOJPBFHHPOAIGIPIADAEEDCFAA.john () cadamier com>

Hi,

It is not really a comparison; it is what each type offers. For instance, as you mentioned, low-interaction honeypots are for identifying hostile IP addresses. Yes, they do, but how can you be sure that it was the real attacker who attacked you? Therefore you can't gather much data, although this is not the main objective of low-interaction. In addition, blocking IP addresses is not always a good way of facing attackers; as I said, you may block someone when it is not his/her fault, and if you are attacked by multiple hosts it is very annoying to block an entire network address block. Do not forget that with passive fingerprinting it is easy to understand if the environment is real or fake. Low interaction, either research or production, have almost the same objective: alert the administrator, scare away attackers. I agree where you say that low-interaction can operate as "a firewall supplement".

Regarding high-interaction honeypots (and not a honeynet), in my opinion it is not so expensive or the return on investment low, for 3 main reasons.
1- You can use an old machine that is of no use to the company.
2- It does not always need a public IP address. You can place it in a way that would help mitigate risk from the LAN (since you mentioned that threats are mostly from insiders) and the Internet.
3- Not much monitoring, hence the data captured are max. 1MB per day.

With high-interaction honeypots you are willing to learn more about the attack and not the identity of the attacker. You are not trying to catch attackers; this is neither the aim nor the objective. Firewalls, IDSs (HBIDS or NBIDS), honeypots (low or high), routers with good security capabilities, etc. are needed in a company (always depending on the size of it). The more weapons in your arsenal the better. Most managers believe that since we are not getting attacked, why should we invest in honeypots or anything else that will add value to our security? This is wrong; threats are still out there, and with the use of some security weapons we can manage to mitigate the risk. All companies can use high or low interaction honeypots, research or production, according to their needs, but it's very difficult to set up and maintain a honeynet. You need personnel and other resources; it is not simple. Nevertheless, honeypots and honeynets still have much to prove. We are at the beginning of something new, and if we are careful enough we may improve our networks' security.

Regards
Kostas

In my opinion, I think that comparing low interaction honeypots with high interaction honeypots and then honeynets is in essence comparing two different points of view in terms of security and interpretation of collected data - Oranges vs. Apples vs. Pomegranates in this case. Using the right tool for your objective is important, but these tools have vastly different objectives. Low interaction honeypots are very useful for identifying hostile IP addresses - while not gaining the deeper specifics about the attack, they do provide you the ability to block a hostile IP address based upon the fact that they connected to your honeypot at all. By its function alone, this type of honeypot is more suited to protect the Internet-facing side of a network. Deploying this to block hostile IPs on the first sign of attack is a good defense strategy for your network, as attackers will have to take a different approach on their attack or change IP addresses often. In terms of management costs, the "cost per blocked IP" of these solutions is very low - on par with the cost of operating a firewall. I like to think of low interaction honeypots as a firewall supplement. Honeyd is a good solution but requires manual setup and tuning - for those looking for the lowest "cost per blocked IP", look at the ActiveScout.

High interaction honeypots are tuned to the capture of hostile activity targeted at your network - a boon from the intelligence perspective, but this is a decidedly different method of protection. The return on investment with this type of protection is lower than what most companies can afford to spend these days - IDS management suffers from this problem as well.

From my understanding, most security breaches are inside jobs these days, and if that's true, then in my opinion high interaction honeypots are ideally suited to internal network protection. Performance isn't measurable by "cost per blocked IP" because it's trying to collect information and identify trespassers and not just blindly protect your network. There's also the issue of whether or not what you gain is usable - if you let outside traffic reach a high interaction honeypot, you may well gain some new rootkit learning, but will you identify the attacker or even catch them? Or have a chance at stopping them from coming back? Not likely on the Internet. Honeynets multiply the usefulness of any solution, but if you're careless in your high-interaction setup, a honeynet would likely multiply your mistake(s), making it even easier for the attacker to realize that they're in a honeypot. For internal protection I think a high interaction honeypot is an investment that every large company should build. It can provide insight into who is messing with things they shouldn't, and it provides protection against inside hacks.

For external protection, a low interaction honeynet integrated with the firewall can block more hostile activity than a firewall alone, and it requires much less time investment to set up and manage.
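The tiered response John describes for a low-interaction honeypot (answer the scan, serve a bait page or login, block only on directory traversal or anything beyond the baseline), turned into detection logic as an added example written for this page, not code from the thread or from Honeyd or ActiveScout. The event records, IP addresses, baseline request set and function names are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample events (not real traffic): (source_ip, service, detail).
# 'detail' is the HTTP request line, the FTP command, or "" for a bare TCP connect.
EVENTS = [
    ("198.51.100.7",  "tcp",  ""),                             # port scan hit only
    ("198.51.100.9",  "http", "GET / HTTP/1.0"),               # fetched the bait page
    ("203.0.113.5",   "ftp",  "USER anonymous"),               # took the login bait
    ("203.0.113.5",   "ftp",  "PASS guest@"),
    ("203.0.113.5",   "http", "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0"),  # traversal
    ("203.0.113.77",  "http", "POST /cgi-bin/form HTTP/1.0"),  # beyond "get the home page"
]

# ".." as a whole path component, checked after URL-decoding so %2e%2e is caught too.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Requests that count as merely "getting the home page" (assumed baseline).
BASELINE_HTTP = {"GET / HTTP/1.0", "GET / HTTP/1.1", "GET /index.html HTTP/1.0"}
LEVELS = ["scan", "suspect", "block"]   # escalation order

def classify_event(service, detail):
    """Escalation level a single honeypot event earns under the policy."""
    if service == "tcp" or not detail:
        return "scan"                      # answered the scan, logged, not blocked
    if service == "http":
        if TRAVERSAL.search(unquote(unquote(detail))):
            return "block"
        return "scan" if detail in BASELINE_HTTP else "block"
    if service in ("ftp", "telnet"):
        verb = detail.split()[0].upper()
        return "suspect" if verb in ("USER", "PASS", "LOGIN") else "block"
    return "block"                         # unknown service: anything else is hostile

def decide(events):
    """Highest level each source IP reached across all of its events."""
    worst = defaultdict(lambda: "scan")
    for ip, service, detail in events:
        lvl = classify_event(service, detail)
        if LEVELS.index(lvl) > LEVELS.index(worst[ip]):
            worst[ip] = lvl
    return dict(worst)

def firewall_blocklist(events):
    """Source IPs the honeypot hands to the firewall to drop (the 'supplement' role)."""
    return sorted(ip for ip, lvl in decide(events).items() if lvl == "block")
```

Only two of the four constructed sources end up on the blocklist; the scanner and the visitor who fetched the home page are logged but left alone, which is the selectivity the policy is after.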