Honeypots mailing list archives

RE: tiered or tuned honeynets


From: <Glenn_Everhart () bankone com>
Date: Tue, 1 Jul 2003 16:38:36 -0400

One more bit I should mention about the system described below.
I finished implementing it in 1995 and described the technology at
public events starting around then. It was published freely around
1998 when I gave up on the idea of selling it. I don't recall the
exact date but can find it on records of the publication, with the
documents and the code. I consider the idea to be in the public domain
now, though it is possible someone might try to patent it after the
fact. Unless such patent was applied for over 8 years back, it is
preceded by my publications of the technology. I published so that
folks could use the ideas.

Glenn Everhart


-----Original Message-----
From: Everhart, Glenn (Card Services) 
Sent: Tuesday, July 01, 2003 4:04 PM
To: MaxK () symresources com; honeypots () securityfocus com
Subject: RE: tiered or tuned honeynets


This concept could perhaps fool attackers, but wherever I've tried to implement
"deep" deception sites, they became difficult to maintain as believable ones.
The old adage "Oh, what a tangled web we weave, when first we practice to deceive."
applies.

A system I developed some time ago allows an interesting variation, though. The
software has a "data hiding" facility that will do extended access checks in
deciding whether someone should be able to access a dataset. This can include
things like source location and time, user, program being used to access the
data, whether the accessing process has a password to the dataset, or some
other characteristics. One of the options in case access to the dataset is to
be denied is that the system can, invisibly, open a separate and different
dataset instead of the one the intruder thinks he is opening, and present
that to him. This occurs basically instantly...the delay is much smaller than
the normal open time...and the alternate dataset then gets accessed as though
it had been the original.

This in effect hides the real valuable data, but also can provide decoy data
to fascinate the intruder. The attractive feature of such a system is that
it can be set to protect the valuable data on a box while leaving all the
real trappings around. Sometimes, after all, your attackers are not from outside
but may be internal spies. It does not keep random people off your real boxes
totally, but can make their lives interesting. I should add that one of the
other characteristics my system allows is to recognize when someone has too
many privileges, so that someone with excess privileges may be discriminated
against. (This is the opposite of the usual behavior, but someone who breaks
into a box is likely to want to be exploring it with super privs active, where
normally this would never occur. It can be a good discriminator.)

The code is described further over at http://users.rcn.com/gce if anyone's
interested. It is freely available now.

This is a sometimes useful substitute for a totally separate network of honeypots
and might be beneficial where someone finds part of your real network.

Glenn C. Everhart
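One way to model the open-time hook Glenn describes above: an added example in Python, not Glenn's code and not the software at the URL he gives. It assumes the hook can see the caller's user, source address, program image, time of day, enabled privileges and any dataset password; the paths, users, addresses and privilege names are all constructed for illustration. On any failed check it hands back the decoy path instead of the real one, and the excess-privilege check is deliberately inverted so that a caller running with more privileges than the dataset's users ever need is treated as suspect.

```python
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OpenRequest:
    """What the open() hook is assumed to know about the caller."""
    path: str
    user: str
    source: str                      # address of the session issuing the open
    program: str                     # image name of the accessing process
    hour: int                        # local hour of day, 0-23
    privileges: frozenset            # privilege names currently enabled
    password: Optional[str] = None   # dataset password presented, if any


@dataclass(frozen=True)
class Rule:
    """Extended access checks for one protected dataset."""
    decoy: str                       # dataset quietly substituted on denial
    users: frozenset
    networks: tuple                  # ip_network objects the open may come from
    programs: frozenset
    hours: frozenset                 # permitted local hours
    password: Optional[str]          # None: no dataset password required
    max_privileges: int              # more enabled privileges than this is suspect


def failed_checks(rule: Rule, req: OpenRequest) -> List[str]:
    """Names of every check the request fails; empty means grant the real data."""
    fails = []
    if req.user not in rule.users:
        fails.append("user")
    if not any(ip_address(req.source) in net for net in rule.networks):
        fails.append("source")
    if req.program not in rule.programs:
        fails.append("program")
    if req.hour not in rule.hours:
        fails.append("time")
    if rule.password is not None and not hmac.compare_digest(req.password or "", rule.password):
        fails.append("password")
    # Inverted from the usual check: too many enabled privileges counts against
    # the caller, because a legitimate user of this dataset never needs them all.
    if len(req.privileges) > rule.max_privileges:
        fails.append("excess-privileges")
    return fails


def resolve_open(policy: Dict[str, Rule], req: OpenRequest) -> Tuple[str, List[str]]:
    """Path the caller actually gets, plus audit reasons (empty for the real dataset)."""
    rule = policy.get(req.path)
    if rule is None:
        return req.path, []           # unprotected dataset: ordinary open
    fails = failed_checks(rule, req)
    if fails:
        return rule.decoy, fails      # caller gets the decoy and is not told
    return req.path, []


# Constructed sample policy: paths, users, network and privilege names are made up.
POLICY = {
    "/data/cardholder/accounts.db": Rule(
        decoy="/data/decoys/accounts_plausible.db",
        users=frozenset({"clerk1", "clerk2"}),
        networks=(ip_network("10.1.0.0/16"),),
        programs=frozenset({"acctapp"}),
        hours=frozenset(range(8, 19)),
        password="s3cret-dataset-pw",
        max_privileges=2,
    ),
}

# Constructed requests: a clerk doing normal work, an intruder using the clerk's
# account from outside at 3am with every privilege turned on, and an open of a
# dataset the policy does not cover.
LEGIT = OpenRequest("/data/cardholder/accounts.db", "clerk1", "10.1.4.7", "acctapp", 10,
                    frozenset({"NETMBX", "TMPMBX"}), "s3cret-dataset-pw")
INTRUDER = OpenRequest("/data/cardholder/accounts.db", "clerk1", "192.0.2.5", "sh", 3,
                       frozenset({"NETMBX", "TMPMBX", "SYSPRV", "BYPASS", "CMKRNL"}), None)
UNPROTECTED = OpenRequest("/tmp/scratch.log", "anyone", "192.0.2.5", "sh", 3, frozenset(), None)

if __name__ == "__main__":
    for req in (LEGIT, INTRUDER, UNPROTECTED):
        path, why = resolve_open(POLICY, req)
        status = "ALERT " + ",".join(why) if why else "ok"
        print(f"{req.user}@{req.source} {req.path} -> {path}  {status}")
```

The reasons list is what you would write to the audit log; the caller only ever sees the returned path, so the decoy open looks identical to a real one from its side.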


-----Original Message-----
From: Max Kilger [mailto:MaxK () symresources com]
Sent: Tuesday, July 01, 2003 2:07 PM
To: 'honeypots () securityfocus com'
Subject: tiered or tuned honeynets


Someone mentioned trying to find out more about the concept of tiered or
tuned honeynets.  Since I'm the one who coined the term "tuned honeynet"
I'll try to elucidate just a bit.

Traditionally when people have discussed creating honeynets with substantive
content they have focused on one particular, single theme - for example
putting up an ecommerce server with the honeynet to look for carders.  The
basic idea behind a tuned honeynet is to develop a honeynet or honeynets
where you create an ecosystem of different types of cascading, serially
discovered potential targets (ecommerce, technical database, email server,
server with military-related files) and by encouraging the attacker to
explore these differentially themed honeypots in a serial mode you can
attract/repel them into differentially motivated bins (e.g. honeypots) - sort
of like a sieve...

I'm purposely being a bit vague here but you should get the general
principle...

Cheers,

Max Kilger, Ph.D.
Social Psychologist
Honeynet Project

