Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Valdis.Kletnieks () vt edu
Date: Mon, 21 Jun 2004 19:39:42 -0400

On Sun, 20 Jun 2004 11:13:16 PDT, Harlan Carvey said:
> The HUP really doesn't have anything to do with
> altering an attack.  What I'm looking at is...if
> someone knows that honeypots are out there, are they
> going to try using their 0-day attacks, unless they
> are relatively sure that a honeypot is not on the
> network?

It's probably fairly safe to assume that if they're enough out of the
ankle-biter stage to have laid hands on an actual 0-day, they've got enough
smarts to do some reconnaissance of their target.  So expect a more tailored
attack - first some NON 0-days against what appear to be desktop boxes (and
hope the site hasn't patched) to establish a beachhead, and then figure out
which boxes are the real target.  As a result, you probably won't see a 0-day
on your honeypot unless it's realistic enough to fool somebody (and at that
point, you probably need to worry about it attracting false-positive hits from
your own confused users...)

Consider that we're seeing worm probes on the order of "every machine on the
net gets probed every few minutes" - but the number of times that honeypots
have actually nailed a zero-day is low enough that we can cite the papers they
result in (like Lance's "Know Your Enemy"...), I have to conclude that the
honeypots are only nailing black hats when they're tired/distracted/sloppy...

Of course, that's just my opinion, and I could be even more full of manure than
usual... ;)
