Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Mon, 21 Jun 2004 15:10:50 -0700

* Harlan Carvey (keydet89 () yahoo com) wrote:
It is an interesting mental exercise, and I have a
dual response:

        0. I do not see how HUP applies to Honeypots/Honeynets. How do you
alter an attack by capturing/observing it in realtime or at a later time
using Honeypots?

The HUP really doesn't have anything to do with
altering an attack.  What I'm looking at is...if
someone knows that honeypots are out there, are they
going to try using their 0-day attacks, unless they
are relatively sure that a honeypot is not on the
network?
IMHO, there are various kinds of targets
1) Unprotected targets
2) Protected targets, no surveillance.
3) Protected targets, with surveillance.
4) Honeypots a.k.a. "protected" "targets" with surveillance.

#1 and #2 are ideal targets, cos without surveillance, the attacker does
not show his/her cards i.e. the 0-day exploit details remain a secret.

An exploit known only to oneself has a far higher value as compared to
one known to others.

Now, from the point of view of an attacker, #3 and #4 are identical in terms
of loss of stealth coverage, cos the exploit details are being recorded
for further study.

#3 and #4 both represent a loss of equal magnitude to an attacker, and hence
there is no rationale for an attacker to separate one from the other. That
would only be wasted energy without any useful payback. Moreover, since most
attacks would be automated, in order to net as many zombies as possible, the
opportunity to weed out honeypots by hand is probably not present or usable.

On the other hand, if the attacker could automatically avoid all systems with
*surveillance*, then THAT effort has a huge payback i.e. continued
secrecy of the details of the 0-day exploit.

Executive Summary :D
--------------------
Only the surveillance aspect is important to an attacker.

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.
