Honeypots mailing list archives
Re: Heisenberg in the honeypot
From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 22 Jun 2004 09:58:31 -0700 (PDT)
> Maybe I'm entirely missing the point of honeypots/honeynets, but isn't a successful implementation meant to be transparent to an outside hacker?
You're right...that's the case. However, there are advertised honeypots...many folks are aware of the HoneyNet project. Also, I've received more than one email (directly, not to the list) from individuals stating that they have honeypots that (essentially) aren't configured properly. Meant to be transparent, yes...but firewalls, IDS, and anti-virus software are meant to do certain things, too...things they can't do if they're not configured and maintained properly.
> If this is the case, in truth any hacker could never possibly know if he/she/it is in a honeypot or on a legitimate business host.
At this point, I really think we're getting into semantics, which is something I want to avoid. Suffice to say, if I were to discover a unique exploit or technique, and I had malicious intent, I would avoid using that technique on networks/targets that I was not relatively sure did NOT have well-managed and well-maintained honeypots.
> While it's true that no security system can ever truly be complete, honeypots present for beleaguered system administrators an opportunity to witness attack vectors in situ and allow them the ability to recognize these attacks
Again, we're getting into semantics, but I have to ask...if the sysadmin is "beleaguered" as you describe, then how can that sysadmin be expected to properly manage a honeypot, and then understand what it's telling him? To me, "beleaguered" refers to over-tasked, under-trained admins who can't monitor even just their critical systems on a regular basis, let alone set up and manage an entirely new system.
> It seems, to me at least, that while observation may in fact change the event in some way, it is no less worthwhile to witness the methods that attackers may use to infiltrate personal or company systems so as to be better prepared to deal with those attacks should they come.
I agree with you, to some extent. However, I'm not entirely sure I see how useful a honeypot is if admins don't know (for example) what failed login attempts look like in the Windows Security Event Log. But that's not really my point.

What I'm asking pertains more to zero-days...I've got something entirely new, not just a variation on something that's already been done. If I truly intend to target an organization with the intent of using my exploit to gain access to information, I (personally) would want to do so with some reasonable assurance I wouldn't get caught...reduce the risk. A disgruntled employee might use a 0-day against a former employer...having knowledge of the infrastructure. There are plenty of non-technical means of getting information that would lead you to believe (with a reasonable level of certainty) what the level of security (devices in place, knowledge level of the staff, etc.) of the target is.

Another way of putting it is this...we see widespread attacks by automated worms all the time, right? A vulnerability is announced/described and at some point, a worm (or some other exploit) appears...right? By definition, that's not a zero-day...the vulnerability has already been announced, and in many cases, a patch (or some other mitigation mechanism) has already been provided. In a lot of cases, we'll see announcements of new worms, but that new worm takes advantage of already-patched vulnerabilities (Code Red, etc.).

Now, go back to my original post..."what kind of things are we really seeing in the honeypots?" Are 0-days being detected?