Honeypots mailing list archives
Re: Minefields
From: MrDemeanour <mrdemeanour () jackpot uk net>
Date: Wed, 23 Jun 2004 10:20:45 +0100
Lance Spitzner wrote:
> The problem with that is most individuals cannot deploy honeypots of perceived high value; usually only organizations can. I personally can create a honeypot that appears to be a TopSecret R&D server for the latest encryption, or build an online banking system, however how long will that perception last when it's sitting off dsl.speakeasy.net?
However many people within organisations now work from home on DSL connections. This applies to R&D types as well; many people in my organisation use Microsoft PPTP from home to connect to CVS and VSS source-code repositories, database servers and even to systems related to accounting systems, such as CRM and order-tracking systems. I'm sure we aren't unique; not everyone connecting from home is just checking their Exchange email. (I understand that we will shortly be obsoleting MS PPTP in favour of a more secure tunneling technology!)
> I feel that some of the best opportunities for honeypots to capture advanced threats are honeypots not deployed by individuals, but by organizations.
Well, suppose I'm in an organisation, but I work from home. Since my internet connection is probably protected by nothing better than a domestic-grade firewall - perhaps a NAT router, perhaps just ZoneAlarm - it amounts to "low-hanging fruit". Once inside my home network, it would fairly quickly become apparent whether my systems are capable of connecting to corporate resources - the presence of multiple PPTP connectoids, specialised client programs, the very fact that there's a network behind the firewall, rather than a single games machine. Such a home network has other properties that would make it hard to discriminate a honeypot. It would be unusual for other corporate users to rely on servers located in a home DSL network accessible only via a tunnel, so you wouldn't expect to see "typical" corporate-type user traffic; you probably wouldn't see that much network-level traffic either, if the corporate sysadmins have done the right thing, and blocked most of that kind of traffic from propagating through the tunnels.
> This brings me to my third (and final) thought. In reference to detection, I highly doubt we will ever create a honeypot that is impossible to detect. Attackers that have the skills or tools, and are looking, will eventually fingerprint your honeypot. The key to the game is to make the honeypot hard enough to detect, so when the bad guy does detect it, it's too late for them.
See my earlier comment - surely *any* system can be a honeypot, if the admin expects it to be attacked, and has a plan for analysing the attack after the fact? Not all honeypots are running specialised honeypot software, and not all honeypots have a fingerprint.

-- Jack.
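An added illustration of the closing point (this is editor-supplied example code, not anything posted by Jack, Lance or the list): an ordinary host becomes a honeypot simply by listening silently on a port it has no business serving and recording who connects and what they say first. Nothing is sent back, so there is no banner or timing quirk to fingerprint. The lure port is assumed to be 1723 (PPTP, the tunnel the post mentions), but the listener binds to whatever port it is given so it can run anywhere; the PPTP check relies only on the documented control-message header (length, message type, magic cookie 0x1A2B3C4D). The `SilentListener`, `probe` and `looks_like_pptp` names are invented for this example.

```python
import socket
import threading
from datetime import datetime, timezone

# Assumed lure port: the PPTP control channel discussed in the thread.
# Any other unused port works the same way; bind to 0 to let the OS pick one.
PPTP_PORT = 1723
PPTP_MAGIC_COOKIE = 0x1A2B3C4D  # fixed field in every PPTP control message


def looks_like_pptp(first_bytes: bytes) -> bool:
    """True if the first bytes carry the PPTP control-message magic cookie.

    Header layout: length (2), message type (2), magic cookie (4), ctrl type (2).
    A prober that speaks PPTP on first contact knows what it is looking for;
    a generic scanner or HTTP probe does not.
    """
    if len(first_bytes) < 8:
        return False
    return int.from_bytes(first_bytes[4:8], "big") == PPTP_MAGIC_COOKIE


def _record(conn: socket.socket, addr, log: list) -> dict:
    """Log time, source and the opening bytes of one connection, then drop it."""
    conn.settimeout(2.0)
    first = b""
    try:
        first = conn.recv(1024)
    except (socket.timeout, OSError):
        pass
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": f"{addr[0]}:{addr[1]}",
        "first_bytes": first[:64].hex(),
        "spoke_pptp": looks_like_pptp(first),
    }
    log.append(entry)          # record before closing so the log is complete
    conn.close()               # never answer: nothing for the attacker to fingerprint
    return entry


class SilentListener:
    """Accept connections on one port, log them, send nothing back."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)              # lets the serve loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.log: list = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "SilentListener":
        self._thread.start()
        return self

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            _record(conn, addr, self.log)

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port: int, payload: bytes = b"", host: str = "127.0.0.1") -> bytes:
    """Play the attacker: connect, send a payload, return whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=2.0) as s:
            if payload:
                s.sendall(payload)
            s.settimeout(0.5)
            return s.recv(64)   # b"" on EOF: the honeypot never answers
    except (socket.timeout, OSError):
        return b""


if __name__ == "__main__":
    # Constructed demo: a PPTP Start-Control-Connection-Request header,
    # then an HTTP probe, against a listener on an ephemeral local port.
    listener = SilentListener().start()
    sccrq_header = bytes.fromhex("009c0001" "1a2b3c4d" "0001")
    probe(listener.port, sccrq_header)
    probe(listener.port, b"GET / HTTP/1.0\r\n\r\n")
    listener.stop()
    for entry in listener.log:
        print(entry)
```

Run it with the port changed to `PPTP_PORT` on a host that has no reason to serve PPTP, and the log becomes the after-the-fact evidence the post asks for: every connection is suspicious, and `spoke_pptp` separates a scanner that merely found an open port from someone who arrived knowing what they expected to find there.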