Honeypots mailing list archives

Re: Minefields


From: MrDemeanour <mrdemeanour () jackpot uk net>
Date: Wed, 23 Jun 2004 10:20:45 +0100

Lance Spitzner wrote:

> The problem with that is most individuals cannot deploy honeypots of
> perceived high value, usually only organizations can.  I personally
> can create a honeypot that appears to be a TopSecret R&D server for
> the latest encryption, or build an online banking system, however how
> long will that perception last when it's sitting off
> dsl.speakeasy.net?

However many people within organisations now work from home on DSL
connections. This applies to R&D types as well; many people in my
organisation use Microsoft PPTP from home to connect to CVS and VSS
source-code repositories, database servers and even to systems related
to accounting systems, such as CRM and order-tracking systems. I'm sure
we aren't unique; not everyone connecting from home is just checking
their Exchange email.

(I understand that we will shortly be obsoleting MS PPTP in favour of a
more secure tunneling technology!)

> I feel that some of the best opportunities for honeypots to capture
> advanced threats are honeypots not deployed by individuals, but by
> organizations.

Well, suppose I'm in an organisation, but I work from home. Since my
internet connection is probably protected by nothing better than a
domestic-grade firewall - perhaps a NAT router, perhaps just ZoneAlarm -
it amounts to "low-hanging fruit". Once inside my home network, it would
fairly quickly become apparent whether my systems are capable of
connecting to corporate resources - the presence of multiple PPTP
connectoids, specialised client programs, the very fact that there's a
network behind the firewall, rather than a single games machine.

Such a home network has other properties that would make it hard to
discriminate a honeypot. It would be unusual for other corporate users
to rely on servers located in a home DSL network accessible only via a
tunnel, so you wouldn't expect to see "typical" corporate-type user
traffic; you probably wouldn't see that much network-level traffic
either, if the corporate sysadmins have done the right thing, and
blocked most of that kind of traffic from propagating through the tunnels.

> This brings me to my third (and final) thought. In reference to
> detection, I highly doubt we will ever create a honeypot that is
> impossible to detect. Attackers that have the skills or tools, and
> are looking, will eventually fingerprint your honeypot.  The key to
> the game is to make the honeypot hard enough to detect, so when the
> bad guy does detect it, it's too late for them.

See my earlier comment - surely *any* system can be a honeypot, if the
admin expects it to be attacked, and has a plan for analysing the attack
after the fact? Not all honeypots are running specialised honeypot
software, and not all honeypots have a fingerprint.

--
Jack.

