Honeypots mailing list archives
Re: Minefields
From: H Carvey <keydet89 () yahoo com>
Date: 23 Jun 2004 11:48:06 -0000
In-Reply-To: <D623E4CC-C4C9-11D8-98F3-000A95B25656 () honeynet org>

Lance,
> First, I have noticed the point raised on how many 0-day exploits honeypots have captured; the number is most likely limited.
Given your credibility with being involved with (to say the least) honeypots, I think this is an important statement. I think you've addressed my "Heisenberg" question fairly well. The original thread, while interesting, was full of far too many "whatifs" and tangential "arguments", many based on misconceptions.
> I personally can create a honeypot that appears to be a Top Secret R&D server for the latest encryption, or build an online banking system; however, how long will that perception last when it's sitting off dsl.speakeasy.net?
WRT building a honeypot...Cliff Stoll did it easily. But you're absolutely right with regards to where it "sits". I think that it's also important to point out that while organizations *can* deploy honeypots, this doesn't mean that they *do*. The IT industry at large is still subject to market influences, meaning that we've still got IT depts that are understaffed, undertrained, and overtasked. Given this...who has time to run a honeypot? Honeypots need to be planned for, and set up and managed properly...otherwise, they provide a doorway into a network, similar to a misconfigured WAP, rather than protecting it.
> Second, Valdis brings up a very interesting point here. But I'm going to counter that his analogy can actually help capture advanced threats. In mechanized warfare, minefields in general are NOT used to stop an enemy, but to channel that enemy into a killing zone (*Lance dusts off old tank manual* :).
I responded directly to Valdis using the term "channelize"...parts of those FMs are indelibly burned into my brain housing group. I'm dating myself here, but commanders could plan/map minefields, or call in FASCAM from the artillery to cover an area. Mechanized forces would be forced to alter their route of march, or at the very least be slowed enough to be picked off w/ TOWs and other ordnance. But I think the issue is more that in the digital realm, many analogies just don't work. ;-) Valdis mentioned minefields, and minefields aren't used to detect an attack; rather, the commander has advance knowledge (from studying the terrain, etc.) and is attempting to influence the route of his enemy's advance.
> This brings me to my third (and final) thought. In reference to detection, I highly doubt we will ever create a honeypot that is impossible to detect. Attackers that have the skills or tools, and are looking, will eventually fingerprint your honeypot. The key to the game is to make the honeypot hard enough to detect, so that when the bad guy does detect it, it's too late for them.
Or perhaps attackers are relying on other, less technical means of identifying high-value targets.

Harlan
Current thread:
- Re: Minefields H Carvey (Jun 23)
- Re: Minefields Sylvain P . Leblanc (Jun 23)
- RE: Minefields David LeBlanc (Jun 27)