Honeypots mailing list archives

Re: Minefields


From: H Carvey <keydet89 () yahoo com>
Date: 23 Jun 2004 11:48:06 -0000

In-Reply-To: <D623E4CC-C4C9-11D8-98F3-000A95B25656 () honeynet org>

Lance, 

First, I have noticed the point raised on how many 0-day exploits honeypots have captured; the number is most likely limited.

Given your credibility with being involved with (to say the least) honeypots, I think this is an important statement.  
I think you've addressed my "Heisenberg" question fairly well.

The original thread, while interesting, was full of far too many "whatifs" and tangential "arguments", many based on 
misconceptions.

I personally can create a honeypot that appears to be a TopSecret R&D server for the latest encryption, or build an online banking system; however, how long will that perception last when it's sitting off dsl.speakeasy.net?

WRT building a honeypot...Cliff Stoll did it easily.  But you're absolutely right, with regards to where it "sits".  

I think that it's also important to point out that while organizations *can* deploy honeypots, this doesn't mean that 
they *do*.  The IT industry at large is still subject to market influences, meaning that we've still got IT depts that 
are understaffed, undertrained, and overtasked.  Given this...who has time to run a honeypot?  Honeypots need to be 
planned for, and set up and managed properly...otherwise, they provide a doorway into a network, similar to a 
misconfigured WAP, rather than protecting it.

Second, Valdis brings up a very interesting point here.  But, I'm going to counter that his analogy can actually help capture advanced threats.  In mechanized warfare, minefields in general are NOT used to stop an enemy, but channel that enemy into a killing zone (*Lance dusts off old Tank manual* :).  

I responded directly to Valdis using the term "channelize"...parts of those FMs are indelibly burned into my brain 
housing group.  I'm dating myself here, but commanders could plan/map minefields, or call in FASCAM from the artillery 
to cover an area.  Mechanized forces would be forced to alter their route of march, or at the very least be slowed 
enough to be picked off w/ TOWs and other ordnance.

But I think the issue is more that in the digital realm, many analogies just don't work.  ;-)  Valdis mentioned 
minefields, and minefields aren't used to detect an attack, but rather the commander has advanced knowledge (by 
studying the terrain, etc) and is attempting to influence the route of his enemy's advance.

This brings me to my third (and final) thought.  In reference to detection, I highly doubt we will ever create a honeypot that is impossible to detect.  Attackers that have the skills or tools, and are looking, will eventually fingerprint your honeypot.  The key to the game is to make the honeypot hard enough to detect, so when the bad guy does detect it, it's too late for them.

Or perhaps attackers are relying on other, less technical means of identifying high value targets.

Harlan
