Honeypots mailing list archives

Re: Minefields


From: Sylvain P.Leblanc <Sylvain.Leblanc () rmc ca>
Date: 23 Jun 2004 15:02:09 -0000

In-Reply-To: <20040623114806.21270.qmail () www securityfocus com>


I responded directly to Valdis using the term "channelize"...parts of those FMs are indelibly burned into my brain 
housing group.  I'm dating myself here, but commanders could plan/map minefields, or call in FASCAM from the artillery 
to cover an area.  Mechanized forces would be forced to alter their route of march, or at the very least be slowed 
enough to be picked off w/ TOWs and other ordnance.

But I think the issue is more that in the digital realm, many analogies just don't work.  ;-)  Valdis mentioned 
minefields, and minefields aren't used to detect an attack, but rather the commander has advanced knowledge (by 
studying the terrain, etc) and is attempting to influence the route of his enemy's advance.

I like the minefield analogy, but then again I'm a Signals officer so
you should expect as much. I absolutely agree that you have to study
the situation (terrain [read network topology], adversary's intent, and
your own lucrative assets) to decide where the minefield will be of
value; but you also have to decide what you will do with it. We use
minefields (or any other obstacles) for a combination of four purposes:
Block, Turn, Fix, or Disrupt.

You Block when you can completely stop the adversary along an
avenue of approach, and she/he has nowhere to go. This is extremely
resource intensive, and I cannot see how one could accomplish this at
the network level.
The Turn effect is the channelization described by Harlan, and
I definitely see this analogy applicable to honeypots.
The last two effects also give the analogy value in the honeypot
context. Fixing the adversary means slowing her down while you
carry out a valuable action, be it passively (like observing and
learning about her tools, techniques and intentions) or actively (such
as taking the fight to the adversary with more aggressive measures).
Finally to Disrupt is to slow the adversary down (possibly by
making her waste her time with low interaction production honeypots).
<br>
This brings me to my third (and final) thought.  In reference to 
detection, I highly doubt we will ever create a honeypot that is 
impossible to detect.  Attackers that have the skills or tools, and are 
looking, will eventually fingerprint your honeypot.  The key to the 
game is to make the honeypot hard enough to detect, so when the bad guy 
does detect it, it's too late for them.

Or perhaps attackers are relying on other, less technical means of identifying high value targets.

Whatever the effect you want to accomplish with an obstacle, it is
doomed to failure unless the obstacle is covered by observation [and
fire]. By the time the obstacle is detected, the good guys already have
the information they need. That's it for now troops!

Sly
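As an added illustration of the two effects Sly says transfer best to honeypots (Fix/Disrupt through a low-interaction service that wastes the adversary's time, while the obstacle stays "covered by observation"), here is a small tarpit listener. This is example code written for this archive page, not code from the list post or from any honeypot project; the fake SMTP banner, the listening port 2525, and the TEST-NET-1 peer address used by the offline probe are all constructed values.

```python
"""Low-interaction 'tarpit' listener: every connection is logged (observation)
and answered one byte at a time with a delay between bytes (disruption).
Added example for the archive page; the banner and port are made up."""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed fake banner; a real deployment would mimic a service present on the network.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def observation_record(peer, bytes_seen, duration_s):
    """The record a defender wants from the obstacle: who touched it, what they
    sent, and how long they were held."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes_from_peer": len(bytes_seen),
        "first_bytes": bytes_seen[:64].decode("latin-1"),
        "held_seconds": round(duration_s, 2),
    }


def drip_banner(send, banner=BANNER, delay=0.0):
    """Send the banner one byte at a time, sleeping `delay` seconds between
    bytes (the Disrupt effect). Returns the number of bytes sent."""
    sent = 0
    for i in range(len(banner)):
        send(banner[i:i + 1])
        sent += 1
        if delay:
            time.sleep(delay)
    return sent


def handle(conn, peer, delay=0.5, max_read=1024):
    """Serve one connection: drip the banner, read whatever the peer sends,
    close, and emit a JSON log line. Returns the log record."""
    start = time.monotonic()
    seen = b""
    try:
        drip_banner(conn.sendall, delay=delay)
        conn.settimeout(5)
        try:
            seen = conn.recv(max_read)
        except socket.timeout:
            pass
    finally:
        conn.close()
    rec = observation_record(peer, seen, time.monotonic() - start)
    print(json.dumps(rec))
    return rec


def simulate_probe(payload, delay=0.0):
    """Drive handle() over an in-process socket pair (no network) so the
    behaviour can be checked offline. Returns (record, bytes the peer saw)."""
    ours, theirs = socket.socketpair()
    theirs.sendall(payload)
    rec = handle(ours, ("192.0.2.10", 40000), delay=delay)  # constructed peer (TEST-NET-1)
    got = b""
    while True:
        chunk = theirs.recv(4096)
        if not chunk:
            break
        got += chunk
    theirs.close()
    return rec, got


def serve(host="127.0.0.1", port=2525, delay=0.5):
    """Accept connections forever; each one is handled in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, delay), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The per-byte delay is what makes this an obstacle rather than just a listener: a scanner that waits for a full banner before moving on is held for seconds per port, and every such hold produces a log line with the source address and the first bytes sent, which is the observation that gives the obstacle its value.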

