Honeypots mailing list archives

RE: Minefields


From: "David LeBlanc" <dleblanc () exchange microsoft com>
Date: Sun, 27 Jun 2004 18:23:51 -0700

H Carvey said: 

I think that it's also important to point out that while organizations
*can* deploy honeypots, this doesn't mean that they *do*.  The IT
industry at large is still subject to market influences, meaning that
we've still got IT depts that are understaffed, undertrained, and
overtasked.  Given this...who has time to run a honeypot?  Honeypots
need to be planned for, and set up and managed properly...otherwise,
they provide a doorway into a network, similar to a misconfigured WAP,
rather than protecting it.

This is quite true, and a large company also has the problem that if the
honeypot becomes an attack launching pad, then the legal issues are
potentially severe.

Lance said:
This brings me to my third (and final) thought.  In reference to
detection, I highly doubt we will ever create a honeypot that is
impossible to detect.  Attackers that have the skills or tools, and are
looking, will eventually fingerprint your honeypot.  The key to the
game is to make the honeypot hard enough to detect, so when the bad guy
does detect it, it's too late for them.

I have a couple of ideas here - first, a virtual machine host system may
well be able to monitor a hosted system without being very detectable.
This should be explored.

Second, we should better develop our ability to use operational networks
to learn the same types of things. It gets around a number of problems.
We have found some interesting things out from how people attack us. So
think along the lines of a real honeypot being the race car used to find
things that could be leveraged in production systems to better protect
and defend those systems, as well as gathering information about the
attackers. The problem with us is noise in the data - I've watched
people scan our external network looking for Solaris bugs 8-/ how smart
is that???

Or perhaps attackers are relying on other, less technical means of
identifying high value targets.

Yeah, like looking through registrars for IP ranges belonging to a large
company...

One concept we've been thinking through is that of attacker personas. A
script kiddie looking to increase their botnet is an easy target for a
honeypot. A worm is still easier to identify, alert on and track. An
attacker who is going after a specific target is going to be hard to
catch in a honeypot, and a highly skilled attacker going after a
specific target is harder still to catch, unless the ops people they
have taken on are also highly skilled.
