Honeypots mailing list archives

Re: Profiling threat in honeynet


From: Valdis.Kletnieks () vt edu
Date: Thu, 06 May 2004 13:06:29 -0400

On Wed, 05 May 2004 17:48:59 +0800, dcneting <ansiry () tm net my>  said:
> What is the importance of profiling threats in a honeynet? Anybody can point
> something to me..? I'm still searching..and still couldn't find any idea
> about it..

Well... I'm not clear on which sense you mean - are you profiling the threats
that you intend to catch, or profiling the threats of running a honeynet?

To take on the first issue:  You have to decide what your threat model is, in
order to build a honeypot to catch that threat.  If you're trying to catch the
worm-du-jour, you need something that acts like it *isn't* patched and is
wide-open vulnerable.  If you're hoping to catch anything other than an
automated worm or larval-stage script kiddie, you need to harden the honeypot
to reject all the background noise from the worms and newbies, so you don't
false-positive yourself into missing the attack you're looking for...

To take on the second issue: The answer will depend on the answer to the first
issue.  If you're simply trying to hoover in a worm sample, the worst that can
happen is it gets infected and starts trying to replicate, adding 0.000001% to
the number of boxes doing it.  On the other hand, if your catch-a-black-hat box
actually catches a black hat, you may have some serious containment issues... 

Also, the answer to both questions will also depend on things like your network
topology - is the honeypot on the open net, a DMZ, or internal net?  Meanwhile,
the answer to that depends on the answer to the first two issues.....

