Honeypots mailing list archives

Re: Managing Deception


From: ChayoteMu <chayotemu () gmail com>
Date: Tue, 5 Jul 2005 20:31:50 -0700

I'm building a small "wish-list" network plan for myself to use as a
testbed and had a similar idea. The way I was thinking of doing this
would be to either have an inline machine between your honeynet and
the pipe to the Internet, lock that box down and make it transparent
to both sides. Then internally use that to block attack traffic going
from the honeynet by either diverting it back to a random honeynet
host or by simulating a response of some sort. What you could do is
either use this idea or just get an invisible server that can only
send data to the honeynet. This box searches and generates false
information, possibly from a shared source, and automates e-mails and
such and then sends the info into the honeynet where the various
machines pick up the info and daemons pick up the data and integrate
it. With a bit of planning there could be a semi-shared server out
there for such machines to connect to that could harvest and generate
such data or volunteers could create the information by hand. It would
definitely require review of all content, especially the human made
content, but could be worth the effort. I don't know of anything that
does this already, but would also be interested if someone else does.

On 7/5/05, seamus blarnum <crpyt0k1d () yahoo com> wrote:
Greetings,

I have some questions for the sticky-crew here. I'm
working on a paper on honeynet development for a
small-mid sized corporation. The issue I keep coming
into is the management of a grouping of dummy systems.
Does anyone know of a good commercial product that can
simulate user behavior and crawl websites, build or
import network documents from a central server to
simulate network transfers?

I was also wondering if there is a product that could
simulate random content emails, by scanning popular
"sites of interest" and use site headlines in emails
"the packers just won", or "kevin mitnick released a
trance album". Just simple stuff that would seem
innocuous from a remote listener. Potentially even
having a central file server that simulates network
traffic by scanning through documents prepared by the
deployment team that contain specific information to
be relayed through the network?

I know it seems like a lot, but I'm sitting here
putting this into a moldable mental form.

Content is important if these things are going to
really be sticky. The low skill of newbs helps them
not understand what to seek, but skilled infiltrators
are looking for something specific (accounting
information, intellectual property, etc). These are
the folks we want to get stuck and sit around long
enough for us to identify why they're on the box in
the first place.


Thoughts from the group? Thanks for any pointers,
solid comments, or responses.


Seamus


-- 
ChayoteMu

"To catch a thief, think like a thief. To catch a master thief, be a
master thief."
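Both messages sketch the same component: something that feeds reviewed, plausible-looking content (headline-driven e-mails, decoy documents) into the honeynet so a skilled intruder finds what they are looking for. The generator below is an added illustration of that idea and is not code from either poster. It assumes a constructed headline list, fictitious staff names and the made-up mail domain example.corp; a real deployment would take the headline feed from the operator-reviewed source the thread asks for. It also adds the detection half the thread only implies: every decoy carries a unique canary token and is recorded by hash, so if decoy content later shows up in traffic leaving the honeynet it is recognized as bait rather than mistaken for a real leak.

```python
"""Seeded decoy e-mail generator with a canary registry for a honeynet.
Added example; not from the mailing-list thread. All sample data below is
constructed."""
import hashlib
import json
import random
from datetime import datetime, timedelta

# Constructed sample inputs (assumptions). In practice the headline list is
# the operator-reviewed feed the thread calls for.
HEADLINES = [
    "The Packers just won",
    "Kevin Mitnick released a trance album",
    "Quarterly results due Friday",
]
STAFF = ["alice", "bob", "carol", "dave"]
DOMAIN = "example.corp"  # assumed fictitious honeynet mail domain


def canary_token(seed, index):
    """Unique marker embedded in each decoy so the artifact can be recognized
    later, e.g. in a capture of outbound traffic. Derived from the batch seed
    so the same batch can be regenerated for review."""
    digest = hashlib.sha256(f"{seed}:{index}".encode()).hexdigest()
    return f"INV-{digest[:10].upper()}"


def make_email(rng, seed, index, base_time):
    """Build one decoy message: internal sender/recipient, a headline-derived
    subject, and a body that references the canary token."""
    sender, recipient = rng.sample(STAFF, 2)
    headline = rng.choice(HEADLINES)
    token = canary_token(seed, index)
    sent = base_time + timedelta(minutes=rng.randint(0, 24 * 60))
    body = (
        f"Hi {recipient},\n\nDid you see this? {headline}.\n\n"
        f"Also, please check invoice {token} before the end of the week.\n\n"
        f"Thanks,\n{sender}"
    )
    return {
        "from": f"{sender}@{DOMAIN}",
        "to": f"{recipient}@{DOMAIN}",
        "date": sent.isoformat(timespec="seconds"),
        "subject": headline,
        "body": body,
        "canary": token,
    }


def generate_batch(seed, count, base_time=datetime(2005, 7, 5, 9, 0)):
    """Deterministic: the same seed always yields the same decoys, so a batch
    can be reviewed before release and the registry rebuilt at any time."""
    rng = random.Random(seed)
    return [make_email(rng, seed, i, base_time) for i in range(count)]


class CanaryRegistry:
    """Maps each decoy's canary token to the SHA-256 of the full artifact."""

    def __init__(self):
        self.tokens = {}

    def record(self, email):
        digest = hashlib.sha256(
            json.dumps(email, sort_keys=True).encode()).hexdigest()
        self.tokens[email["canary"]] = digest
        return digest

    def find_canaries(self, text):
        """Return every registered token present in `text` (for example the
        payload of a connection leaving the honeynet), so decoy content that
        is exfiltrated is identified as bait and attributed to its batch."""
        return sorted(t for t in self.tokens if t in text)


if __name__ == "__main__":
    registry = CanaryRegistry()
    for msg in generate_batch("demo-seed", 3):
        registry.record(msg)
        print(msg["date"], msg["subject"], msg["canary"])
    # Constructed outbound capture that happens to contain one decoy.
    captured = "re: invoice " + next(iter(registry.tokens)) + " attached"
    print("canaries seen in capture:", registry.find_canaries(captured))
```

The seed is the review handle: generate a batch, have a person read it (the thread is right that human-made or headline-derived content needs review), and only then release that seed's output into the honeynet. Because the registry is keyed on tokens rather than on whole documents, a partial copy or a quoted fragment in an outbound capture is still matched.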
