Honeypots and The Cybernetic Sting
by roy
Honeypots can be described as entrapment or “sting” methods to snare the would-be attackers of your network. (Remember the movie in which Newman and Redford ensnared the rival gangster?) Honeypots are servers or workstations that are deliberately exposed to attackers and just waiting for the attackers to expose themselves. The attacker thinks that he is entering a defenseless file server, for example, and then proceeds to install his Trojan horse, back door and maybe a zombie bot, all without realizing that he is being observed by a clever network security specialist.
The attacker may even leave tell-tale files that let the network security specialist learn his IP address, the country he operates from, and possibly his name.
“I do not use honeypots to capture the bad guy,” says security expert Lance Spitzner. “I want to learn how they work without them knowing they are being watched.”
Building a honeypot can be quite easy. Just build a standard workstation, which can even be an old 486DX with Windows 95. Include a network card, configure an IP address and then add a few apps like Word or Excel to make it look legit. Then wait for a few days. It shouldn’t take long before some would-be hacker is pinging into your workstation and maybe adding some files of his own or deleting some of your files.
On the other hand, you might not want to make the honeypot too simple, lest the attacker become suspicious. Just give him or her enough slack to really get established in the root directory. (You might want to make one that more or less mirrors an actual server on your network, so the attacker thinks he’s into something important.)
Where to place the honeypot? If you’re expecting a highly skilled attacker, you might place it behind a separate firewall on its own network. This way you can monitor or control any traffic that enters or leaves the honeypot. Also, if it has its own firewall, you can keep the attacker from proceeding to other parts of your network.
After the honeypot has been compromised, the security expert must be able to track the compromiser’s moves without him knowing it. One method is not to log the information on the honeypot itself, but on a separate machine.
Some advanced attackers are able to see that the logfile is in fact on another machine. You also might consider using a protocol other than IP to connect the honeypot. Novell’s IPX protocol is a good choice, since many attackers might not be familiar with it.
Finally you can set up a sniffer to track keystrokes, screen captures and other traffic in the honeypot.
After the attacker has been on your system for a few days, and you feel you have learned all you need to know about him, then shut down the honeypot. Since you don’t want the attacker to get suspicious, send out a message that the network is going down for routine maintenance. (Of course, the honeypot is the only machine on the “network”.) If the attacker realizes he is being watched, then he will leave and you will have wasted all that time and effort. If your honeypot is on a real network, the attacker could even do harm to it.
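The procedure above (a decoy that looks like a real file server, records every contact, and keeps its logs on a separate machine rather than on the honeypot itself) can be reduced to a small listener. The following is an added example and not code from the original article: a low-interaction TCP decoy that sends a fake FTP-style banner, captures the first bytes of each connection, and ships a structured record over UDP syslog to a separate collector. The collector address, the listening port, the host name and the banner text are all assumptions.

```python
"""Minimal TCP decoy: fake a service banner, record each connection attempt and
ship the record to a SEPARATE log collector over UDP syslog, so nothing about
the visitor is written to the honeypot's own disk.
Added example, not from the original article; addresses, port, banner and
host name are assumptions."""
import json
import socket
import socketserver
from datetime import datetime, timezone

# Assumed collector: a separate machine on the monitoring segment (placeholder
# address from the documentation range; replace with your own collector).
LOG_HOST = "192.0.2.10"
LOG_PORT = 514
# Constructed banner imitating the "real" file server the decoy mirrors.
BANNER = b"220 files.corp.example FTP server ready\r\n"
SYSLOG_PRI = 16 * 8 + 6   # facility local0, severity informational -> <134>


def build_event(peer, first_bytes, dst_port):
    """Turn one connection attempt into a structured, JSON-serialisable record."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": dst_port,
        "bytes": len(first_bytes),
        # Keep a short printable preview only; raw payloads never touch the box.
        "preview": first_bytes[:64].decode("ascii", errors="replace"),
    }


def format_syslog(event, hostname="honeypot"):
    """Render the record as an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG."""
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{SYSLOG_PRI}>{stamp} {hostname} decoy: {json.dumps(event, sort_keys=True)}"


def ship(line, sock, dest=(LOG_HOST, LOG_PORT)):
    """Send one log line to the remote collector; returns the number of bytes sent."""
    return sock.sendto(line.encode("utf-8"), dest)


class Decoy(socketserver.BaseRequestHandler):
    """Serve the fake banner, capture the first request bytes, log remotely."""
    log_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def handle(self):
        self.request.settimeout(5)
        try:
            self.request.sendall(BANNER)
            data = self.request.recv(1024)
        except (socket.timeout, ConnectionError):
            data = b""
        event = build_event(self.client_address, data, self.server.server_address[1])
        ship(format_syslog(event), self.log_sock)


class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(bind=("0.0.0.0", 2121)):
    """Run the decoy until interrupted; the bind address and port are assumptions."""
    with ThreadedServer(bind, Decoy) as srv:
        print(f"decoy listening on {bind}, shipping logs to {LOG_HOST}:{LOG_PORT}")
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the honeypot host and point `LOG_HOST` at the collector on the separate firewall-controlled segment the article describes; connecting to the decoy port from a second machine (for example with `nc`) produces one syslog record per contact. Because the records leave the box immediately over UDP, an intruder who inspects the honeypot's filesystem finds no local log to tamper with, which is the point the article makes about logging elsewhere.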