Honeypots: Silent but Effective

17 10 2011

by Francisco Robles

Every day the news reports companies whose systems have been compromised, with different consequences in each case. But those are only the most famous cases. The people in charge of system security within a company struggle every day with attack attempts from both insiders and outsiders who want to break in to gain unauthorized access to some resource (a computer, a program, data, information, etc.).

Technology evolves at a very fast pace, and so do the methods and tools used by attackers. The traditional approach has relied on IDS (Intrusion Detection Systems), with their well-known limitations (false positives, false negatives, data overload), along with firewalls and other passive systems [1].

Because of that, a different approach has been coined: the honeypot. Some authors refer to it as a specialized version of an IDS [2], while others, such as Lance Spitzner, define it as [3]:

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Whichever definition is used, the main purpose of a honeypot remains the same: to detect an attacker and to understand how he or she tries to compromise the system. “A honeypot is a resource, which pretends to be a real target. The main goals are the distraction of an attacker and the gain of information about an attack and the attacker” [4]. The honeypot is set up to emulate a production system so that it is attractive to an attacker. It is also a trap, because the attacker does not know that he or she is being monitored. The system is deployed in isolation: no legitimate system has any reason to communicate with it, so if any communication is detected there is a high probability that it comes from an intruder. The honeypot therefore stays silent until someone touches it, and then it emits an alert.
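The "silent until touched" behaviour described above, as an added example that is not part of the original post: a minimal low-involvement TCP honeypot that listens on a port nobody legitimate uses, answers with a fake SSH banner, records the first bytes the peer sends, and emits one alert per connection. The class name, the banner string and the `run_probe` "attacker" are assumptions made for this illustration; the banner version string is constructed and not a claim about any real release.

```python
import datetime
import json
import socket
import threading
import time

# Constructed banner imitating an OpenSSH server; the version string is
# illustrative and not a claim about any particular release.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"


class LowInteractionHoneypot:
    """Minimal low-involvement TCP honeypot (hypothetical example class).

    It accepts a connection, sends a fake service banner, records the first
    bytes the peer sends and emits one alert per connection. No legitimate
    client is ever pointed at this port, so every connection is suspicious.
    """

    def __init__(self, host="0.0.0.0", port=2222, banner=FAKE_SSH_BANNER,
                 read_timeout=5.0):
        self.host, self.port, self.banner = host, port, banner
        self.read_timeout = read_timeout
        self.events = []            # small data set of high value
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None

    def bind(self):
        """Open the listening socket; port 0 lets the OS pick a free port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(16)
        self._sock.settimeout(0.5)  # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        return self.port

    def handle(self, conn, addr):
        """Interact just enough to capture what the peer does, then close."""
        event = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "src_ip": addr[0], "src_port": addr[1], "dst_port": self.port,
            "payload": b"",
        }
        try:
            conn.settimeout(self.read_timeout)
            conn.sendall(self.banner)
            event["payload"] = conn.recv(1024)  # first KiB only; no real shell
        except OSError:
            pass  # a scanner that only grabs the banner is still an event
        finally:
            conn.close()
        with self._lock:
            self.events.append(event)
        print(self.alert(event))
        return event

    @staticmethod
    def alert(event):
        """Render an alert line; payload is hex so it cannot inject into logs."""
        return json.dumps({
            "alert": "honeypot-connection", "time": event["time"],
            "src": f"{event['src_ip']}:{event['src_port']}",
            "dst_port": event["dst_port"], "payload_hex": event["payload"].hex(),
        })

    def snapshot(self):
        with self._lock:
            return list(self.events)

    def serve_forever(self):
        if self._sock is None:
            self.bind()
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self.handle, args=(conn, addr), daemon=True).start()
        self._sock.close()

    def stop(self):
        self._stop.set()


def run_probe(port, data=b"SSH-2.0-probe\r\n", host="127.0.0.1"):
    """Constructed 'attacker': connect, read the banner, send a client string."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(256)
        s.sendall(data)
    return banner


def demo(probe=b"SSH-2.0-probe\r\n"):
    """Start the honeypot on a free loopback port, hit it once, return what it saw."""
    hp = LowInteractionHoneypot(host="127.0.0.1", port=0)
    port = hp.bind()
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    banner = run_probe(port, probe)
    deadline = time.time() + 5
    while not hp.snapshot() and time.time() < deadline:
        time.sleep(0.02)
    hp.stop()
    return banner, hp.snapshot()


if __name__ == "__main__":
    print(demo())
```

Because the honeypot never executes what it receives, a compromise of the listener itself is not possible through this code path; that is the trade-off of the low-involvement design. In a real deployment the alert line would go to syslog or a SIEM rather than stdout, and the listener would sit behind a firewall that blocks outbound connections from the honeypot host.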

There are two main uses of honeypots: production and research. The first is focused on helping to mitigate risk, whereas the second is oriented toward gathering as much information as possible [5].

According to Spitzner, these are the advantages of a honeypot over an IDS [3]:

–   Small data sets of high value. Instead of collecting all the traffic and then analyzing huge amounts of data to detect abnormal activity, the honeypot only collects data when someone interacts with it. The data collected is thus smaller but more valuable.

–   New tools and tactics. Honeypots are designed to be attractive to attackers, so they can capture new methods and tools never seen before, without the need to update anything in the honeypot.

–   Minimal resources. They only capture bad traffic, so there is no need for expensive equipment.

–   Encryption or IPv6. It does not matter which technologies the attackers use; because the honeypot is the endpoint of the connection rather than a sniffer on the wire, it sees the activity in the clear and captures it.

–   Information. Honeypots can collect in-depth information about the attacker's activity.

–   Simplicity. Honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.

 

But no system is free of disadvantages, and the honeypot is no exception. A honeypot is only useful when an attacker interacts with it, so its field of view is very narrow: it sees nothing of attacks against other systems. There is also a risk, as with any equipment, in deploying a honeypot: there is a probability that the system is compromised by an attacker and used to attack other systems. This risk depends on which type of honeypot is used. Another risk is that the attacker discovers that he or she fell into a trap and seeks revenge with the help of other parties.

The two main types of honeypot are low-involvement and high-involvement (Spitzner calls them low-interaction and high-interaction [3]). The former only offers fake services, which can be configured, while the operating system itself is kept tightly controlled; this limits the impact in the event that an attacker compromises the system. The latter runs a real operating system, which permits gathering more information about an attacker and his or her procedures, and disguises the trap better. But there is a greater risk with this approach, because the attacker may do more damage if he or she gets control of this computer [3].

Usually low-involvement honeypots are used in production and high-involvement honeypots for research. But this is not a hard rule; either type can be used for either purpose.

The effectiveness of a honeypot is determined by many factors, among them:

–   Capacity to mimic a legitimate system. The more convincingly a honeypot is disguised as an authentic system used by the organization, the more attractive it is for an attacker to go after it. Some products are designed to resist the fingerprinting techniques that would reveal them as honeypots.

–   Infrastructure around the honeypot. Using an IDS and firewalls alongside the honeypot increases the capacity to learn about an attacker, and the firewall also limits what a compromised honeypot can reach. So the honeypot is not a replacement for any other security system; it is designed to coexist with them.

 

There are other approaches that use the main principles of honeypots. One is a honeynet, where a complete isolated network with clients and servers is set up, even loaded with plausible-looking data and programs so that it appears authentic. Another is a honeytoken, which is not a computer at all but a digital entity (a bogus Excel file, a set of credentials, etc.) that nobody should ever interact with unless they are an unauthorized party [6].
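The honeytoken idea above, applied to bogus credentials, as an added example that is not part of the original post: a decoy username is planted where an intruder might read it (a fake config file, an old password store), and the detection logic simply watches the authentication log for any use of that name. The usernames, the regular expression and the sample sshd log lines are all constructed for this illustration; the example is not taken from the references cited here.

```python
import re
import secrets

# Constructed decoy usernames planted in a fake config file or password store.
# No legitimate process ever uses them, so any authentication attempt with one
# means somebody read the bait.
HONEYTOKENS = {"svc_backup_legacy", "oracle_dba_old"}

# Matches sshd syslog lines for both successful and failed logins, with or
# without the "invalid user" marker sshd adds for accounts that do not exist.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample log: one legitimate login, then a scanner trying the
# honeytoken and a common name, then the honeytoken actually succeeding.
SAMPLE_AUTH_LOG = [
    "Oct 17 10:02:11 web01 sshd[4021]: Accepted publickey for deploy from 10.0.0.5 port 51422 ssh2",
    "Oct 17 10:02:45 web01 sshd[4033]: Failed password for invalid user svc_backup_legacy from 203.0.113.7 port 40211 ssh2",
    "Oct 17 10:02:46 web01 sshd[4033]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2",
    "Oct 17 10:03:01 web01 sshd[4041]: Accepted password for svc_backup_legacy from 203.0.113.7 port 40230 ssh2",
]


def new_honeytoken(prefix="svc"):
    """Mint a unique decoy username so that a hit cannot be an accidental typo."""
    return f"{prefix}_{secrets.token_hex(4)}"


def scan_auth_log(lines, tokens=HONEYTOKENS):
    """Return one alert per line in which a honeytoken username was used.

    A failed attempt tells you the bait was read; a successful one tells you
    the decoy account (if it was created as a real, monitored account) is now
    in the attacker's hands and should be disabled immediately.
    """
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] not in tokens:
            continue
        alerts.append({
            "time": m["ts"], "host": m["host"], "user": m["user"],
            "ip": m["ip"], "result": m["result"],
            "severity": "critical" if m["result"] == "Accepted" else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_auth_log(SAMPLE_AUTH_LOG):
        print(alert)
```

The same check generalises to any token with no legitimate use: a fake API key in a repository, a decoy row in a customer table, or a document with a unique string that a DLP filter watches for. The value is that there is no signature to maintain; the only rule is "nobody should ever touch this".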

In conclusion, honeypots represent a different approach to identifying and combating attackers. Because a honeypot is always there and only acts when someone interacts with it, the data it gathers is very useful, which reduces the chance of false positives and false negatives. But this advantage comes at a cost: its field of view is very limited, which is why it was designed to coexist with other systems such as an IDS and not to replace them.

The idea of attracting an attacker helps either to distract him or her from attacking real computers or to raise an alert immediately so that other measures can be taken in time. Its simplicity is what makes it very attractive to security personnel, because it does not rely on rules or signatures that become obsolete over time.

The same concept can also be applied to whole networks (honeynets) and even to digital entities (honeytokens).

______________________

[1] L. Spitzner, “Honeypots: Simple, Cost-Effective Detection”, Symantec Connect. http://www.symantec.com/connect/articles/honeypots-simple-cost-effective-detection

[2] L. R. Even, “Intrusion Detection FAQ: What is a honeypot?”, SANS. http://www.sans.org/security-resources/idfaq/honeypot3.php

[3] L. Spitzner, “Definitions and Value of Honeypots”. http://www.tracking-hackers.com/papers/honeypots.html

[4] S. Yeldi, S. Gupta, T. Ganacharya, S. Doshi, D. Bahirat, R. Ingle, A. Roychowdhary, “Enhancing Network Intrusion Detection System with Honeypot”, TENCON 2003, Conference on Convergent Technologies for Asia-Pacific Region, IEEE.

[5] Feng Zhang, Shijie Zhou, Zhiguang Qin, Jinde Liu, “Honeypot: a Supplemented Active Defense System for Network Security”, Proceedings of the Fourth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT’2003), IEEE.

[6] L. Spitzner, “Honeypots: Catching the Insider Threat”, Proceedings of the 19th Annual Computer Security Applications Conference, 2003, IEEE.
