
http://www.ecommerce-guide.com/news/trends/article.php/559431


Playing With Fire: Not So Sweet Honeypots
By Mark Merkow, CCP, CISSP
January 12, 2001

When most people think about "Defense in Depth" on Internet-attached networks, they typically think of routers, firewalls, and Intrusion Detection Systems (IDSs). Another layer of defense in depth can be achieved through the use of honeypots to gain direct, observable knowledge of how Black Hat hackers operate.

What Is A Honeypot?
Based on the principle that to successfully defend yourself against the enemy, you must first know who the enemy is, a honeypot is a decoy Internet-attached server that is used to lure in Black Hat hackers and watch them as they exploit vulnerabilities with the goal of obtaining administrator or root access to the device. Learning how the Black Hats work -- and monitoring their activities -- helps you to implement better security on your systems and helps you to improve your ability to ward off attacks on protected systems.

Perhaps the most famous example of the use of honeypots is described in some detail in Clifford Stoll's book, The Cuckoo's Egg. In the book, Stoll sets up a trap on the University of California network, complete with bogus details about the Strategic Defense Initiative (SDI), to keep a hacker interested and connected long enough to trace him back to his source in Hanover, Germany.

Honeypots are designed to look like a system an intruder would like to hack and are installed on an Internet segment that limits their ability to wreak havoc in other parts of your network or on others. Honeypots can be installed inside, outside, or within the firewall DMZ. For control reasons, most honeypots are integrated inside the firewall.

Firewall policies for honeypot systems are virtually the opposite of what a firewall is normally designed to do. Rather than being restrictive on what comes in from the Internet and less restrictive on what goes out, the firewall rules for a honeypot system should permit all traffic in from the Internet and block most outgoing traffic to the Internet to limit damage. The idea is to attract the adversary while containing their ability to use the honeypot as a stepping-stone to further attacks on other protected resources or on systems belonging to others on the Internet.

You'll want to integrate your honeypot system into a subnetwork that won't normally be accessed. By isolating the system, any traffic on that segment is automatically suspicious and should trip the alarms. If you place a honeypot system with other servers on the same subnetwork, you run the risk of those systems getting compromised, and you lose your ability to distinguish legitimate traffic from attacker traffic. Furthermore, you can establish a layered approach to tripping alarms as successive layers of security are breached.

Creating a Honeypot
Honeypots can operate on almost any kind of computer system -- often an unused PC will do. While most public domain software for setting up a honeypot is written for UNIX, many of these tools have already been ported to NT. The SANS Institute recommends BSD UNIX or RedHat Linux since more tools are available for these OSs. Additionally, you'll need a sniffer package to keep tabs on traffic leading to the honeypot segment.

Software
Several commercial software systems are available for building and operating a honeypot system, along with an even wider variety of shareware or public domain programs easily found on the Internet. Some of today's commercial systems include:

Honeypot systems should be configured to look like a box that a Black Hat would like to exploit. You can achieve this by giving it an irresistible name, like intranet.companyname.com or mail.companyname.com. If there are any telltale signs that your system is anything other than a legitimate host, the hacker will likely know that something is up and quickly leave -- defeating the purpose of installing one in the first place!

The Goals For Honeypots
The SANS Institute cites these two goals for setting up a honeypot:

  1. Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder's activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
  2. Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.

More important, when you decide you're going to build a honeypot you must first realize that you're playing with fire and can easily get burned. Someone with skills far superior to your own is out there and poised to attack your system, and it may only take them a few hours after it's up to discover it! Keeping this in mind the entire way through is your best hedge against doing something reckless -- or even fatal.

Knowing Thine Enemy
Lance Spitzner, the clear authority on honeypot systems, documents their usefulness in a series of articles entitled Know Your Enemy, published as part of the Honeypot Project. He describes how to track attackers through the system to gain sufficient information about how they operate. Ultimately, the objective is to boot them off the system once sufficient logging of their activities is accomplished, wipe the system clean, patch the vulnerabilities that were exploited, and bring the system back up for the next Black Hat. Spitzner uses layers of logging functions to avoid losing valuable information if the hacker erases it. Furthermore, he places the log files on a separate, protected server while making it appear as though logging is occurring locally. Again, the more deceptive the system is, the better! During what he describes as the Sting Phase of a compromise, he watches the Black Hat for a few days after root is compromised before booting him off. Doing this provides more information about the hacker's activities or helps to gather additional forensics to prosecute him once he's caught.

Sometimes, the goals of putting up a honeypot are purely academic, in the hope of learning as much as possible and fixing as many exploitable weaknesses as possible to improve your security posture. Not all honeypots need be used for prosecution purposes, but be sure your goals are clear before you set out to build one, because evidence handling is no trivial matter.

Knowing Thyself
Honeypots may be useful as a crash course in hacking, and are currently being used by some of the commercial training programs, like the Ultimate Hacking: Hands On course by Foundstone.

Since you can establish a honeypot anywhere on your network, you might want to learn more about your insider threats. Because firewall rules and policies differ widely on an intranet vs. the Internet, you can place a honeypot on an isolated network segment that's only accessible from the private network. You may find that you have far more rogue employees in your organization than you'd like to believe are there. In these cases, make certain you involve your information security personnel and your human resources department to determine the next steps once you catch an insider ne'er-do-well.

Finding skilled White Hat hackers is becoming increasingly difficult every day, and a honeypot-type system can be a valuable training ground for recruits to your White Hat staff of professionals. You might consider setting up a honeypot with known sets of vulnerabilities and giving your prospective employees sufficient time and access to try to find one or more exploits and take control of the system. There's likely no better 'acid test' for weeding out those who can't give you sufficient confidence that they can ward off the real attackers.

Who's Using Honeypots?
Winn Schwartau, an expert in computer security public policy towards hacking, sees no problem in common uses of honeypots, as he describes in a Network World Fusion series of articles called "Lying to hackers is okay by me". Most of the information about honeypots originates with the military and former military personnel, but there's understandably little out there in the way of case studies on specific honeypot users. The point here is that to any casual observer a honeypot is just another box that's subject to an attacker's whim. Advertising the presence of the honeypot defeats the purpose, so be very careful about whom you tell!

The Risks
Obviously, if your honeypot is successful then one thing is perfectly clear -- you've got hackers on your network and they're poking their way through it. Now what? One of the foremost dangers you must guard against is that your honeypot will be used as a launching pad for further attacks on you or on others via the Internet. With proper firewall rules you should be able to limit this risk. Another risk you'll face is how to carefully balance control over the hacker without limiting them so much that they discover they're being watched. Here's where the excitement builds -- playing cat-and-mouse with a skilled criminal. If you're looking for a rush of adrenaline, here's where you'll find it! Again, Spitzner recommends allowing all Internet traffic inbound and only allowing FTP, ICMP, and DNS outbound, both to avoid arousing the hacker's suspicion and to allow him his typical modus operandi.
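The reversed firewall policy described here and in the earlier section on firewall rules (everything permitted inbound, only FTP, ICMP and DNS permitted outbound, and any traffic touching the isolated segment treated as an alarm), worked through as an added Python example that is not part of the original article. The honeypot segment address, the log line format and the sample log lines are constructed assumptions, and FTP is modelled as its tcp/21 control channel only.

```python
import ipaddress
from collections import namedtuple

# Constructed values: the honeypot sits on its own small segment (TEST-NET-1
# range), and the egress allow-list follows the FTP/ICMP/DNS recommendation.
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/28")
# Assumption: FTP is modelled as its tcp/21 control channel only; FTP data
# channels would need connection tracking, which this toy filter omits.
ALLOWED_OUTBOUND = {("tcp", 21), ("tcp", 53), ("udp", 53), ("icmp", None)}

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse one constructed log line: '<src> <dst> <proto> <dport or ->'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), None if dport == "-" else int(dport))

def classify(flow):
    """Apply the reversed honeypot policy; return (verdict, alert_text)."""
    src_in, dst_in = flow.src in HONEYPOT_NET, flow.dst in HONEYPOT_NET
    svc = flow.proto if flow.dport is None else "%s/%d" % (flow.proto, flow.dport)
    if not src_in and not dst_in:
        return "ignore", None                  # does not touch the segment
    if src_in and dst_in:
        return "allow", None                   # stays inside the segment
    if dst_in:
        # Inbound is permitted, but nothing legitimate ever talks to this
        # segment, so every inbound flow is itself worth an alarm.
        return "allow", "inbound %s to honeypot from %s" % (svc, flow.src)
    if (flow.proto, None if flow.proto == "icmp" else flow.dport) in ALLOWED_OUTBOUND:
        return "allow", "honeypot egress %s permitted by policy" % svc
    # Anything else leaving the honeypot is a possible stepping-stone attack.
    return "drop", "honeypot egress %s BLOCKED: possible attack on %s" % (svc, flow.dst)

def audit(lines):
    """Run the policy over log lines; return a list of (verdict, alert) pairs."""
    return [classify(parse_flow(l)) for l in lines if l.strip()]

# Constructed sample log: an inbound SSH probe, three permitted egress flows,
# one blocked telnet attempt against a third party, and unrelated traffic.
SAMPLE_LOG = """\
198.51.100.7 192.0.2.5 tcp 22
192.0.2.5 203.0.113.9 udp 53
192.0.2.5 203.0.113.9 tcp 21
192.0.2.5 203.0.113.9 icmp -
192.0.2.5 203.0.113.44 tcp 23
198.51.100.7 203.0.113.9 tcp 80
""".splitlines()
```

Running `audit(SAMPLE_LOG)` yields four allows (each with an alert text), one drop for the telnet attempt, and one ignore for the flow that never touches the segment.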

Maintenance of the Honeypot
Like any other server, honeypots must also be maintained to ensure that old holes are patched and that logging is working properly. Failure to maintain the system -- or worse, forgetting that it's there -- is akin to leaving a gaping hole in your network. This includes the need to maintain your incident response procedures as people come and go and pager numbers change.

Entrapment Or Good Security Practice?
Some people believe that setting up a honeypot is a form of entrapment and that evidence collected from it will be inadmissible in court. Others believe this is simply not the case because honeypots are not designed as active lures. The only time a hacker should stumble upon the honeypot is through scanning activities that he conducts on his own. If you're careful with your forensics gathering and handling of the log information, through a well-documented and well-practiced chain of custody, you should be able to use all the information for your own benefit.

It's also important to remember that you can't set up a honeypot without the support of your organization and its management. You'll need their support and commitment before you begin; otherwise you may find yourself the target of an orchestrated attack by hackers who are miffed that you're trying to trap them. Should that occur, you don't want to stand alone trying to fend off their attacks.

Conclusion
Honeypots can be an effective tool in your security arsenal, but like any other dangerous weapon, they demand careful and skilled handling. Playing with fire is okay, but only if you're truly prepared for the worst possible consequences!