A sweet solution: honeypots distract hackers from valuable networks

Computer Technology Review, August, 2002 by Brian Hernacki

All war is deception, said Sun Tzu. And, indeed, for thousands of years, military leaders have deceived their opponents in order to win battles. The same techniques used in traditional warfare can also be applied to defend networked assets from today's savvy attackers.

Thanks to the Internet, attackers now have a common, automated knowledge base that they can leverage to wage a new kind of war on the enterprise. For example, attackers can use the Internet to calmly research new vulnerabilities. Or, by downloading an automated exploit, a novice attacker can appear to have the skills of an expert. Even information about circumventing firewalls and intrusion detection systems (IDS) can be found with the click of a button. In addition, automation means that attackers can effectively spend months looking for holes in defenses without any interaction that might otherwise gain attention. And finally, the interconnected nature of the Internet means attackers from all over the world can strike any system they choose.

An attack need only succeed once. Security professionals, however, must defend against all current and future attacks and attackers. They must find and fix all vulnerabilities before an attacker acts, without affecting any operational network services. And they must immediately detect and respond to any suspected compromise. Even a false alarm consumes large amounts of time. What's more, responding to a successful attack is nearly impossible without first determining what the attacker was after and how deeply he penetrated the network. Finding this information after the fact is a long and error-prone effort, especially considering that the average corporate security professional is already multitasked with daily system administration, end-user problem resolution and the installation of myriad security applications that do not provide interoperability. All in all, these discrepancies give the attacker a serious advantage.

Traditional security techniques attempt to block attacks (firewalls) or detect them as they happen (IDS). Both of these techniques are critical, but they have their limits (see Figure 1). Given enough time and information, an attacker can learn to circumvent a firewall. Once circumvented, the firewall offers no further protection. An IDS will only provide information once an attack has begun. Often this does not leave enough time to adequately secure all vulnerable systems. In addition, an IDS cannot determine if a new attack succeeded or if it would succeed against other systems. Using only firewalls and IDS is analogous to a medieval city defending against the barbarian hordes with only high walls and unarmed sentries. Eventually, the city will fall.

A successful countermeasure would substantially delay the attacker while giving the defender enough information about his enemy to prevent the attack from causing damage. Successful use of deception accomplishes these goals. By deceiving the attacker, the defender feeds him false information and forces him to waste time in fruitless assaults, thereby blunting future attacks. In addition, a good deception will give the defender information about the attacker's means and motives without the large cost of a successful exploit. This information can then be used to enhance existing security measures, such as firewall rules and IDS configurations.

The Evolution of Network Deception

The first deployments of network deception, known as "honeypots," are not a new idea. Researchers and security professionals have been using different forms of honeypots since computers were first interconnected. Much like an actual pot of honey used to attract and trap insects, a technological honeypot can be deployed to present an attractive target to an attacker.

Using a honeypot has numerous advantages. First, it wastes the attacker's time. Depending on the depth of the deception, an attacker can spend large amounts of time attempting to exploit and then exploring the honeypot, and any time spent attacking a honeypot is time not spent attacking a real machine. Second, it gives the attacker a false impression of the existing security measures. He or she may spend time finding tools to exploit the honeypot that may not work on a real system. And third, the existence of a honeypot decreases the likelihood that a random attack or probe will hit a real machine.

Many attackers scan large blocks of computers looking for victims. Even attackers targeting a specific organization will scan the publicly accessible machines owned by the organization looking for a machine to compromise as a starting point. Using honeypots decreases the chance an attacker will choose a valuable machine as a target, and the honeypots will detect and record the initial scan as well as any subsequent attack.

Unlike other intrusion detection measures, there are no false positives with a honeypot. IDS products produce false positives to varying degrees. This is because there is always a chance that valid traffic will match the characteristics the IDS uses to detect attacks. This is not the case with a honeypot. Any communication with a honeypot is suspect simply because the device is not used for any purpose other than detecting attacks. In other words, there is no valid traffic to produce false positives.
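The detection logic the two preceding paragraphs describe, as an added example that is not part of the original article: flow records are checked against a list of decoy addresses, and any flow to a decoy is reported without consulting a signature, because the decoy has no legitimate clients. The honeypot addresses and the flow records are constructed for illustration.

```python
"""Honeypot-contact detector over constructed flow records (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical decoy addresses: machines that serve no production purpose.
HONEYPOTS = {"10.0.5.20", "10.0.5.21"}

# Constructed flow records: (src_ip, dst_ip, dst_port). Not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.5.10", 443),     # user reaching a real web server: not suspect
    ("198.51.100.7", "10.0.5.10", 22),   # SSH to a real host: left to the IDS
    ("198.51.100.7", "10.0.5.20", 22),   # touches a decoy: suspect by definition
    ("198.51.100.7", "10.0.5.20", 80),
    ("198.51.100.7", "10.0.5.21", 445),  # same source hits a second decoy: scan-like
    ("10.0.1.15", "10.0.5.21", 445),     # internal host touching a decoy: also suspect
]


def honeypot_contacts(flows, honeypots=HONEYPOTS) -> Dict[str, List[Tuple[str, int]]]:
    """Group every flow whose destination is a decoy by source address.

    No signature is consulted: the decoy has no legitimate clients, so any
    flow to it is reported. This is the sense in which the article says a
    honeypot produces no false positives.
    """
    hits = defaultdict(list)
    for src, dst, port in flows:
        if dst in honeypots:
            hits[src].append((dst, port))
    return dict(hits)


def classify(contacts, scan_threshold=3) -> Dict[str, str]:
    """Label each source 'scan' if it touched at least scan_threshold distinct
    (decoy, port) pairs, otherwise 'probe'. The threshold is an assumption."""
    return {src: ("scan" if len(set(pairs)) >= scan_threshold else "probe")
            for src, pairs in contacts.items()}


if __name__ == "__main__":
    contacts = honeypot_contacts(SAMPLE_FLOWS)
    for src, label in classify(contacts).items():
        print(f"{label:5} {src} -> {sorted(contacts[src])}")
```

Flows to the real server at 10.0.5.10 are never reported here; they remain the firewall's and IDS's job, which is the division of labour the article draws.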
