A sweet solution: honeypots distract hackers from valuable networks.
All war is deception, said Sun Tzu. And, indeed, for thousands of years, military leaders have deceived their opponents in order to win battles. The same techniques used in traditional warfare can also be applied to defend networked assets from today's savvy attackers. Thanks to the Internet, attackers now have a common, automated knowledge base that they can leverage to wage a new kind of war on the enterprise. For example, attackers can use the Internet to calmly research new vulnerabilities. Or, by downloading an automated exploit, a novice attacker can appear to have the skills of an expert. Even information about circumventing firewalls and intrusion detection systems (IDS) can be found with the click of a button. In addition, automation means that attackers can effectively spend months looking for holes in defenses without any interaction that might otherwise gain attention. And finally, the interconnected nature of the Internet means attackers from all over the world can strike any system they choose. An attack need only succeed once. Security professionals, however, must defend against all current and future attacks and attackers. They must find and fix all vulnerabilities before an attacker acts, without affecting any operational network services. And they must immediately detect and respond to any suspected compromise. Even a false alarm consumes large amounts of time.
What's more, responding to a successful attack is nearly impossible without first determining what the attacker was after and how deeply he penetrated the network. Finding this information after the fact is a long and error-prone effort, especially considering that the average corporate security professional is already multitasked with daily system administration, end-user problem resolution and the installation of myriad security applications that do not provide interoperability. All in all, these discrepancies give the attacker a serious advantage. Traditional security techniques attempt to block attacks (firewalls) or detect them as they happen (IDS). Both of these techniques are critical, but they have their limits (see Figure 1). Given enough time and information, an attacker can learn to circumvent a firewall. Once circumvented, the firewall offers no further protection. An IDS will only provide information once an attack has begun. Often this does not leave enough time to adequately secure all vulnerable systems. In addition, an IDS cannot determine if a new attack succeeded or if it would succeed against other systems. Using only firewalls and IDS is analogous to a medieval city defending against the barbarian hordes.
A successful countermeasure would substantially delay the attacker while giving the defender enough information about his enemy to prevent the attack from causing damage. Successful use of deception accomplishes these goals. By deceiving the attacker, the defender feeds him false information and forces him to waste time in fruitless assaults, thereby blunting future attacks. In addition, a good deception will give the defender information about the attacker's means and motives without the large cost of a successful exploit. This information can then be used to enhance existing security measures, such as firewall rules and IDS configurations.
The Evolution of Network Deception
Network deception, first deployed in the form of "honeypots," is not a new idea. Researchers and security professionals have been using different forms of honeypots since computers were first interconnected. Much like an actual pot of honey used to attract and trap insects, a technological honeypot can be deployed to present an attractive target to an attacker. Using a honeypot has numerous advantages. First, it wastes the attacker's time.
Depending on the depth of the deception, an attacker can spend large amounts of time attempting to exploit and then exploring the honeypot--and any time spent attacking a honeypot is time not spent attacking a real machine. Second, it gives the attacker a false impression of the existing security measures. He or she may spend time finding tools to exploit the honeypot that may not work on a real system. And third, the existence of a honeypot decreases the likelihood that a random attack or probe will hit a real machine. Many attackers scan large blocks of computers looking for victims. Even attackers targeting a specific organization will scan the publicly accessible machines owned by the organization, looking for a machine to compromise as a starting point. Using honeypots decreases the chance that an attacker will choose a valuable machine as a target, and the honeypots will detect and record the initial scan as well as any subsequent attack. Unlike other intrusion detection measures, there are no false positives with a honeypot. IDS products produce false positives to varying degrees, because there is always a chance that valid traffic will match the characteristics the IDS uses to detect attacks. This is not the case with a honeypot. Any communication with a honeypot is suspect simply because the device is not used for any purpose other than detecting attacks. In other words, there is no valid traffic to produce false positives. In this way, a honeypot can detect more attacks than any other IDS solution. New vulnerabilities can be found and analyzed because all actions an attacker takes are recorded. Since all communication with a honeypot is suspect, new attack tools can be detected based on their interaction, even so-called "layer eight" attacks, or attacks against the information flow rather than the programs or protocols. These can include feeding false information into a service or database, or using compromised credentials to gain unauthorized access. Finally, a honeypot can detect and record incidents that may last for months. These so-called "slow scans" are difficult to detect using an IDS, as the time involved makes them appear to be normal traffic.
Classification of Honeypots
Honeypots can be classified into three primary categories: sacrificial lambs, facades, and instrumented systems. The first honeypots ever developed, sacrificial lambs are simply computers designed with the sole purpose of being attacked. A sacrificial lamb usually consists of an off-the-shelf system placed in a vulnerable location and left as a victim. It provides an excellent target for attackers--but, unfortunately, extracting data about an attack has proven to be time-consuming, and the sacrificial lamb itself can be used by an attacker to attack other machines.
The next advance in honeypot technology removes the security threat posed by a compromised honeypot by only emulating network services instead of allowing a real machine to be attacked. These facades generally have the vulnerabilities of sacrificial lambs, but they do not provide such a rich set of data. Facades provide easier access to the recorded attack data and therefore make it more difficult for attackers to avoid detection. A facade is the most lightweight form of honeypot and usually consists of some type of simulation of an application or service, in order to provide the illusion of a victim system. The newer instrumented systems build on the strengths of both sacrificial lambs and facades. Like sacrificial lambs, they provide a highly believable system for attackers to compromise, and, like facades, they are easily accessible and difficult to evade due to their logging of attack information. Furthermore, an advanced instrumented system provides a means to prevent the attacker from using the system as a base for further attacks. An instrumented system honeypot is a stock system with additional modifications to provide more information, containment, or control. The technology used in sacrificial lambs and network facades is somewhat restrictive and can be a limiting factor for detection, while an instrumented system addresses many of the issues faced by both of these tools to provide an integrated intrusion detection solution.
While many honeypot implementations may function well in single deployments with dedicated administrative effort, larger deployments (a.k.a. "enterprise deployments") require additional functionality to be effective solutions. An organization that wishes to deploy honeypots should have an overall computer security policy that states what the threats are, what the main goals of an attacker might be, where the high-value systems are, and how potential targets will be protected. In essence, the security policy should dictate what the strategy of honeypot deployment will be. The following sections describe a few different deployment strategies. These strategies, or combinations of them, can be used together with firewalls and IDS to form a cohesive security infrastructure to protect an organization.
Minefield Deployment
In a minefield deployment, honeypots are installed among live servers, possibly mirroring some of the real server data. The honeypots are placed among external servers in the DMZ to capture attacks against the public servers, and/or in the internal network to capture internal attacks (which originated either from an internal source or from an external one, through penetration of the firewall and the use of internal machines as launching pads to attack other systems). Attacks are rarely restricted to a single machine. Many manual and automated network attacks follow the same pattern: once a successful attack has taken place on one machine in the network, that machine is used to scan the network for other potential targets, which are subsequently attacked.
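A worked example for the minefield deployment described above, added here and not part of the original article: the exact probability that a scan of a given number of distinct addresses in a block seeded with honeypots touches at least one of them. The article's ratio of one honeypot per four servers gives the 20% single-point figure; the block-scan case shows why detection becomes near-certain. The 100-address block is a constructed size.

```python
from fractions import Fraction
from math import comb


def honeypot_hit_probability(hosts, honeypots, probed):
    """Exact probability that a scan touching `probed` distinct addresses, chosen
    uniformly from `hosts` addresses of which `honeypots` are honeypots, reaches
    at least one honeypot.

    Hypergeometric: P(miss every honeypot) = C(hosts - honeypots, probed) / C(hosts, probed).
    """
    if not 0 <= honeypots <= hosts or not 0 <= probed <= hosts:
        raise ValueError("need 0 <= honeypots <= hosts and 0 <= probed <= hosts")
    if probed > hosts - honeypots:
        return 1.0  # more probes than non-honeypot hosts: a honeypot is always hit
    miss = Fraction(comb(hosts - honeypots, probed), comb(hosts, probed))
    return float(1 - miss)


def probes_until_detected(hosts, honeypots, confidence):
    """Smallest number of distinct probed addresses at which the scan is caught
    with probability >= confidence; None if the confidence is never reached
    (only possible with no honeypots). Shows how quickly a block scan defeats
    even a sparse minefield."""
    for probed in range(1, hosts + 1):
        if honeypot_hit_probability(hosts, honeypots, probed) >= confidence:
            return probed
    return None


if __name__ == "__main__":
    # The article's ratio: one honeypot for every four servers, single-point attack.
    print(honeypot_hit_probability(5, 1, 1))            # 0.2
    # Same ratio on a constructed 100-address block (20 honeypots): a scan of
    # only ten addresses is already detected with better than 90% probability.
    print(probes_until_detected(100, 20, 0.9))          # 10
```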
For manual attacks, this takes some time, whereas worms will normally execute the scan just seconds after the first infection. Stealth scanning can be performed in a manner that specifically avoids setting off an IDS (e.g., through "slow scans"), but honeypots in a minefield will be alerted. For example, if a network has one honeypot for every four servers, then the chance of hitting a honeypot with a random, single-point attack is, theoretically, 20%. In reality, however, the chances are significantly better than that because, in most cases, an entire block of network addresses will be scanned. When this happens, it is practically assured that the honeypot will detect the intrusion shortly after any machine on the network has been compromised. Even though the intrusion detection aspect alone is important, another benefit of using honeypots is seeing what the attack tools are and what the purpose of the attack is. With good security practices on the production machines (e.g., good password policies, no plain-text passwords over the network, machines running the latest vendor patches, etc.), slightly decreasing the security on the honeypots themselves may increase the chance that they will be some of the first machines attacked. A well-designed honeypot will then have information about the services attacked, how each service was attacked, and--if the attack was successful--what the intruder did once inside. Having the honeypots configured exactly the same way as the regular servers, however, has other advantages. It increases their deception value slightly, and it also means that when a honeypot has detected a successful attack, that attack is likely to succeed on the production hosts as well.
Shield Deployment
In a shield deployment, each honeypot is paired with a server it is protecting (see Figure 2). While regular traffic to and from the server is not affected, any suspicious traffic destined for the server is instead handled by the honeypot shield. This strategy requires that a firewall or router filter the network traffic based on destination port numbers and redirect the traffic according to the shielding policy. For instance, consider a Web server deployed behind a firewall. Web server traffic will be directed to the Web server's IP address on TCP port 80. Any other traffic to the Web server is considered suspicious and can be directed towards a honeypot. The honeypot should be deployed in a DMZ, and to maximize the deception value, it may replicate some or all of the non-confidential content of the server it is shielding. In the example of the Web server, this is merely a matter of mirroring some or all of the Web content to the honeypot. In conjunction with the firewall or router, honeypots deployed in this fashion provide actual intrusion prevention, in addition to intrusion detection. Not only can potential attacks be detected, but they can also be prevented by having the honeypot respond in place of the actual target of the attack. Take note that a honeypot shield cannot protect a mail server from SMTP exploits, nor a Web server from HTTP exploits, since normal traffic must be able to reach its target. However, because live servers generally need very few open ports, it is reasonably easy to find the point of an attack--both for prevention and forensic purposes--and all other ports lead straight to the honeypot, where the attack can be analyzed in detail. A shield deployment is an example of how honeypots can protect a high-value system where attacks can be expected.
Honeynet Deployment
In a honeynet deployment, a network of honeypots imitates an actual or fictitious network.
From an attacker's point of view, the honeynet appears to have both servers and desktop machines running many different types of applications on several different platforms. Another term for this deployment is a "zoo," as it displays a variety of honeypot species. A honeynet is an extension of the honeypot concept in that it takes multiple deception hosts (single honeypots) and turns them into an entire deception network. A typical honeynet may consist of a mix of facades (because they are lightweight and reasonably easy to deploy), some instrumented systems for deep deception, and possibly some sacrificial lambs. In order to provide a reasonably realistic network environment, some sort of content generation is necessary. On a host basis, this involves simulating activity on each deep honeypot, as well as generating network traffic to and from the clients and servers, so that the network itself looks realistic from the outside. As an example, a DMZ that contains a Web server and a mail server could deploy two honeypots that act as shields to the servers. Any traffic to the Web server that is not HTTP traffic will be directed to the Web server's shield. Any traffic to the mail server that is not SMTP will be directed to the mail server's shield. By adding a few more honeypots, another dimension can be added to this deception: all traffic to unknown IP addresses can be directed to honeypots, instead of simply traffic to known hosts. The strength of the honeynet shield is that it shields an entire network instead of a single host. Similarly, honeynet minefields represent the scenario where each mine is an entire network, as opposed to just a single honeypot. Honeynets can be useful in a large enterprise environment and offer a good early warning system for attacks.
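The honeynet-shield routing described above, as an added example that is not the article's or Recourse's code: a model of the firewall's shielding policy (only the advertised service port reaches the server; every other port, and every unknown address, goes to a honeypot) run over constructed connection records and aggregated per source over the whole observation window, so that a slow scan spread across weeks still stands out even though no single day looks abnormal. Addresses come from the RFC 5737 documentation ranges and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed addresses (RFC 5737 documentation ranges); not from the article.
WEB_SERVER, WEB_SHIELD = "203.0.113.10", "203.0.113.110"
MAIL_SERVER, MAIL_SHIELD = "203.0.113.20", "203.0.113.120"
CATCH_ALL = "203.0.113.200"   # honeypot that receives traffic to unknown addresses

# Shielding policy: server -> (ports that may reach it, honeypot that takes the rest).
POLICY = {
    WEB_SERVER: ({80}, WEB_SHIELD),
    MAIL_SERVER: ({25}, MAIL_SHIELD),
}


def route(policy, dst_ip, dst_port, catch_all=CATCH_ALL):
    """Decide where the firewall delivers a connection and whether it is suspect.

    Only the advertised service port reaches the real server; an exploit carried
    inside that port's own protocol (HTTP to :80, SMTP to :25) still gets through,
    which is the limitation the article points out. Every other port, and every
    address the policy does not know, lands on a honeypot and is suspect by definition.
    """
    if dst_ip in policy:
        allowed, shield = policy[dst_ip]
        if dst_port in allowed:
            return dst_ip, False
        return shield, True
    return catch_all, True


def suspect_summary(policy, connections):
    """Aggregate honeypot contacts per source over the whole observation window.

    No legitimate traffic ever reaches a honeypot, so every contact counts; a source
    touching several honeypot ports over weeks is a scan even if each probe alone
    looks like noise. Returns {src: {"targets": distinct (honeypot, port) pairs,
    "span_days": days between first and last honeypot contact}}.
    """
    seen = defaultdict(set)
    times = defaultdict(list)
    for ts, src, dst_ip, dst_port in connections:
        delivered_to, suspect = route(policy, dst_ip, dst_port)
        if suspect:
            seen[src].add((delivered_to, dst_port))
            times[src].append(datetime.fromisoformat(ts))
    return {
        src: {"targets": len(targets),
              "span_days": (max(times[src]) - min(times[src])).days}
        for src, targets in seen.items()
    }


# Constructed connection records: (timestamp, source, destination, destination port).
SAMPLE_CONNECTIONS = [
    ("2002-03-01T09:00:00", "198.51.100.5", WEB_SERVER, 80),     # normal web client
    ("2002-03-01T09:01:00", "198.51.100.6", MAIL_SERVER, 25),    # normal mail peer
    ("2002-03-02T03:10:00", "192.0.2.44", WEB_SERVER, 22),       # slow scan begins
    ("2002-03-19T04:20:00", "192.0.2.44", WEB_SERVER, 445),
    ("2002-04-07T02:05:00", "192.0.2.44", MAIL_SERVER, 80),
    ("2002-04-30T05:45:00", "192.0.2.44", "203.0.113.77", 80),   # unknown address
    ("2002-04-30T05:45:10", "192.0.2.44", WEB_SERVER, 80),       # legitimate port, not flagged
]

if __name__ == "__main__":
    for src, info in suspect_summary(POLICY, SAMPLE_CONNECTIONS).items():
        print(f"{src}: {info['targets']} honeypot targets over {info['span_days']} days")
```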
A honeynet may also provide an excellent way to figure out an intruder's intention, by looking at what kinds of machines and services are attacked, and what is done to them.
The Honeynet Project
The Honeynet Project (http://project.honeynet.org) is an excellent example of a honeynet used as a research tool to gather information about attacks on computer infrastructure. Deception devices represent an important, emerging security technology. Deception provides the defender with both the time and information needed to effectively respond to a wide variety of threats. Commercially available solutions have evolved the honeypot concept of intrusion detection to a third generation and provide a very effective security application, unlike the first-generation technology concepts. Combining early detection, advanced reporting and analysis, and an easy-to-deploy security solution provides a cost-effective defense mechanism powerful enough to prevent internal and external intrusions--and one that should be a component of any successful security solution.
www.recourse.com
[FIGURE 2 OMITTED]
Brian Hernacki is chief scientist at Recourse Technologies (Redwood City, Calif.).