Detection systems identify and alert on unauthorised activity, and are a critical element of security.
Detection is critical for two reasons. First, if you can detect an event before it happens, you can prevent damage from occurring. For example, if you detect an employee looking at company files they shouldn't be, it may be possible to stop them before they can do any damage. Second, if a compromise does occur, the sooner you detect and respond to the compromise, the better you can minimise the damage. For example, if an attacker breaks into a company's mail-server, the damage that is done depends on how soon the attack is detected.
If it takes weeks or even months for a compromise to be detected, an attacker will have had unlimited access to the target company's communications for an extended period of time, which could be devastating.
If the attack was immediately detected, the attacker could be removed from the system, and the mail-server rebuilt in a more secure manner. Early and successful detection can prevent or mitigate the compromise of data and resources.
The next challenge becomes: how do you successfully detect a compromise? The most common method has been Network Intrusion Detection Systems, otherwise known as NIDS. This technology works by monitoring network traffic. When it identifies anything it considers an attack, it generates an alert, notifying the administrator. The trick is defining and identifying what an attack is. Different NIDS use different technologies, such as signature-based, rule-based, or anomaly detection. Each technology has its own advantages and disadvantages, but they all share some common problems.
- Data Overload: These solutions tend to generate an extremely large volume of alerts. This volume makes it time consuming, resource intensive, and costly to analyse and review all the alerts the NIDS generate. For example, I know of organisations with over 100,000 alerts a day.
- False Positives: Many of these alerts are false alerts. The NIDS thought it saw an attack, but was wrong. You can quickly have a situation where the 'little boy cried wolf'. If your technologies are repeatedly generating false positives, administrators begin to ignore the technology.
- False Negatives: It can be difficult for some NIDS technologies to discover or identify unknown attacks or behaviour. This leaves organisations vulnerable to new attacks.
- Resources: NIDS require resource-intensive hardware to keep up with an organisation's activity and traffic. The faster your network and the more data you have, the bigger your NIDS will have to be to keep up.
- Encryption: More and more organisations are moving to encryption, so that all of their data is encrypted. This is due to security issues, regulation, and the wider availability of encryption technologies (SSH, SSL, IPSec). However, these same technologies blind the NIDS, so it can no longer monitor the network traffic.
There is a new technology that can address many of these issues in detection: honeypots. Honeypots are a relatively new security technology and are unique for two reasons. First, they work by having the bad guy actually interact with them. Second, honeypots are not a solution; they do not fix a specific problem. Instead, they are a highly flexible tool with multiple applications for security, from preventing attacks, to detecting unauthorised activity, to gathering intelligence on black-hat (bad-guy) hackers. One of the best applications of honeypots is detection because they address many of the problems associated with traditional detection.
The concept of honeypots is simple. They are a resource that has no authorised activity and no production value. This means that any interaction with a honeypot is most likely malicious or unauthorised. Any connection sent to the honeypot is most likely a probe, scan or attack. Honeypots can work in many different ways and come in many shapes and sizes. They can be a simple program that emulates different services and detects any connection to them, such as Specter. A more advanced honeypot, such as Honeyd, can monitor all of your unused IP space, with attackers interacting with virtual honeypots.
Honeypots can also be as advanced as entire networks of real systems waiting to be compromised, such as Honeynets (groups of networked honeypots) or ManTrap. Which honeypot is best for you depends on what you want to achieve. For detection, simple honeypots that emulate systems and services, such as Specter and Honeyd, are the best choice.
These simple honeypots can have tremendous advantages for detection. While honeypots should never replace NIDS, their advantages make them a powerful tool to address the problems of NIDS. Advantages of honeypots include:
- Small Data Sets: Honeypots only collect data when someone or something is interacting with them. Organisations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyse.
- Reduced False Positives: Honeypots dramatically reduce false positives. Any activity with honeypots is by definition unauthorised, making them extremely effective at detecting attacks.
- Catching False Negatives: Honeypots can easily identify and capture new attacks against them. Any activity with the honeypot is an anomaly, making new or unseen attacks easily stand out.
- Minimal Resources: Honeypots require minimal resources, even on the largest of networks. A simple Pentium computer can monitor literally millions of IP addresses.
- Encryption: It does not matter whether an attack is encrypted; the honeypot will still capture the activity.
It is because of these advantages that honeypots are a simple and cost-effective technology for detection. While they do not replace any existing solutions, they can definitely help organisations with detection.
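To make the concept concrete, the following is an added example (not code from the article, nor from Honeyd or Specter) of the detection logic a honeypot monitoring unused IP space applies: every flow whose destination falls in the honeypot range is an alert, regardless of whether the session is encrypted, and a source that touches several honeypot addresses is sweeping the range. The address ranges, flow-record format and sample flows are all constructed for the example.

```python
"""Honeypot-style detection over flow records (constructed example)."""
import ipaddress
from collections import defaultdict

# Constructed: the unused half of a site's address block is reserved for
# virtual honeypots, the way Honeyd monitors unused IP space. Nothing
# legitimate ever talks to these addresses, so any flow to them is suspect.
HONEYPOT_SPACE = ipaddress.ip_network("192.0.2.128/25")  # RFC 5737 test range

# Constructed flow records: "time src dst dport proto". Production hosts live
# in 192.0.2.0/25; the sweep from 203.0.113.9 and the single encrypted
# connection from 203.0.113.44 land in honeypot space.
FLOWS = """
10:00:01 198.51.100.7 192.0.2.10 443 tcp
10:00:02 198.51.100.7 192.0.2.10 443 tcp
10:00:05 203.0.113.9 192.0.2.130 22 tcp
10:00:05 203.0.113.9 192.0.2.131 22 tcp
10:00:06 203.0.113.9 192.0.2.132 22 tcp
10:00:09 198.51.100.8 192.0.2.25 25 tcp
10:00:12 203.0.113.44 192.0.2.140 443 tcp
10:00:13 198.51.100.9 192.0.2.12 80 tcp
"""


def parse_flow(line):
    """Split one flow record into its fields; the destination becomes an address object."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}


def honeypot_alerts(flow_text, honeypot_space=HONEYPOT_SPACE):
    """Return an alert for every flow whose destination is a honeypot address.

    Only addresses are examined, never payloads, so encrypted sessions on
    ports such as 22 or 443 are detected exactly like cleartext ones.
    """
    return [f for f in map(parse_flow, flow_text.strip().splitlines())
            if f["dst"] in honeypot_space]


def summarise(alerts):
    """Classify each alerting source: several honeypot addresses means a scan, one means a probe."""
    per_src = defaultdict(set)
    for a in alerts:
        per_src[a["src"]].add(str(a["dst"]))
    return {src: ("scan" if len(dsts) > 1 else "probe") for src, dsts in per_src.items()}
```

Against the eight constructed flows the honeypot produces four alerts from two sources, which is the small, high-confidence data set the advantages above describe.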
Lance Spitzner is the founder of the Honeynet Project, a research organisation dedicated to the study of the tools, tactics and motivations of black-hat hackers. He is the moderator of the honeypot mailing list, author of Honeypots: Tracking Hackers, co-author of Know Your Enemy and author of several whitepapers. He has spoken at the SANS Institute, Blackhat, the Pentagon, the United States National Security Agency (NSA), the CIA, the FBI Academy, the US military's Joint Task Force-Computer Network Operations, the US President's Advisory Board, the Army War College, the US Department of Justice, and the West Point and Navy War College. He is a Senior Security Architect for Sun Microsystems.
From your article ( http://www.zdnet.com.au/newstech/security/story/0,2000024985,20273490,00.htm ) about honeypots, I thought you would like to know that the honeyd project ( http://www.citi.umich.edu/u/provos/honeyd/ ) is not currently distributing its web pages anymore due to its concerns about recent changes to US law.
Due to the increasingly hostile nature of the US Govt. and its ability to twist any subject into a threat against US security, I can't blame them for being intimidated. In fact, if you view honeypots as a 'sting' operation, which govt and police agencies are so fond of, then I think they would be very happy to promote such activity. I suppose, however, that it might end up catching too much (un)authorized govt snooping, which I suppose would just be dreadful (note immense sarcasm).