Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, March 08, 2007

A New Spin on Honeynets

Darknets, honeynets: When do you use one or the other?  A darknet, allocated but unused IP address space that ISPs and large enterprises have in reserve, is increasingly becoming a useful tool for catching attacks early.  “With a darknet, you listen for attack and connection attempts,” says Adam O’Donnell, senior research scientist with Cloudmark Inc. “There are lower maintenance requirements [than with a honeyet] because you don’t have to maintain a real piece of server hardware or virtual hardware.”  “Darknets are there to collect large network captures.  They can deduce DDOS, DOS, and botnet threats a lot faster and more completely because a honeynet in theory is just one POP [point of presence],” says Ralph Logan, partner with the Logan Group and vice president of The Honeynet Project.

Low-interaction honeypots find the what, when, and how of an attack: “They are there to capture automated attacks and malware,” and don’t really interact with the attacker, he says.

High-interaction honeynets let the attacker exploit and interact with the machines more actively, thus capturing more details about the attack and attacker.

Not only do they incur overhead for IT—you need staff to manage them and their flow of information—but they are also limited to known vulnerabilities, for instance.  “Honeynets are great collecting tools, but unfortunately the majority of the time they don’t provide information on a vulnerability that was not already public.  Arbor, like other organizations that dabble in this type of attack analysis, uses a combination of darknets and honeynets to track malicious traffic for its ISP customers in its Atlas service.

“No one knows it’s a honeypot—it looks like an enterprise server.”  That’s especially useful when attackers are targeting a specific organization’s IP addresses, he says.  If they try to log onto a honeypot, they are doing something outside your corporate policy.”  And the insider threat may be the sweet spot for honeynets in the enterprise, where the practice has not had much widespread use due to the overhead associated with the all the data they gather, as well as worries about asking for trouble by putting one up.

He says the Big Brother argument doesn’t fly here: “Corporations are well within their rights to deploy honeynets to secure their own networks and identify anyone doing things outside the corporate policy.”

Posted on 03/08