Cyber Security Institute

Wednesday, August 23, 2006

Enterprises Still Not Sweet on Honeypots

While they’ve long been a darling of researchers and law enforcement, honeypots are still trying to prove their case for wider enterprise deployment, and it remains a bit of a hard sell. These “lures” that pose as legitimate network nodes yield a wealth of data about attackers and their attacks. But they don’t do anything to actually stop an attack, and they can attract unwanted attention to your network. Still, some security experts say elements of honeypot technology can be used as an extra layer in the enterprise security arsenal, especially for protecting against insider threats or other malicious internal activity. “Right now, we’re on the edge of someone picking up this technology and running forward with it for better security for enterprise installations,” says Ralph Logan, principal with The Logan Group and vice president of the Honeynet Project.

“It’s a great alarm system—there are no false positives with honeypots.”

Honeypots have long been used in research networks, federal government agencies (especially the Department of Defense), and law enforcement for tracking potential attacks, attackers, or perpetrators. One such application would be detecting an internal user’s suspicious activity on the network, or an outsider poking around the network from the inside, says Logan. “Most times attackers will use an [enterprise’s] server or end-user PC to further explore the enterprise, so you could have an employee unwittingly being used.”

But once you put up that sexy honeypot and attackers start buzzing around, you’ve exposed yourself, critics say. Thomas Ptacek, a researcher with Matasano Security, says honeypots not only invite trouble, but they also generate operational overhead that most organizations don’t have the manpower to handle. Arbor Networks has a “dark IP” monitoring feature that uses unused IP addresses within an organization for the honeypot machines; since no legitimate traffic should ever go to those addresses, it’s obvious when an attacker is knocking. H&R Block used to run honeypots on its DMZs, says Mark Butler, manager of security and compliance services for the company. The devices detect an attacker’s reconnaissance behavior and respond with “fake” information using ForeScout’s proprietary honeynet technology. “It gives me trends, such as what type of behavior is going on,” and whether connections are coming from Russia, for example, and at what frequency, says Butler, who acknowledges it doesn’t catch everything.
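As an added illustration of the “dark IP” idea described above (example code written for this post, not Arbor’s or ForeScout’s own software), the script below flags internal sources that connect to addresses nobody has been allocated. The allocated-host list and the flow records are constructed sample data; the threshold on distinct dark targets is an assumption that keeps a single mistyped address from paging anyone.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the hosts actually in use on the internal subnet.
# Every other address in INTERNAL_NET is "dark" and should never be a destination.
INTERNAL_NET = ipaddress.ip_network("10.0.5.0/24")
ALLOCATED = {"10.0.5.10", "10.0.5.11", "10.0.5.20"}

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.5.10", "10.0.5.11", 445),  # legitimate file-share traffic
    ("10.0.5.10", "10.0.5.12", 445),  # dark address
    ("10.0.5.10", "10.0.5.13", 445),  # dark address
    ("10.0.5.10", "10.0.5.14", 445),  # dark address
    ("10.0.5.10", "10.0.5.15", 445),  # dark address: sequential sweep
    ("10.0.5.20", "10.0.5.10", 22),   # legitimate admin session
    ("10.0.5.20", "10.0.5.77", 22),   # one dark hit, e.g. a typo in an ssh command
    ("10.0.5.11", "8.8.8.8", 53),     # outbound, not on the monitored subnet
]


def is_dark(dst):
    """True if dst lies in the monitored subnet but is not an allocated host."""
    return ipaddress.ip_address(dst) in INTERNAL_NET and dst not in ALLOCATED


def dark_ip_alerts(flows, threshold=2):
    """Group dark-IP hits by source and alert on sources that touched at
    least `threshold` distinct dark addresses (a reconnaissance pattern).
    Returns {src: {"hits": n, "targets": [...], "ports": [...]}}."""
    events = defaultdict(list)
    for src, dst, port in flows:
        if is_dark(dst):
            events[src].append((dst, port))
    alerts = {}
    for src, hits in events.items():
        targets = sorted({d for d, _ in hits}, key=ipaddress.ip_address)
        if len(targets) >= threshold:
            alerts[src] = {
                "hits": len(hits),
                "targets": targets,
                "ports": sorted({p for _, p in hits}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in dark_ip_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {info['hits']} hits on dark addresses {info['targets']} ports {info['ports']}")
```

The same logic applies to firewall or NetFlow exports: replace SAMPLE_FLOWS with parsed records and ALLOCATED with the DHCP or asset inventory, and any source that sweeps unallocated space surfaces with the per-source frequency Butler mentions.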

“Once you turn on a honeypot in your network, you’ve created something to keep you up at night,” says Jeff Nathan, software and security engineer for Arbor Networks.

Posted on 08/23