Low-interaction honeypots find the what, when, and how of an attack: “They are there to capture automated attacks and malware,” and don’t really interact with the attacker, he says.
High-interaction honeynets let the attacker exploit and interact with the machines more actively, thus capturing more details about the attack and attacker.
Not only do they incur overhead for IT — you need staff to manage them and their flow of information — but they are also limited to known vulnerabilities, for instance. “Honeynets are great collecting tools, but unfortunately the majority of the time they don’t provide information on a vulnerability that was not already public. Arbor, like other organizations that dabble in this type of attack analysis, uses a combination of darknets and honeynets to track malicious traffic for its ISP customers in its Atlas service.
“No one knows it’s a honeypot — it looks like an enterprise server.” That’s especially useful when attackers are targeting a specific organization’s IP addresses, he says. If they try to log onto a honeypot, they are doing something outside your corporate policy.” And the insider threat may be the sweet spot for honeynets in the enterprise, where the practice has not had much widespread use due to the overhead associated with the all the data they gather, as well as worries about asking for trouble by putting one up.
He says the Big Brother argument doesn’t fly here: “Corporations are well within their rights to deploy honeynets to secure their own networks and identify anyone doing things outside the corporate policy.”
http://www.darkreading.com/document.asp?doc_id=119081&WT.svl=news1_1