Honeypots, what is their limits for intrusion detection?


Honeypots, what is their limits for intrusion detection?

by Tomas Olsson-3


Hi,
I have a newbie question related to intrusion detection. It was
suggested to me that Honeypots only catches automated attacks, is that
true? How can we know which attacks are not caught? Is there any papers
on what sort of attacks are caught by using honeypots?

Regards
Tomas


-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194



Re: Honeypots, what is their limits for intrusion detection?

by Albert Gonzalez-4


Tomas,

From a misuse detection pov it will obviously alert you on potential
attacks to a honeypot. But any and all traffic destined to a honeynet
(pot) should be deemed suspicious or malicious as there is no
legitimate reason for communication between these hosts and others.
This could also serve as an early warning system since all traffic is
suspicious at the very least.

A honeypot(net) is also not a production system, so its downtime
for analysis is not a problem, and this is where the true value comes in.
An IDS can't tell you if it was successful or not, just that it saw something;
with full-blown access such a determination can be made based on method,
tools and what they did once they got in, etc...

A great use-case. There was a worm released with no A/V or IDS coverage
that was discovered through the traffic generated towards the honeynet.

Hope that helps,

----
Sent from my iPhone

On Jul 1, 2009, at 4:18 AM, Tomas Olsson <tol@...> wrote:

> Hi,
> I have a newbie question related to intrusion detection. It was  
> suggested to me that Honeypots only catches automated attacks, is  
> that true? How can we know which attacks are not caught? Is there  
> any papers on what sort of attacks are caught by using honeypots?
>
> Regards
> Tomas




Re: Honeypots, what is their limits for intrusion detection?

by r00t-5


Hi Tomas,

That is not true.  There are many types of honeypots and honeynets.
What that person may have been talking about are low interaction
honeypots as opposed to high interaction honeypots.  High interaction
honeypots allow an attacker into the machine (since they are
purposely insecure) and there are many tools like sebek and
snort-inline to help you figure out exactly what went on in your
honeypot.  For example sebek, which is a kernel mode rootkit, can
capture all the commands the attacker entered even if he communicates
over SSH.  You will be able to capture all of his tools, exploits and
whatever else he brought over.  You should look into the honeynet
project and the honeywall CD called Walleye if you are interested in
learning more (http://old.honeynet.org/papers/virtual/).  Papers are
located here: http://www.honeynet.org/papers and the honeynet mailing
list is available here:
http://www.securityfocus.com/archive/119/description

There is also a wealth of information here
http://www.honeypots.net/honeypots/links

If you have any questions please feel free to ask, but you'll more
likely be able to find more information on the honeynet mailing list or
by asking me :)

I'll also be writing about the honeynet project soon at my blog:
http://nodereality.com

I hope that helps




On Tue, Jun 30, 2009 at 10:18 PM, Tomas Olsson<tol@...> wrote:

> Hi,
> I have a newbie question related to intrusion detection. It was suggested to
> me that Honeypots only catches automated attacks, is that true? How can we
> know which attacks are not caught? Is there any papers on what sort of
> attacks are caught by using honeypots?
>
> Regards
> Tomas




Re: Honeypots, what is their limits for intrusion detection?

by krymson-2


I'll first say that honeypots are not a substitute for a decent IDS/IPS posture, or network analysis/server protection. I consider honeypot use an advanced technology that has only minimal value to most shops.

To answer your question, a honeypot will be able to detect two things:
- automated attacks that include your honeypot/net
- manual attacks that include your honeypot/net

Note that if a manual attack starts attacking your web servers and if they don't find the honeypot, then the honeypot is worthless to you and won't help you detect the ongoing intrusions. You won't know anything or be able to make any conclusions based on a quiet honeypot or which attacks it missed since you can never have the whole picture.

It might sound like I'm ragging on honeypot concepts, but I'm just trying to bound the value of it. There *is* value in it, but it is limited.

1. If you have a specific interest in examining the tools attackers use or capture and analyze malware, honeypots are possibly invaluable to you. However, most organizations simply neither care nor have the spare manhours to devote to such endeavors. No harm there; most admins don't get anything from analyzing that stuff on company time. If you donate such captured stuff to companies who do specialize in that, then maybe you can see some value in giving back to the community to make everything more secure...

2. Honeypot concepts tend to "borrow" the value of monitoring your dead network space for traffic as one reason to use honeypots. I don't buy that specifically, but there is value in monitoring your dead space on the network. If you have unused IP addresses and someone does a recon sweep of your IP block, you'll see that traffic trying to find your dead space. There should be only a few (if any) legitimate reasons for your dead space to be scanned or poked at. This is the biggest value, but is not necessarily something that honeypot technology alone will provide. You can do this in other ways.

It's kinda like making a miniature house inside a window on your house that you leave unlocked so when an attacker climbs in, they're just in this fake house and not your own...that way you can watch what they do and where they look for your valuables. (Any MacGyver fans?) Most people only care that someone is getting into their window, and so put an alarm on it. All the rest is not of value to most people.


All of that said, if you have an interest in it, I certainly wouldn't discourage getting into it. You, as a person, can learn a lot just by setting it up and catching some things, most probably automated unless you have something of value hanging out there for manual attackers. Just, most corporations have little need for it.


<- snip ->
Hi,
I have a newbie question related to intrusion detection. It was
suggested to me that Honeypots only catches automated attacks, is that
true? How can we know which attacks are not caught? Is there any papers
on what sort of attacks are caught by using honeypots?

Regards
Tomas

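The detection logic the replies in this thread converge on (any flow to a honeypot or to unused address space is suspect, a recon sweep shows up as one source touching many dark addresses, and a honeypot says nothing about an attacker who only ever touches production hosts) as an added Python example. This is not code from the thread or from the Honeynet Project; the flow-record format, the addresses, the sample log lines and the sweep threshold are all constructed for illustration.

```python
"""Flag traffic to honeypot and dark (unused) address space from flow records.

Added example, not from the thread. The record format is a constructed
"<timestamp> <src> <dst> <dport> <proto>" line, not any real exporter's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def classify_dst(dst: str, dark_nets: Iterable[IPNet], honeypots: Set[IPAddr]) -> Optional[str]:
    """Return 'honeypot' or 'dark' for a destination that should see no traffic, else None."""
    addr = ipaddress.ip_address(dst)
    if addr in honeypots:
        return "honeypot"
    if any(addr in net for net in dark_nets):
        return "dark"
    return None  # a production host: this monitor has nothing to say about it


def analyze(lines: Iterable[str], dark_nets: Iterable[IPNet], honeypots: Set[IPAddr],
            sweep_threshold: int = 3) -> Dict[str, object]:
    """Alert on every flow into dark/honeypot space; call a source a sweep once it has
    touched at least sweep_threshold distinct dark or honeypot destinations."""
    alerts: List[Tuple[str, str, int, str]] = []
    touched: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        kind = classify_dst(flow.dst, dark_nets, honeypots)
        if kind is None:
            continue  # traffic to real servers is invisible to this sensor (krymson's caveat)
        alerts.append((flow.src, flow.dst, flow.dport, kind))
        touched[flow.src].add(flow.dst)
    sweeps = {src: sorted(dsts) for src, dsts in touched.items() if len(dsts) >= sweep_threshold}
    return {"alerts": alerts, "sweeps": sweeps}


# Constructed sample: 10.0.5.0/24 is unused space, 10.0.1.50 is a honeypot,
# 10.0.1.10 is a real web server. 203.0.113.7 sweeps the dark block and then
# hits the honeypot; 198.51.100.22 only ever talks to the real server.
DARK_NETS = [ipaddress.ip_network("10.0.5.0/24")]
HONEYPOTS = {ipaddress.ip_address("10.0.1.50")}
SAMPLE_FLOWS = [
    "2009-07-01T04:18:01 203.0.113.7 10.0.5.3 445 tcp",
    "2009-07-01T04:18:01 203.0.113.7 10.0.5.4 445 tcp",
    "2009-07-01T04:18:02 203.0.113.7 10.0.5.9 445 tcp",
    "2009-07-01T04:18:03 203.0.113.7 10.0.1.50 22 tcp",
    "2009-07-01T04:19:10 198.51.100.22 10.0.1.10 443 tcp",
    "2009-07-01T04:20:00 10.0.1.20 10.0.1.50 22 tcp",
    "2009-07-01T04:21:00 10.0.1.20 10.0.1.10 80 tcp",
]


def run_sample() -> Dict[str, object]:
    return analyze(SAMPLE_FLOWS, DARK_NETS, HONEYPOTS)


if __name__ == "__main__":
    result = run_sample()
    for src, dst, dport, kind in result["alerts"]:
        print(f"ALERT {kind:9s} {src} -> {dst}:{dport}")
    for src, dsts in result["sweeps"].items():
        print(f"SWEEP {src} touched {len(dsts)} dark/honeypot addresses")
```

Every flow from 203.0.113.7 and the internal host 10.0.1.20 raises an alert because nothing should talk to those addresses at all, and 203.0.113.7 is additionally reported as a sweep. 198.51.100.22 produces nothing, which is exactly the limit described above: a quiet honeypot is not evidence that the web server is untouched.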