Question

Give an example of how a network administrator could use a honeypot to detect malicious insider behavior.

(Computer Security II)

Answer #1

A honeypot makes identifying malicious traffic dead simple. That's because any traffic to a honeypot, after some initial quick tuning to rule out false positives, is suspicious. A honeypot is a fake computer asset that exists only to alert its owner if it is touched. Nobody should be touching it or attempting to log on. Because all activity is illegitimate, no analysis is needed to tell good traffic from bad.

A honeypot is a system that's put on a network so it can be probed and attacked. Because the honeypot has no production value, there is no "legitimate" use for it. This means that any interaction with the honeypot, such as a probe or a scan, is by definition suspicious.

Let's take a closer look at honeypots' unique detection capabilities to understand how they will complement IDSes:

  • IDSes and honeypots differ fundamentally in the way they attempt to detect malicious traffic. IDSes have the advantage of monitoring all traffic, flagging threats through a combination of known attack signatures and statistical anomalies. The flip side of this is the sheer volume of information IDSes produce: gigabytes of data. Some large organizations may have to deal with more than 100,000 alerts a day, many of them false alarms.

  • Hackers can slip through network defenses by using encryption or IPv6 tunneling. IDSes are useless against this kind of traffic. But it's a different story if hackers connect to a honeypot using, say, SSH, IPv6 or the encoded (and not yet commonly used) Network Voice Protocol. First, you know they're up to no good, because nice people don't connect to honeypots. Once inside, you can capture every action, including toolkits, keystrokes and communications. As more and more legitimate traffic is encrypted and uses IPv6 tunneling, organizations will begin to turn to honeypots to complement their IDSes.

  • Honeypots are less comprehensive, but more discerning. Honeypots only report the connections they receive, and most of these will be real attacks. This means your organization has far less, but more precise, information to analyze, allowing you to more quickly identify and respond to attacks.

  • Honeypots detect and capture new attacks or methods. That means regardless of the tactics used, honeypots will most likely detect and capture the activity. Examples of these attacks discovered by honeypots include the Solaris dtspcd and Samba exploits.

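The insider scenario the question asks about, as an added example (this is not code from the answer above, and the addresses, user names and log format are assumptions made up for it): the administrator stands up an internal decoy host advertised as "fileserver-backup" that holds no real data and that no employee's job requires touching. Because the decoy has no legitimate users, detection needs no signatures and no anomaly model; the firewall log is filtered for any connection to the decoy, the vulnerability scanner and monitoring box are allowlisted as the "initial quick tuning", and whatever remains is an insider (or a compromised insider account) browsing where they should not be. The sample log lines below are constructed.

```python
import re
import socket
from collections import defaultdict

# Decoy assets (assumed addresses, not from the original page): an internal host
# advertised as "fileserver-backup" that holds no real data. Nobody's job
# requires touching it, so every connection to it is worth a look.
DECOY_HOSTS = {"10.20.30.250"}

# The "initial quick tuning" the answer mentions: the vulnerability scanner and
# the monitoring box legitimately poll everything, so they are excluded.
# (Assumed addresses.)
ALLOWLIST = {"10.20.30.5", "10.20.30.6"}

# Constructed sample firewall/auth log lines in a simple key=value format.
# This format is an assumption for the example, not a real product's output.
SAMPLE_LOGS = """\
2024-05-01T02:00:13Z src=10.20.30.5 dst=10.20.30.250 dport=445 action=allow
2024-05-01T09:14:02Z src=10.20.31.17 dst=10.20.30.250 dport=445 user=jdoe action=allow
2024-05-01T09:14:05Z src=10.20.31.17 dst=10.20.30.250 dport=445 user=jdoe action=allow
2024-05-01T09:15:40Z src=10.20.31.17 dst=10.20.30.250 dport=22 user=jdoe action=allow
2024-05-01T10:02:11Z src=10.20.31.40 dst=10.20.30.12 dport=445 user=asmith action=allow
2024-05-01T11:30:00Z src=10.20.30.6 dst=10.20.30.250 dport=22 action=allow
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("kv").split():
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    return rec


def decoy_alerts(log_text, decoy_hosts=DECOY_HOSTS, allowlist=ALLOWLIST):
    """Return one alert per non-allowlisted source that touched a decoy host.

    There is no signature matching and no anomaly model: the decoy has no
    legitimate users, so presence in the log is the whole detection.
    """
    hits = defaultdict(lambda: {"user": None, "ports": set(), "count": 0, "first": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("dst") not in decoy_hosts:
            continue
        src = rec.get("src")
        if src is None or src in allowlist:
            continue
        hit = hits[src]
        hit["count"] += 1
        hit["ports"].add(int(rec.get("dport", "0")))
        hit["user"] = rec.get("user") or hit["user"]
        hit["first"] = hit["first"] or rec["ts"]
    return [
        {"src": src, "user": h["user"], "ports": sorted(h["ports"]),
         "count": h["count"], "first": h["first"]}
        for src, h in sorted(hits.items())
    ]


def serve_decoy(bind_ip, port, on_touch, max_connections=1):
    """Minimal decoy listener: accept a connection, record who it was and what
    they sent first, then close. It never serves real data; its only job is
    to be touched and to report the touch."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    try:
        for _ in range(max_connections):
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    first_bytes = conn.recv(64)
                except socket.timeout:
                    first_bytes = b""
            on_touch(peer[0], port, first_bytes)
    finally:
        srv.close()


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOGS):
        print(f"ALERT decoy touched by {alert['src']} (user={alert['user']}) "
              f"ports={alert['ports']} count={alert['count']} first={alert['first']}")
    # To run the listener on the decoy host itself (assumed address):
    # serve_decoy("10.20.30.250", 445, lambda ip, port, data: print(ip, port, data))
```

Run against the constructed log, the only alert is workstation 10.20.31.17, user jdoe, which hit the decoy's SMB port twice and then tried SSH; the scanner at 10.20.30.5 and the monitor at 10.20.30.6 are dropped by the allowlist, and asmith's connection to the real file server at 10.20.30.12 is never examined because it did not involve the decoy. Everything that reaches the analyst is therefore small and precise, which is the property the answer contrasts with the IDS alert flood.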