Honeypots wreak sweet revenge against cyber intruders

In the world of warfare, the term "asymmetry" means that one adversary isn't playing by the rules. Recently, some colonels in Beijing took a staunch asymmetrical position against the U.S., effectively declaring unrestricted war on our networks. Essentially, their message was, "Since the U.S. can beat us with conventional and nuclear weapons in any kinetic/physical conflict, we in China hereby declare the U.S. economy, private sector and critical infrastructures to be legitimate targets."

Infowar-ish events, spurred by world politico-religious discontent, only exacerbate a network manager's natural security concerns. Who is that knocking at your door? Is it the kid next door sport-hacking, or a national assault against your e-commerce site or communications infrastructure?

The technology to identify the "bad guys" is finally getting somewhat better than the old-fashioned static intrusion-detection systems. Emerging technologies are looking more at the dynamic behavior of electronic visitors to determine, with varying degrees of accuracy, who is a good guy (buyer/customer) and who is a bad guy (use your own definition for that).

One of these emerging technologies is called a deception system, or honeypot. Security expert Robert Graham defines a honeypot as a system designed to look like something an intruder can hack. (For Graham's intrusion-detection system FAQ, which includes a good overview of honeypots, go to his site.)

Ancient military leaders had horses pull logs to generate large amounts of dust to convince their adversaries that massive amounts of troops were on the way to battle. During World War II, the Department of the Army painted the roofs of military-related buildings to look innocuous and civilian.

Translating these premises to networks is conceptually simple. One way is to add a dedicated deception server with the sole purpose of looking like a proverbial honeypot or cookie jar to people with hostile intent.

One of the more popular locations for deception devices is inside the network, as a means of handling attacks from disgruntled employees and other malicious users with legitimate network access. Logging at deception points or central servers becomes an issue, especially if any future legal action is anticipated. Logs can provide good forensic evidence for a prosecution, but they should be recorded to write-once, non-modifiable media such as recordable CD (CD-R) to prove that the evidence was not tampered with. Also, a cryptographic seal around the logged files makes for a stronger forensic trail.
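One way to build the sealed forensic trail described above, shown here as an added example rather than code from the column or from any product it names: each honeypot record is chained to the previous one by a SHA-256 hash, and the head of the chain is sealed with an HMAC whose key is held on the central log server, not on the decoy. Editing, reordering or deleting a record then breaks the chain or the seal. The event fields, decoy host names and addresses are constructed for the example.

```python
"""Tamper-evident honeypot log: SHA-256 hash chain plus HMAC seal (added example)."""
import hashlib
import hmac
import json
import secrets

# Constructed sample events, as a deception server might record them.
# Hosts, addresses and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"ts": 1000000000, "src": "10.0.0.23", "dst": "sap-fin01", "port": 3200, "action": "tcp_connect"},
    {"ts": 1000000012, "src": "10.0.0.23", "dst": "sap-fin01", "port": 3200, "action": "login_attempt", "user": "admin"},
    {"ts": 1000000030, "src": "10.0.0.77", "dst": "peoplesoft-hr", "port": 80, "action": "http_get", "path": "/payroll"},
]

GENESIS = "0" * 64  # hash of the (empty) record before the first one


def canonical(event: dict) -> bytes:
    """Serialize an event deterministically so its hash is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, event: dict) -> dict:
    """Append an event, chaining it to the previous record's hash.

    Each record stores SHA-256(previous hash || event bytes), so editing,
    deleting or reordering any earlier record changes every later hash.
    """
    prev = log[-1]["hash"] if log else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    record = {"prev": prev, "event": event, "hash": digest}
    log.append(record)
    return record


def seal(log: list, key: bytes) -> str:
    """Return an HMAC-SHA256 over the chain head; the key stays off the honeypot host."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(log: list, key: bytes, sealed: str) -> tuple:
    """Recompute the whole chain and check the seal. Returns (ok, reason)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev:
            return False, f"record {i}: broken link"
        expected = hashlib.sha256(prev.encode() + canonical(rec["event"])).hexdigest()
        if rec["hash"] != expected:
            return False, f"record {i}: content altered"
        prev = rec["hash"]
    if not hmac.compare_digest(seal(log, key), sealed):
        return False, "seal mismatch (records appended or removed after sealing)"
    return True, "ok"


def demo() -> dict:
    """Build and seal a log, then tamper with copies to show what is detected."""
    key = secrets.token_bytes(32)  # in practice generated and kept on the log server
    log = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev)
    sealed = seal(log, key)
    intact = verify(log, key, sealed)

    # Tamper 1: an insider rewrites the source address on their own login attempt.
    edited = json.loads(json.dumps(log))  # deep copy via JSON round-trip
    edited[1]["event"]["src"] = "10.0.0.99"
    edited_result = verify(edited, key, sealed)

    # Tamper 2: the most recent record is deleted outright.
    truncated = log[:-1]
    truncated_result = verify(truncated, key, sealed)

    return {"intact": intact, "edited": edited_result, "truncated": truncated_result}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```

The chain alone catches edits inside the log; the seal is what catches a clean truncation, because the remaining records still link correctly and only the head hash has changed. Sealing periodically and shipping the seal (or the whole chain) to write-once media gives a verifier something independent of the honeypot host to compare against.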

Several recent case studies have shown that deception methods tend to keep some bad guys at arm's length because they know their actions are being monitored. Internal honeypots with names such as SAP or PeopleSoft tend to attract hits from insiders, which suggests that critical servers should be named something that does not attract attention.

It's wise to consult your human resources department before deploying internal deception systems because employee monitoring can be controversial. Companies generally have the right to monitor employees, but how this is done and what employees are told is a matter for management to decide.

While not a network security panacea, deception is another option for the security-conscious organization, especially for monitoring insider threats. Deception products are hitting the market. CyberCop-Sting from Network Associates is based on the vendor's existing technologies, ManTrap from Recourse Technologies is another deception tool, and sNET from sNET Systems provides a complete suite of deception options. Or if you're into building your own, check out www.all.net for Fred Cohen's Deception Tool Kit.

In the end, though, Winston Churchill said it best: "In war, truth is so precious, it must be protected by a bodyguard of lies." Why not try the same thing with your network?

Schwartau is president of Interpact, a security awareness consulting firm, and author of many books, including Cybershock and Computer and Internet Ethics. Reach him at winns@gte.net.
