Thursday, September 19, 2013

Honeypots: When and when not

Under what conditions should you consider implementing a honeypot? And, under what conditions should you not operate a honeypot?

Honeypots make excellent research tools for tracking spam and worm propagation. Tang and Chen propose a worm detection strategy built on two honeypots: one that receives data from the network, and a second that accepts data only from the first. They hypothesize, and then support with evidence, that such a setup can automate the detection and collection of even previously unknown worms. Because every packet reaching the second machine is by construction malicious, traffic signatures can be derived from it automatically. (2005)
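To make the two-honeypot idea concrete, here is an added simulation (not the authors' code, and not taken from their paper) of the detection and signature step. It assumes the two honeypot addresses and the sample traffic, all of which are constructed: the only flows treated as worm samples are those the inbound honeypot itself initiates toward the outbound one, and the signature is the byte sequence those samples share.

```python
# Simulation of a two-honeypot worm detector with automatic signature extraction.
# Added example inspired by the design described above; it is not the authors'
# code, and all addresses and payloads are constructed for illustration.

INBOUND_HONEYPOT = "10.0.0.10"   # exposed to the network (constructed address)
OUTBOUND_HONEYPOT = "10.0.0.20"  # accepts connections only from the inbound honeypot


def is_worm_flow(flow):
    """Any connection the inbound honeypot initiates toward the outbound honeypot
    is self-propagation: nothing legitimate runs on either box, so such a flow is
    treated as malicious without needing any signature."""
    return flow["src"] == INBOUND_HONEYPOT and flow["dst"] == OUTBOUND_HONEYPOT


def longest_common_substring(a, b):
    """Classic O(len(a)*len(b)) dynamic-programming longest common substring."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def derive_signature(payloads, min_len=8):
    """Shrink the captured payloads to the byte run every sample shares.
    Iterative pairwise LCS is a heuristic (not guaranteed optimal over all
    samples) but shows the idea. Returns b'' when nothing of at least min_len
    bytes is invariant, so no over-broad rule is emitted."""
    signature = payloads[0]
    for payload in payloads[1:]:
        signature = longest_common_substring(signature, payload)
        if len(signature) < min_len:
            return b""
    return signature


def build_signature_from_flows(flows, min_len=8):
    """Full pipeline: keep only inbound->outbound flows, then extract the invariant."""
    samples = [f["payload"] for f in flows if is_worm_flow(f)]
    if len(samples) < 2:
        return b""  # one sample cannot separate invariant bytes from padding
    return derive_signature(samples, min_len)


def matches(payload, signature):
    """Apply a derived signature to arbitrary traffic."""
    return bool(signature) and signature in payload


# Constructed traffic: two benign requests from the network plus two propagation
# attempts whose payloads share a fixed core but differ in padding and trailer.
INVARIANT = b"\x90\x90INVARIANT-PROPAGATION-BYTES\x00"
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": INBOUND_HONEYPOT, "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.9", "dst": INBOUND_HONEYPOT, "payload": b"HELO mail.example\r\n"},
    {"src": INBOUND_HONEYPOT, "dst": OUTBOUND_HONEYPOT,
     "payload": b"GET /" + b"A" * 20 + INVARIANT + b"\x01\x02"},
    {"src": INBOUND_HONEYPOT, "dst": OUTBOUND_HONEYPOT,
     "payload": b"GET /" + b"B" * 24 + INVARIANT + b"\x03\x04"},
]

if __name__ == "__main__":
    sig = build_signature_from_flows(SAMPLE_FLOWS)
    print("derived signature:", sig)
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], "match" if matches(f["payload"], sig) else "clean")
```

The point of the second honeypot is in `is_worm_flow`: classification needs no prior knowledge of the worm, only the topology. The signature step then has a clean sample set to work from, and the `min_len` floor guards against emitting a signature so short that it would match benign traffic.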

A situation where a honeypot should not be used is one where you are unable to control outgoing packets. Since the purpose of the honeypot is to let attackers exploit it, the server can be re-purposed as an attack platform if its outbound traffic is not properly controlled. Hallberg et al. describe how poorly protected honeypots pose a serious vulnerability to your network. They argue the risk is severe enough that the operator of a re-purposed honeypot could be held liable for downstream damage caused by attacks launched from it. (2009)
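As an added illustration of what "controlling outgoing packets" means in practice (this is example code, not anything from Hallberg et al.), the following simulates a stateful egress policy for a single honeypot: inbound connections and their replies are admitted, while connections the honeypot itself initiates are capped per hour and certain destination ports are denied outright. The honeypot address, attacker address, thresholds and port list are all constructed assumptions.

```python
# Simulated outbound ("egress") control for one honeypot host. Added example;
# the addresses (documentation ranges), the per-hour cap and the denied-port list
# are constructed, not taken from any cited work.
from collections import deque


class HoneypotEgressPolicy:
    """Inbound traffic is always admitted (the honeypot exists to be attacked) and
    replies inside those sessions flow back. Connections the honeypot initiates are
    the risk: they are rate-capped and some ports are denied, so a compromised
    honeypot cannot be turned into a scanner or relay against third parties."""

    def __init__(self, honeypot_ip, max_new_outbound_per_hour=10, denied_ports=(25,)):
        self.honeypot_ip = honeypot_ip
        self.max_new_outbound = max_new_outbound_per_hour
        self.denied_ports = set(denied_ports)
        self.inbound_sessions = set()   # (remote_ip, remote_port, honeypot_port)
        self.outbound_sessions = set()  # (remote_ip, remote_port, honeypot_port)
        self.outbound_starts = deque()  # timestamps of admitted outbound SYNs
        self.alerts = []

    def decide(self, pkt):
        """pkt: {'ts','src','sport','dst','dport','syn'}; returns 'ALLOW' or 'DROP'."""
        if pkt["dst"] == self.honeypot_ip:
            if pkt["syn"]:
                self.inbound_sessions.add((pkt["src"], pkt["sport"], pkt["dport"]))
            return "ALLOW"
        if pkt["src"] != self.honeypot_ip:
            return "ALLOW"  # not the honeypot's packet; outside this policy's scope
        key = (pkt["dst"], pkt["dport"], pkt["sport"])
        if not pkt["syn"]:
            # Mid-session packet: fine only if the session was admitted in either direction.
            if key in self.inbound_sessions or key in self.outbound_sessions:
                return "ALLOW"
            self.alerts.append(f"{pkt['ts']}: stray outbound to {pkt['dst']}:{pkt['dport']} dropped")
            return "DROP"
        # A new connection initiated by the honeypot: the case that needs control.
        if pkt["dport"] in self.denied_ports:
            self.alerts.append(f"{pkt['ts']}: outbound to denied port {pkt['dport']} dropped")
            return "DROP"
        horizon = pkt["ts"] - 3600
        while self.outbound_starts and self.outbound_starts[0] <= horizon:
            self.outbound_starts.popleft()
        if len(self.outbound_starts) >= self.max_new_outbound:
            self.alerts.append(f"{pkt['ts']}: outbound cap hit, {pkt['dst']}:{pkt['dport']} dropped")
            return "DROP"
        self.outbound_starts.append(pkt["ts"])
        self.outbound_sessions.add(key)
        self.alerts.append(f"{pkt['ts']}: honeypot opened {pkt['dst']}:{pkt['dport']} (admitted, logged)")
        return "ALLOW"


def packet(ts, src, sport, dst, dport, syn=False):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}


HONEYPOT = "10.0.0.10"      # constructed
ATTACKER = "198.51.100.5"   # constructed


def constructed_trace():
    """An intruder logs in, then tries to use the box to reach other hosts."""
    trace = [
        packet(0, ATTACKER, 40000, HONEYPOT, 22, syn=True),  # attacker connects in
        packet(1, HONEYPOT, 22, ATTACKER, 40000),            # honeypot replies
    ]
    for i in range(12):  # 12 new outbound connections within one minute
        trace.append(packet(10 + i, HONEYPOT, 50000 + i, f"192.0.2.{i + 1}", 80, syn=True))
    trace.append(packet(30, HONEYPOT, 50100, "192.0.2.50", 25, syn=True))  # denied port
    trace.append(packet(31, HONEYPOT, 50000, "192.0.2.1", 80))    # data on admitted session
    trace.append(packet(32, HONEYPOT, 50011, "192.0.2.12", 80))   # data on a dropped session
    return trace


def run_policy(trace, **kwargs):
    policy = HoneypotEgressPolicy(HONEYPOT, **kwargs)
    return [policy.decide(p) for p in trace], policy.alerts


if __name__ == "__main__":
    decisions, alerts = run_policy(constructed_trace())
    for p, d in zip(constructed_trace(), decisions):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}  {d}")
    print("\n".join(alerts))
```

Two design choices matter here. A small number of outbound connections is still admitted rather than blocked entirely, because an attacker who can reach nothing will leave immediately and the honeypot learns nothing; every admitted connection is logged so the analyst sees what was fetched. And the decision is stateful: a data packet on a connection that was never admitted is dropped rather than waved through, which is exactly the gap an operator loses when, as the paragraph above puts it, outgoing packets cannot be controlled.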


Hallberg, C., Kabay, M. E., Robertson, B., & Hutt, A. E. (2009). Management Responsibilities and Liabilities. In Bosworth et al. (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Tang, Y., & Chen, S. (2005, March). Defending against internet worms: A signature-based approach. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE (Vol. 2, pp. 1384-1394). IEEE.
