Honeypots Let You Spy on Your Enemy
What's one of the first tenets of warfare? Know your enemy. Well, one of the authors of a new book tells eSecurityPlanet that using honeypots is one of the best ways to do just that.
Know your enemy.
Well, the principal that holds for military warfare holds true for digital warfare, as well. But it's not like black hat hackers are having lunch with security administrators and sharing their secrets for intrusions and hybrid worm attacks. So how do you figure out who your enemy is and what he's trying to do to your network?
The answers lie in the honeypot. According to members of the Honeynet Project and the Honeynet Research Alliance, most of what you need to know about hackers can be found there. Their new collaborative book, Know Your Enemy: Learning About Security Threats looks at honeypots, honeynets and what they can teach us about the bad guys, as well as how to successfully set them up yourself.
It's a way to spy on your enemy.
And if you're lucky, it might even be a form of camouflage. Hackers could be fooled into thinking they've accessed a corporate network, when actually they're just banging around in a honeypot -- while the real network remains safe and sound.
There also are honeynets, which are a network of honeypots, loaded up with real hardware, like Linux boxes, Cisco switches, Windows NT and Solaris. Lance Spitzner, a senior security architect at Sun Microsystems Inc., created the Honeynet Project with the help of about 30 other security professionals.
Spitzner is one of the authors of the book Know Your Enemy. He talked to eSecurityPlanet about what they've learned about hackers, what companies should be doing to better protect themselves, and if putting together a honeypot or a honeynet is the right thing for most companies.
There also are honeynets, which are a network of honeypots, loaded up with real hardware, like Linux boxes, Cisco switches, Windows NT and Solaris. Lance Spitzner, an engineer at Sun Microsystems Inc., created the Honeynet Project with the help of about 30 other security professionals.
Q: Are honeypots and honeynets the best way to learn about hackers?
It's definitely one of the best ways. You get to watch them operate in their own environment. It's difficult to survey hackers or talk with them... With a honeynet, you can watch and analyze what they're doing without them knowing they're being watched. What tools do they use? What systems are they going after? Who are they communicating with?
Q: What are some of the more interesting things you've learned about
The attackers and threats are far more aggressive and active than most people think. The typical home user, if they have a dedicated connection to the Internet, is getting scanned about 10 times a day. People think they only go after major companies, but they go after everyone.
And people think of hacker terrorism but most hackers are just criminals. They're out to make money. There are so many creative ways to make money hacking computers. They can go online and take information, like addresses and social security numbers, off peoples' computers. Then they can use the information or sell it. They might even break into hundreds or thousands of computers and sell these hacked computers to someone else. They might set up a porn site on your computer and charge people to go see it.
Q: What changes have you seen in how hackers operate?
There have been two big changes. In '97, '98 or '99, you'd see the misguided youth. But in past few years, there's been a switch to the criminal. People are out to make money. Tools are far more aggressive and automated. It makes for a different level of sophistication.
Q: What should administrators and CSOs know about your
Stay with the basics. People try to go for the latest and greatest. If you're running a current and patched operating system, you should be protected. Anti-virus software and firewalls will go a long way to eliminating most threats. It's not that hackers have super secret weapons. They're trying to look for mistakes in your environment. They look for simple passwords or systems that aren't patched. With 20 percent effort, you can eliminate 80 percent of the threat.
Q: Should companies be running their own honeypots or
Commercial organizations? Probably not. Do the basics. If you're having problems with patching and such, you shouldn't have a honeynet. If you've got all the basics done, sure. Go ahead. Get a honeynet because you can learn a lot. But most honeynets are run by academics, military and government. Stick to what you have to do first. Once you've got the basics down, honeynets can give you a lot of information, maybe even on internal threats.
Q: What should companies do to protect themselves that they're
generally not doing?
Companies are not doing the basics. Most want to pass audit. They want to be able to tell shareholders that they're secure... In a lot of cases, you hear about companies being taken out by worms. These exploits have been known for six months and the patches have been out for six months. That means these companies haven't patched their systems in six months. That's just blowing it on the basics.