Honeypots Let You Spy on Your Enemy

What's one of the first tenets of warfare?

Know your enemy.

Well, the principle that holds for military warfare holds true for digital warfare, as well. But it's not like black hat hackers are having lunch with security administrators and sharing their secrets for intrusions and hybrid worm attacks. So how do you figure out who your enemy is and what he's trying to do to your network?

The answers lie in the honeypot. According to members of the Honeynet Project and the Honeynet Research Alliance, most of what you need to know about hackers can be found there. Their new collaborative book, Know Your Enemy: Learning About Security Threats, looks at honeypots, honeynets and what they can teach us about the bad guys, as well as how to successfully set them up yourself.

Honeypots, which have been around for about 12 years but are gaining interest and momentum, are digital decoys of sorts. They are built to be probed and attacked -- an online come-on to black hat hackers. Once the honeypot is attacked, security administrators can watch how the hacker moves around the system and see what tools the hacker is using and what information he's going after.

It's a way to spy on your enemy.

And if you're lucky, it might even be a form of camouflage. Hackers could be fooled into thinking they've accessed a corporate network, when actually they're just banging around in a honeypot -- while the real network remains safe and sound.
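The decoy described above, as an added example that is not code from the Honeynet Project or the book: a minimal low-interaction honeypot that presents a fake SMTP banner on a port nothing legitimate should touch, and records what each peer sends. The banner text and the peer address in the offline check are constructed values.

```python
import socket

# Added example, not code from the Honeynet Project or the book: a minimal
# low-interaction honeypot. Received data is logged, never interpreted.

BANNER = b"220 mx.example.test ESMTP ready\r\n"

def handle_probe(conn, peer, log):
    # Send the decoy banner, read up to 4 KiB of what arrives, then log it.
    conn.settimeout(3.0)
    conn.sendall(BANNER)
    data = b""
    try:
        while len(data) < 4096:
            part = conn.recv(1024)
            if not part:
                break
            data += part
    except socket.timeout:
        pass
    entry = {
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        # printable copy of attacker input; it is never passed to a shell
        "data": data.decode("ascii", errors="backslashreplace"),
    }
    log.append(entry)
    return entry

def serve(port, log):
    # Listen on the decoy port and log every connection, one at a time.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        with conn:
            handle_probe(conn, peer, log)

def capture_probe(payload, peer=("198.51.100.23", 51234)):
    # Offline check: a socketpair stands in for the attacker; peer is constructed.
    a, b = socket.socketpair()
    with a, b:
        b.sendall(payload)
        b.shutdown(socket.SHUT_WR)
        entry = handle_probe(a, peer, [])
        banner = b.recv(1024)
    return entry, banner
```

Every record an administrator reads back from the log is exactly what the peer sent, which is the whole point: the decoy answers with a banner and otherwise only listens.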

There also are honeynets, which are a network of honeypots, loaded up with real hardware, like Linux boxes, Cisco switches, Windows NT and Solaris. Lance Spitzner, a senior security architect at Sun Microsystems Inc., created the Honeynet Project with the help of about 30 other security professionals.

Spitzner is one of the authors of the book Know Your Enemy. He talked to eSecurityPlanet about what they've learned about hackers, what companies should be doing to better protect themselves, and whether putting together a honeypot or a honeynet is the right thing for most companies.

Q: Are honeypots and honeynets the best way to learn about hackers?
It's definitely one of the best ways. You get to watch them operate in their own environment. It's difficult to survey hackers or talk with them... With a honeynet, you can watch and analyze what they're doing without them knowing they're being watched. What tools do they use? What systems are they going after? Who are they communicating with?

Q: What are some of the more interesting things you've learned about hackers?
The attackers and threats are far more aggressive and active than most people think. The typical home user, if they have a dedicated connection to the Internet, is getting scanned about 10 times a day. People think they only go after major companies, but they go after everyone.

And people think of hacker terrorism but most hackers are just criminals. They're out to make money. There are so many creative ways to make money hacking computers. They can go online and take information, like addresses and social security numbers, off people's computers. Then they can use the information or sell it. They might even break into hundreds or thousands of computers and sell these hacked computers to someone else. They might set up a porn site on your computer and charge people to go see it.

Q: What changes have you seen in how hackers operate?
There have been two big changes. In '97, '98 or '99, you'd see the misguided youth. But in the past few years, there's been a switch to the criminal. People are out to make money. Tools are far more aggressive and automated. It makes for a different level of sophistication.

Q: What should administrators and CSOs know about your findings?
Stay with the basics. People try to go for the latest and greatest. If you're running a current and patched operating system, you should be protected. Anti-virus software and firewalls will go a long way to eliminating most threats. It's not that hackers have super secret weapons. They're trying to look for mistakes in your environment. They look for simple passwords or systems that aren't patched. With 20 percent effort, you can eliminate 80 percent of the threat.

Q: Should companies be running their own honeypots or honeynets?
Commercial organizations? Probably not. Do the basics. If you're having problems with patching and such, you shouldn't have a honeynet. If you've got all the basics done, sure. Go ahead. Get a honeynet because you can learn a lot. But most honeynets are run by academics, military and government. Stick to what you have to do first. Once you've got the basics down, honeynets can give you a lot of information, maybe even on internal threats.

Q: What should companies do to protect themselves that they're generally not doing?
Companies are not doing the basics. Most want to pass audit. They want to be able to tell shareholders that they're secure... In a lot of cases, you hear about companies being taken out by worms. These exploits have been known for six months and the patches have been out for six months. That means these companies haven't patched their systems in six months. That's just blowing it on the basics.
