What security risks do enterprise honeypots pose?
What are the risks of using a honeypot in an enterprise environment?

Honeypots can provide a great deal of insight into an environment's attack activity, and I encourage you to consider them. However, be careful! There are some significant issues that require careful consideration and planning before an enterprise honeypot deployment.

One of the best sources of honeypot information is the Honeynet Project, led by Lance Spitzner. I'm an alum of that project, and I had a great deal of fun taking part in it. Over the years, I also learned a lot by reading the great research papers at www.honeynet.org.

A honeypot, by definition, is typically a computer that has no actual production use, other than to act as fly paper for attackers. Designed to look unprotected and inviting, its purpose is to lure in malicious hackers to either isolate them or simply learn about their methods. There are a number of variations on the theme beyond full-blown end systems. Honeypot accounts -- that have no production use -- can detect password-guessing attacks; honey tokens, which may include cookies, files, and other data elements, can also be used to track malicious hackers.

Regardless of the honeypot being used, you have to be careful about its compromise and misuse. If a bad guy takes over a honeypot machine and starts using it as a launch point to attack other systems, or worse yet, other enterprises, you have a serious problem. Not only could that spell severe consequences for your career advancement, but you could also be held liable for damages resulting from the honeypot misuse.

Thus, make sure you limit any honeypot's ability to interact with other network systems. The honeypot can be firewalled off, or its connections can be limited by a network-based IPS tool. Monitor your honeypot carefully, using host-based IDS and IPS products. When the detection and prevention systems recognize an attacker, respond quickly before the hacker can cause damage elsewhere in your environment.

Finally, it's important to talk with your lawyers about any legal issues that may arise from enterprise honeypot monitoring and deployment.
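
The containment and monitoring advice above, as an added example that is not part of the original article: a honeypot has no production use, so any connection it initiates (other than to its own log collector) is a sign it is being used as a launch point. The addresses, the allowed-egress entry and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the article): honeypot address, internal range, log format.
HONEYPOT = ipaddress.ip_address("10.66.0.10")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EGRESS = {(ipaddress.ip_address("10.66.0.2"), 514)}  # log collector only

# Constructed sample of connection attempts: "epoch src dst dport tcp_flags".
SAMPLE_LOG = """\
1200000000 203.0.113.7 10.66.0.10 22 S
1200000005 203.0.113.7 10.66.0.10 22 S
1200000100 10.66.0.10 10.66.0.2 514 S
1200000200 10.66.0.10 10.1.4.20 445 S
1200000201 10.66.0.10 10.1.4.21 445 S
1200000300 10.66.0.10 198.51.100.9 25 S
"""

def parse(line):
    ts, src, dst, dport, _flags = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def classify(src, dst, dport):
    """Label one connection attempt relative to the honeypot."""
    if dst == HONEYPOT:
        return "inbound-probe"      # expected: this is what the honeypot is for
    if src != HONEYPOT:
        return "unrelated"
    if (dst, dport) in ALLOWED_EGRESS:
        return "allowed-egress"
    if any(dst in net for net in INTERNAL):
        return "ALERT-lateral"      # honeypot reaching other internal systems
    return "ALERT-external"         # honeypot reaching other enterprises

def review(log_text):
    """Return (alerts, per-label counts) for a block of log lines."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse(line)
        label = classify(src, dst, dport)
        counts[label] += 1
        if label.startswith("ALERT"):
            alerts.append((ts, label, str(dst), dport))
    return alerts, counts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)[0]:
        print(alert)
```

The same allow-list belongs in the firewall or IPS that fences the honeypot, so the connections flagged here are also blocked rather than only reported.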

More information:

  • Read a chapter from the book: Virtual Honeypots: From Botnet Tracking to Intrusion Detection.
  • Listen to author Niels Provos demonstrate how virtual honeypots can collect malware.

This was first published in January 2008.