What are the risks of using a honeypot in an enterprise environment?
Honeypots can provide a great deal of insight into an environment's attack activity, and I encourage you to consider them. However, be careful! There are some significant issues that require careful consideration and planning before an enterprise honeypot deployment.
One of the best sources of honeypot information is the Honey Project, led by Lance Spitzner. I'm an alum of that project, and I had a great deal of fun taking part in it. Over the years, I also learned a lot by reading the great research papers at www.honeynet.org.
A honeypot, by definition, is typically a computer that has no actual production use, other than to act as fly paper for attackers. Designed to look unprotected and inviting, its purpose is to lure in malicious hackers to either isolate them or simply learn about their methods. There are a number of variations on the theme beyond full-blown end systems. Honeypot accounts -- that have no production use -- can detect password-guessing attacks; honey tokens, which may include cookies, files, and other data elements, can also be used to track malicious hackers.
Regardless of the honeypot being used, you have to be careful about its compromise and misuse. If a bad guy takes over a honeypot machine and starts using it as a launch point to attack other systems, or worse yet, other enterprises, you have a serious problem. Not only could that spell severe consequences for your career advancement, but you could also be held liable for damages resulting from the honeypot misuse.
Thus, make sure you limit any honeypot's ability to interact with other network systems. The honeypot can be firewalled off, or its connections can be limited by a network-based IPS tool. Monitor your honeypot carefully, using host-based IDS and IPS products. When the detection and prevention systems recognize an attacker, respond quickly before the hacker can cause damage elsewhere in your environment.
Finally, it's important to talk with your lawyers about any legal issues that may arise from enterprise honeypot monitoring and deployment.
- Read a chapter from the book: Virtual Honeypots: From Botnet Tracking to Intrusion Detection.
- Listen to author Niels Provos demonstrate how virtual honeypots can collect malware.
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Ed Skoudis
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...continue reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ...continue reading
There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.