Honeyclients bring new twist to honeypots



"This has been driven both by advancements in secure coding practices for server-side software and, more importantly, by the explosion of phishing and identity theft attacks," says Michael Sutton, the security evangelist for SPI Dynamics, which was recently acquired by HP. "Attackers have realized that it is easier to find a weak point when targeting employees and end users versus a hardened server, which is actively protected."

The situation is fairly depressing: according to honeynet researchers, there are compromised Web sites in almost every subject category.

"Anybody accessing the Web is at risk regardless of the type of content they browse for or the way the content is accessed," write Holz and four other authors of the Honeynet Project paper Know Your Enemy: Malicious Web Servers. "Adjusting browsing behavior is not sufficient to entirely mitigate such risk. Even if a user makes it a policy to only type in URLs rather than following hyperlinks, they are still at risk from typo-squatter URLs."

Flying Across the Web
Because the honeynet server isn't a destination site for any ordinary user, security researchers say that any access recorded by the server is probably from someone up to no good. In contrast, researchers using honeyclients must discern which of the sites they visit are malicious and which are benign, since they are working from a collection of URLs whose security status is undetermined.

Honeyclients have three components:

  • An automated script-based system that drives the PC and Web browser to visit a series of URLs in the hope of finding a compromised Web server.

  • A recording program that documents changes to the PC, just like the one used on the honeynet.

  • A series of virtual machines running multiple PC and browser sessions on the same physical system. After each session is completed and any changes are recorded, the virtual machine is restarted with a clean image before trying the next URL in the sequence.

Honeyclients can uncover new forms of malware that may not be reported or publicized, giving security researchers a jump on the bad guys. This is because they look for changes to the underlying OS and browser configuration, rather than scan for attack signatures or behavioral patterns.
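The change-recording idea behind the three components above, as an added Python example that is not part of the original article or any honeyclient project: it fingerprints the machine state before and after a browser session and reports what the visit altered, without consulting any attack signature. The browser driver, the VM revert and the drive-by payload are hypothetical stand-ins so the detection logic runs offline on constructed files.

```python
"""Added example (not from the article): change-detection core of a honeyclient."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List

State = Dict[str, str]

def snapshot(root: str) -> State:
    """Map every file under root to its SHA-256: the clean-image baseline."""
    state: State = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff_states(before: State, after: State) -> Dict[str, List[str]]:
    """Classify what the session altered; no attack signatures are consulted."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }

def visit_and_record(url: str, root: str, browse: Callable[[str], None]) -> Dict[str, List[str]]:
    """One session: baseline, drive the browser at url, diff. `browse` is a hypothetical
    stand-in for the driver script; a real deployment reverts the VM to a clean image after."""
    before = snapshot(root)
    browse(url)
    return diff_states(before, snapshot(root))

def is_suspicious(changes: Dict[str, List[str]]) -> bool:
    """Any file added, removed or modified just by browsing is a red flag."""
    return any(changes.values())

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a fake browser that behaves like a drive-by download."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")

    def fake_browse(url: str) -> None:  # simulated payload, not a real browser
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"MZ constructed sample")
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("10.0.0.1 bank.example\n")  # constructed hosts-file tampering

    return visit_and_record("http://url-under-test.example/", root, fake_browse)
```

A real honeyclient would also fingerprint registry keys, running processes and the browser configuration, and would discard the VM rather than reuse the directory once a visit is flagged.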

This was first published in November 2007
