Honeypots can strengthen reconnaissance and lower intrusion noise

The concept of a honeypot is fairly simple: put a supposedly vulnerable computer that appears to contain valuable information on your network or perimeter DMZ, then sit back and wait for hits on the system. Since there is no valid business reason for anyone to access it, any connection to the honeypot reliably indicates an intrusion attempt or other suspect activity. Technically astute staff, ongoing system maintenance and a sound policy foundation are required investments, yet for some organizations honeypots provide a cost-effective, proactive security layer for sensitive information systems.

Honeypots entice intruders to focus on decoy computer systems while documenting an evidence trail. The systems replicate vulnerable servers and workstations. Depending on the product and the amount of customization performed, a honeypot can appear to run susceptible applications and to contain valuable intellectual property. The assumption is that attackers will focus their efforts on the decoy information and systems, allowing security personnel to study their methods.


The value of a honeypot placed behind a firewall, or in another protected network location, is its ability to filter out which attacks truly need investigating. Unauthorized access attempts, from within and outside an organization, pound networked systems daily. In fact, given abundant broadband connections, widely available scanning tools and thousands of script kiddies, an individual IP address is scanned 3-5 times a day. All this translates into an inordinate amount of intrusion noise. While intrusion-detection systems can identify suspect traffic patterns, they also generate false positive alerts (and, even worse, false negatives). Honeypots, while also subject to false positives, incur bogus results far less frequently; when they do, the cause is typically a mistyped IP address or system name, or IT's own use of network scanning tools to find vulnerabilities.

More importantly, the suspect activity identified on a honeypot can hone an organization's threat reconnaissance. It enables security pros to refine their searches for new attacks and potentially assess the skill and intent of the attacker. A honeypot acts as an early warning system: it identifies an attack in progress, highlights the methods the attacker is using and reveals what the perpetrator is looking for.
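The two preceding points, that every honeypot hit is suspect but a few known sources (mistyped addresses, IT's own vulnerability scanner) produce bogus results, and that the pattern of hits says something about the attacker, can be turned into a small triage routine. The following is an added example and not code from the original article or from any honeypot product. It assumes a constructed log format of "timestamp source-IP destination-port protocol" lines, a hypothetical allowlist of authorized scanner addresses, and an arbitrary threshold of four distinct ports for calling a source a scanner; the log lines themselves are constructed, not captured data.

```python
"""Triage of honeypot connection logs.

Added example, not from the original article.  The log format is a
constructed one: each line is "<ISO timestamp> <src_ip> <dst_port> <proto>",
roughly what a minimal low-interaction listener might write.  Because a
honeypot has no legitimate users, every line is suspect; the only benign
sources the article names are mistyped addresses (a single stray touch)
and IT's own vulnerability scanners, which are allowlisted here.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log lines (not captured data).
SAMPLE_LOG = """\
2005-01-10T02:14:03 203.0.113.7 22 tcp
2005-01-10T02:14:04 203.0.113.7 23 tcp
2005-01-10T02:14:04 203.0.113.7 80 tcp
2005-01-10T02:14:05 203.0.113.7 445 tcp
2005-01-10T02:14:07 203.0.113.7 3389 tcp
2005-01-10T09:30:00 10.0.5.20 22 tcp
2005-01-10T09:30:01 10.0.5.20 80 tcp
2005-01-10T09:30:01 10.0.5.20 443 tcp
2005-01-10T11:02:55 10.0.9.41 445 tcp
2005-01-10T11:02:55 10.0.9.41 445 tcp
2005-01-10T11:03:20 10.0.9.41 445 tcp
2005-01-10T11:03:21 10.0.9.41 135 tcp
2005-01-10T14:45:12 10.0.3.77 80 tcp
"""

# Hypothetical allowlist: the corporate vulnerability scanner the article
# says will trip a honeypot.  In practice this comes from the asset inventory.
AUTHORIZED_SCANNERS = {ipaddress.ip_address("10.0.5.20")}

# Assumed internal address space, used to separate insider from outsider hits.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed threshold: a source touching this many distinct ports is a scan.
SCAN_PORT_THRESHOLD = 4


def parse_log(text):
    """Return a list of (timestamp, ip, port, proto) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue
        events.append((ts, ip, port, parts[3]))
    return events


def triage(events, scanners=AUTHORIZED_SCANNERS, internal=INTERNAL_NETS):
    """Group honeypot hits by source address and assign each source a verdict."""
    by_src = defaultdict(list)
    for ts, ip, port, proto in events:
        by_src[ip].append((ts, port, proto))
    verdicts = {}
    for ip, hits in by_src.items():
        ports = {p for _, p, _ in hits}
        is_internal = any(ip in net for net in internal)
        if ip in scanners:
            verdict = "authorized-scanner"
        elif is_internal and len(hits) == 1:
            verdict = "probable-typo"   # one touch from inside: check, low priority
        elif len(ports) >= SCAN_PORT_THRESHOLD:
            verdict = "scan"            # broad sweep: opportunistic, likely noise
        else:
            verdict = "targeted"        # few ports, repeated: someone wants something
        first = min(t for t, _, _ in hits)
        last = max(t for t, _, _ in hits)
        verdicts[str(ip)] = {
            "verdict": verdict,
            "internal": is_internal,
            "hits": len(hits),
            "ports": sorted(ports),
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
        }
    return verdicts


def alerts(verdicts):
    """Sources that need a human; internal ones first, since they imply insider risk."""
    actionable = [(ip, v) for ip, v in verdicts.items()
                  if v["verdict"] in ("scan", "targeted")]
    return sorted(actionable, key=lambda kv: (not kv[1]["internal"], kv[0]))


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for ip, v in alerts(result):
        print(f"{ip:15} {v['verdict']:9} hits={v['hits']} ports={v['ports']} "
              f"{v['first_seen']}..{v['last_seen']}")
```

On the constructed log, the external host that walks five ports is classed as a scan, the allowlisted scanner is dropped, the single internal touch is flagged as a probable typo, and the internal host hammering ports 445 and 135 is reported first as a targeted insider hit. The thresholds are deliberately simple; the point is that the allowlist and the single-touch rule remove exactly the false positives the article names, and everything else is, by construction, worth a look.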

From a technological perspective, honeypots have little downside. But there is more to consider than technology, such as the technical ability and available time of your administration and security staffs. Giving an overworked staff more tasks to do won't generally improve an organization's security. And if the staff isn't technically competent to understand, implement, maintain and act on the information gathered by the honeypot, it will have minimal effect on improving security. However, it is a great tool for staffs that adequately maintain their own systems, and for individual departments that work on highly sensitive information or maintain a large number of computer systems. In general, departments without a dedicated security function should leave honeypots to the corporate security staff.

There are potential legal arguments as well, which are sometimes raised by intruders snagged by honeypots: some argue that the honeypot was an "attractive nuisance" or that its use amounts to entrapment. While such arguments can usually be dismissed, they have been commonly raised as a defense. As long as your company has the appropriate computer usage policies for insiders, and the standard warning banners for outsiders, you shouldn't have a problem.

For organizations with valuable intellectual property, knowledgeable security staff, and adequate time for maintaining faux systems and managing detected incidents, honeypots provide a strong value proposition.

About the author
Ira Winkler, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.

This was first published in January 2005
