What are the risks of using a honeypot in an enterprise environment?
Honeypots can provide a great deal of insight into an environment's attack activity, and I encourage you to consider them. However, be careful! There are some significant issues that require careful consideration and planning before an enterprise honeypot deployment.
One of the best sources of honeypot information is the Honeynet Project, led by Lance Spitzner. I'm an alum of that project, and I had a great deal of fun taking part in it. Over the years, I also learned a lot by reading the great research papers at www.honeynet.org.
A honeypot, by definition, is typically a computer that has no actual production use, other than to act as fly paper for attackers. Designed to look unprotected and inviting, its purpose is to lure in malicious hackers to either isolate them or simply learn about their methods. There are a number of variations on the theme beyond full-blown end systems. Honeypot accounts, which have no production use, can detect password-guessing attacks, because any attempt to use them is suspicious by definition; honey tokens, which may include cookies, files, and other data elements, can also be used to track malicious hackers.
Whatever type of honeypot you use, you have to be careful about its compromise and misuse. If a bad guy takes over a honeypot machine and starts using it as a launch point to attack other systems, or worse yet, other enterprises, you have a serious problem. Not only could that spell severe consequences for your career advancement, but you could also be held liable for damages resulting from the honeypot misuse.
Thus, make sure you limit any honeypot's ability to interact with other network systems. The honeypot can be firewalled off, or its connections can be limited by a network-based IPS tool. Monitor your honeypot carefully, using host-based IDS and IPS products. When the detection and prevention systems recognize an attacker, respond quickly before the hacker can cause damage elsewhere in your environment.
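The two monitoring points above, honeypot-account hits and the honeypot's own outbound traffic, can be expressed as simple detection logic. The following is an added example, not code from the original column or from the Honeynet Project; the account names, host addresses, and the simplified sshd-style and firewall-style log formats are constructed for illustration.

```python
"""
Honeypot monitoring helpers (added example, not from the original column).

Two detections a defender wants around a honeypot deployment:
  1. Any authentication attempt against a honeypot account (the account has
     no production use, so every hit is suspicious by construction).
  2. Any outbound connection initiated *by* the honeypot host (it should only
     be receiving attacks, so unexpected outbound traffic means containment failed).

Log formats below are simplified and constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: placeholder names/addresses, not taken from the original page.
HONEYPOT_ACCOUNTS = {"backup_admin", "svc_oracle"}
HONEYPOT_HOSTS = {"10.0.50.9"}
# Outbound destinations the honeypot is allowed to reach (e.g. the log collector).
ALLOWED_EGRESS = {"10.0.1.20"}

# Constructed sshd-like auth line:
# "Jan 10 12:00:01 hp01 sshd[412]: Failed password for backup_admin from 203.0.113.7 port 51022 ssh2"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed firewall-like connection line:
# "Jan 10 12:00:05 fw01 CONN src=10.0.50.9 dst=198.51.100.4 dport=445 proto=tcp"
CONN_RE = re.compile(
    r"CONN src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    kind: str      # "honeytoken_auth" or "honeypot_egress"
    src: str       # source address responsible for the event
    detail: str


def detect_honeytoken_auth(lines: Iterable[str]) -> List[Alert]:
    """Flag every auth attempt, failed or successful, against a honeypot account."""
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("user") in HONEYPOT_ACCOUNTS:
            alerts.append(Alert("honeytoken_auth", m.group("src"),
                                f"{m.group('result')} login as {m.group('user')}"))
    return alerts


def detect_honeypot_egress(lines: Iterable[str]) -> List[Alert]:
    """Flag outbound connections from a honeypot host to any non-allowed destination."""
    alerts = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group("src") in HONEYPOT_HOSTS and m.group("dst") not in ALLOWED_EGRESS:
            alerts.append(Alert("honeypot_egress", m.group("src"),
                                f"outbound to {m.group('dst')}:{m.group('dport')}"))
    return alerts


def summarize_by_source(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per source address, handy for prioritising response."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.src] += 1
    return dict(counts)


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "Jan 10 12:00:01 hp01 sshd[412]: Failed password for backup_admin from 203.0.113.7 port 51022 ssh2",
    "Jan 10 12:00:03 hp01 sshd[412]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2",
    "Jan 10 12:00:04 hp01 sshd[413]: Accepted password for svc_oracle from 203.0.113.7 port 51030 ssh2",
    "Jan 10 12:00:05 fw01 CONN src=10.0.50.9 dst=10.0.1.20 dport=514 proto=udp",
    "Jan 10 12:00:09 fw01 CONN src=10.0.50.9 dst=198.51.100.4 dport=445 proto=tcp",
    "Jan 10 12:00:10 web01 sshd[900]: Accepted password for alice from 10.0.2.15 port 40000 ssh2",
]

if __name__ == "__main__":
    for a in detect_honeytoken_auth(SAMPLE_LOG) + detect_honeypot_egress(SAMPLE_LOG):
        print(a)
```

Note that a successful login as a honeypot account is treated the same as a failed one: the account exists only to be attacked, so there is no legitimate use to distinguish. The egress check is the automated counterpart of the firewall rule in the text; the firewall blocks the traffic, and this logic tells you that someone on the honeypot tried.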
Finally, it's important to talk with your lawyers about any legal issues that may arise from enterprise honeypot monitoring and deployment.
- Read a chapter from the book: Virtual Honeypots: From Botnet Tracking to Intrusion Detection.
- Listen to author Niels Provos demonstrate how virtual honeypots can collect malware.