A honeypot is used for internet and computer security. It is a resource that is designed to be attacked and compromised in order to gain more information about the hacker, such as attack techniques and the motives for breaking in. A honeypot can also be used to divert an attacker from one's production network, allowing time for the administrator to react. One of the main goals of a honeypot is educational: to allow one to research hacker activity.
In the information security arena, many professionals are fascinated by honeypots because observers can see real, live information about an attack and not just hear about it. Many of us hear of websites being defaced or a bank being hacked into, but how many of us actually know how they got in and exactly what was done?
With honeypots, one can determine how an attacker broke in and exactly what they did. Lance Spitzner, founder of the Honeynet Project, defines the term "honeypot" as follows: "A honeypot is a resource whose value is being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information."
Essentially, a honeypot is a tool to gather information, learn about malicious activities and see trends in this type of activity. It is a system designed to be probed and attacked. Gaining that knowledge requires monitoring and gathering the data going to and from these systems. Without this, the honeypot tool is useless.
Types of Honeypots
Marty Roesch, creator of Snort, distinguishes between two categories of honeypots: production honeypots and research honeypots. A production honeypot is used to mitigate risk in an organization. A research honeypot is used to gather as much information as possible so that one can learn from it. Some people argue that these devices do not add security value; however, I differ with this. If a honeypot provides 15 to 20 minutes of extra time for an administrator to react so that he can protect his production network, then there is value right there. If a new exploit is learned by using a honeypot, this is also of benefit to information security because appropriate countermeasures can be developed to defend against this new attack.
How can honeypots add security to an organization?
A honeypot is a tool intended to be compromised. All traffic to and from the honeypot is suspicious because there are no production applications on this system...
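The point that all traffic to and from a honeypot is suspicious can be turned directly into monitoring logic. The following is an added example, not code from the original article: it assumes a hypothetical one-line-per-flow log format (time, source, destination, protocol, port) and a constructed honeypot address and sample records, and it alerts on every flow that touches the honeypot without needing signatures or an allowlist.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data using documentation address ranges (not from the article).
HONEYPOT = ipaddress.ip_address("192.0.2.50")  # assumed honeypot address
FLOWS = """\
2024-05-01T10:00:03Z 198.51.100.7 192.0.2.50 tcp 22
2024-05-01T10:00:04Z 192.0.2.10 203.0.113.80 tcp 443
2024-05-01T10:02:41Z 198.51.100.7 192.0.2.50 tcp 80
2024-05-01T10:09:15Z 192.0.2.50 203.0.113.99 tcp 6667
not a flow record
"""

def parse_flow(line):
    """Parse 'time src dst proto port' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, port = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)
    except ValueError:
        return None

def honeypot_alerts(text, honeypot=HONEYPOT):
    """Alert on every flow touching the honeypot; no signatures or allowlist."""
    alerts = []
    for flow in filter(None, map(parse_flow, text.splitlines())):
        ts, src, dst, proto, port = flow
        if dst == honeypot:
            alerts.append({"time": ts, "kind": "inbound", "peer": str(src), "port": port})
        elif src == honeypot:
            # The honeypot runs nothing that should initiate connections.
            alerts.append({"time": ts, "kind": "outbound", "peer": str(dst), "port": port})
    return alerts

def summarize(alerts):
    """Per peer: earliest time seen, directions observed, ports touched."""
    peers = defaultdict(lambda: {"first_seen": None, "kinds": set(), "ports": set()})
    for a in alerts:
        p = peers[a["peer"]]
        if p["first_seen"] is None or a["time"] < p["first_seen"]:
            p["first_seen"] = a["time"]
        p["kinds"].add(a["kind"])
        p["ports"].add(a["port"])
    return dict(peers)

if __name__ == "__main__":
    for peer, info in summarize(honeypot_alerts(FLOWS)).items():
        print(peer, info["first_seen"], sorted(info["kinds"]), sorted(info["ports"]))
```

The production flow between 192.0.2.10 and 203.0.113.80 produces no alert because it never touches the honeypot, while the first-seen time per peer marks the start of the reaction window the article describes.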