To trap a thief

If you want to break into a house, why spend time prying open the front door if the back door is wide open? Same goes when breaking into computer networks. Most networks and servers are set up with configuration errors that are well known to hackers, who can download free tools that will scan many different networks looking for those easy-open entry points. No genius-level code manipulation or high IQ is needed.

Your network administrators haven't had time to install the latest Microsoft Windows NT security patch yet? Great. A consultant left obvious root access passwords on the firewall he built for you? Even better.

Things get interesting, however, when a security administrator purposely leaves a back door open but hides a tripwire behind it. Now the security person knows when an intruder trips the wire and, with luck, the perpetrator can be caught or scared away before causing any damage.

That's the theory behind "honeypots," which are servers and network equipment designed to attract hackers into secure lockboxes rather than let them hack at the network proper. When criminals move in to exploit security flaws in a honeypot, silent alarms go off and network managers can block the intrusion, begin amassing evidence for use in court or even launch a counterattack.

There are two types of honeypots. Hardware-based honeypots are servers, switches or routers that have been partially disabled and made attractive with commonly known misconfigurations. They sit on the internal network, serving no purpose but to look real to outsiders. The operating system of each box, however, has been subtly disabled with tweaks that prevent hackers from really taking it over or using it to launch new attacks on other servers. A honeypot is easy enough to build, but if an experienced cracker succeeds in compromising it, he could use it to launch other attacks. A safer option might be to create an entire network of honeypots, such as the HoneyNet Project. Lance Spitzner, a security consultant at Sun Microsystems in Chicago, runs the project with 30 other security professionals.

"We call it a 'honeynet' because it's not a single system," he says. It's actually a network of honeypots, full of real hardware, including Cisco switches and Windows NT, Linux and Solaris boxes, all partially disabled. Spitzner's goal is to learn from hacker attacks and share the information on the Web.

Software emulation honeypots, on the other hand, are elaborate deception programs that mimic real Linux or other servers and can run on machines as low-power as a 233-MHz PC. Since an intruder is just dancing with a software decoy, at no time does he come close to actually seizing control of the hardware, no matter what the fake prompts seem to indicate. Even if the hacker figures out that it's a software honeypot, the box on which it's running should be so secure or isolated that he couldn't do anything but leave anyway.

On the other hand, creating a simulation able to fool a master hacker isn't the kind of project most IT shops have the expertise to handle.

Art of deception

More than any piece of equipment or software, the most important attribute of a honeypot is psychological: It has to look attractive and easy to break into, but not too easy. Otherwise, hackers will easily identify the honeypot and go after other servers on the same network. Linux is a good place to start, because there are easily downloadable tool kits for breaking into a Linux server. Spitzner says that on average, it takes only 72 hours for a hacker to begin scanning a new Linux installation on his HoneyNet.

It also helps to know the anatomy of an attack. Many hackers follow similar patterns: running an automated script that scans networks, breaks into systems, downloads tools and then notifies the hacker that a compromised system is ready for use. The downloaded tool kit gives hackers instant access to the compromised system and the ability to rewrite the kernel or use it for anything from launching denial-of-service attacks on other sites to compromising private company data.

After hackers compromised a Linux server on Spitzner's HoneyNet, for example, they tried to scan more than 500 systems in four hours. The hackers were stopped only by the firewall Spitzner erected specifically to keep the HoneyNet systems from serving as launching points that masked the real origin of an attack.

No honeypot, whether hardware or software, can catch every intrusion. "They're handy 'Oh, by the way' tools" but aren't meant to be used alone, says Drew Williams, director of intrusion detection at security firm "They should be considered as yet another module in a comprehensive security solution."

Even with honeypots on the network, hackers could easily attack a real server instead of a fake one, so relying too much on the attractiveness of the honeypot can leave the rest of the network relatively unprotected.

Some question whether using honeypots just invites disaster. "Keep in mind that you are playing with fire," says Spitzner. "Someone far more advanced than you may compromise your honeypot, leaving you open to attack."

Hardware-based honeypots should be isolated, running only the honeypot software, not e-mail servers or other software. Though the honeypot box is attached to the internal network, it shouldn't share or communicate with anything else on the network, in effect making it a virtual lockbox.

"The whole concept of a honeypot is that there should be no production traffic going to or from it. If there's any traffic, then you know it's been compromised," says Spitzner.

Other safety measures include making kernels nonrewritable or setting the machine to reboot whenever someone attempts to change its kernels, so the changes don't take effect.

SNet Systems Corp. sells modified versions of Linux and FreeBSD kernels designed to resist hackers. Barry Schlossberg, security adviser at sNet, says fooling hackers with neutered kernels buys precious time.

"Why did the machine reboot when they tried to put their root kit on it? It baffles them and gives us 30 to 60 minutes to try and identify who and what's coming at the appliance," he says.

For do-it-yourself hardware honeypot builders, Spitzner recommends a product called Mantrap from Recourse Technologies because it runs on real, semidisabled hardware and thus looks real to hackers.

"I'm not a big fan of honeypots that emulate known services," because it's hard to outwit real hackers with pseudo software, Spitzner says. "What's cool about Mantrap is it doesn't emulate anything." The program simply sounds a silent alarm and logs all intruder activity, including keystrokes, for forensic use.

Software emulation might be more useful for corporate environments where business secrets are being safeguarded. For instance, Windows NT doesn't log users' IP addresses, only computer names, so tracking internal activities such as someone attempting to access files in Network Neighborhood that they're not supposed to see is more difficult without using additional tools.

Software from sNet for instance, adds IP logging to Windows NT and simulates NT networks in order to safeguard corporate information. Like all software emulators, it's not real-just an imitation network.

The theory is that if someone has clicked, say, 10 folder levels down in Windows NT's Network Neighborhood into areas they aren't authorized to see, they might have malicious intent.

"There's nothing wrong with casual attempts to rattle the door," such as looking around here and there, says Schlossberg. "[But] how can an 'innocent' person use 50 different log-ins, then 'borrow' the customer database?"

As appealing as it might sound to toy with hacker psychology, only organizations that have covered the basics but have advanced security requirements need to worry much about honeypots. "There are bigger and better priorities. What good is having a honeypot to use as a tripwire mechanism when they're hacking all of your other computers at the same time?" asks Spitzner. "Once [companies] have their firewalls and systems locked down, then you can implement a honeypot."

An appropriate organizational culture is needed, too. "We're finding these systems work better in the military and government worlds than in the regular [world]," Schlossberg says. If anyone should know the art of deception, it's the government and the military, he says, citing such organizations' general siege mentalities and overall awareness, regimentation and standard operating procedures as crucial differentiators.

Internal threats

What happens when companies catch their employees snooping? That's open to legal and ethical debate. Schlossberg says that military entities aside, the companies he deals with almost always refer the matter to their human resources departments. But case law is fuzzy; honeypots could be interpreted as entrapment by leaving a door open.

"The idea to use [honeypots] internally to snoop around on their own staff is still probably somewhat in bad form or in bad taste, as management goes," says Williams. "They shouldn't need to have that process in place, certainly not to the extent that they might have it aimed outward."

Honeypots can also be prime launching spots for nascent attack-backs - doing port scans to find the hacker and then completely wiping out the offending network - in addition to legal action.

For external attacks, "posture depends on the intent of the host. If it's a three-letter agency run out of the Pentagon, they're not going to be as cordial as a credit union in Idaho," Williams adds.

Schlossberg says the push for honeypots isn't coming from US companies, per se. "The impetus is really coming from overseas, where they're looking for immediate attack-back capabilities. There are many countries that have taken a very aggressive position on information warfare; they don't have the same jurisdictional complexes as we do in the US," he says.

Sidebar: Honeypots core elements

Doesn't disclose its existence at any point Is partially disabled so hackers can't still take it over Has a dedicated firewall that prevents all outbound traffic, in case honeypot is compromised Lives in a network DMZ, untouched by normal traffic Sounds silent alarms when any traffic goes to or from it Begins logging all intruder activity when it first senses intrusion Sidebar: HoneyNet Project Security PapersVarious whitepapers dealing with Honeypots. Includes "Know Your Enemy," a series from HoneyNet Project leader Lance Spitzner. Series lays bare the tools and methodology of the most common Internet threat - script kiddies.

Lance's Security Papers

A collection of Lance Spitzner's articles and white papers, dealing with such topics as armoring operating systems and securing firewalls.

FAQ: Firewall Forensics (What am I seeing?)Document explains how to read firewall logs to figure out what hackers coming into or out of your site, or attempting to, might be trying to do.

Design and Implementation of a Deception SystemBarry Schlossberg, security advisor at sNet Systems Corp., outlines a "deception management" strategy.

Join the newsletter!

Error: Please check your email address.

More about INSIntrusion.comMicrosoftNT SecurityRecourse TechnologiesSun MicrosystemsTripwire

Show Comments

Market Place