Honeypots: The Right Ones, The Right Way
"Honeypot" trap networks and honeynets can give solution providers valuable and, importantly, actionable intelligence. The data is independent and arrives in real time, and a correctly deployed trap network offers a better window on emerging threats and trends than third-party sources alone.
For more than a year, the CRN Test Center has used KFSensor, KeyFocus' honeypot intrusion detection software for Windows. Integrated into our test network, it has given us consistent leading indicators of changes in the threat landscape: surges in SQL injection attempts, denial-of-service attacks and a rise in database hacking attempts from IP addresses geolocated to Eastern Europe all came into focus in our trap network, sometimes weeks before major third parties discussed them publicly.
Over that time we have found KFSensor to be safe, effective and relatively easy to set up and maintain. We wanted to look at alternative honeypot applications, but those available are few and far between. (Some major security software vendors have offered this technology in the past; Symantec, for example, once sold a product called Decoy Server.) The major security vendors do a good job of tracking threats in real time and pushing regular signature updates to server and client software, but a signature can only follow an attack that has already been seen. What separates a honeypot from most commercial intrusion detection products is that everything about it is fake: a fake network with fake ports and fake nodes. Nothing legitimate ever has a reason to connect to it, so every connection it records is suspect by definition, which is why a honeypot produces so little noise compared with an IDS watching real traffic.
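To make "fake ports" concrete, here is a minimal low-interaction honeypot listener added as an example for this article; it is not KFSensor, HoneyBOT or any vendor's code. It binds a TCP socket, pretends to be one of a few services by returning a canned banner (the banner strings and the `FakeService`, `Event` and `probe` names are made up for the example), records who connected and what they sent, and drops the connection. Since no legitimate client should ever arrive, every recorded event is an alert. The `probe` function plays the attacker against the loopback interface so the whole thing runs offline and unprivileged.

```python
"""Minimal low-interaction honeypot listener (added example for this article;
not KFSensor, HoneyBOT or any vendor's code). It emulates a service with a
canned banner, records every connection, and never runs the real service."""
import socket
import threading
import time
from dataclasses import dataclass

# Made-up banners for the emulated services. They are the only bytes the
# honeypot ever sends; nothing real listens behind the port.
FAKE_BANNERS = {
    21: b"220 FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_5.1\r\n",
    80: b"HTTP/1.0 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",
}

@dataclass
class Event:
    ts: float
    src_ip: str
    src_port: int
    fake_port: int       # the service the honeypot was pretending to be
    first_bytes: bytes   # what the client sent first (may be empty)

class FakeService:
    """Accept TCP connections, present the banner for `emulated_port`,
    record what the client sends, then disconnect. In a real deployment
    bind_port equals emulated_port; 0 (any free port) keeps the demo
    unprivileged."""

    def __init__(self, emulated_port, bind_addr="127.0.0.1", bind_port=0):
        self.emulated_port = emulated_port
        self.banner = FAKE_BANNERS.get(emulated_port, b"")
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_addr, bind_port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def address(self):
        return self._sock.getsockname()

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=3)
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    if self.banner:
                        conn.sendall(self.banner)
                    data = conn.recv(256)   # whatever the probe sent first
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.events.append(Event(time.time(), ip, port,
                                         self.emulated_port, data))

def probe(addr, payload=b""):
    """Constructed attacker for the demo: connect, send a payload, return
    whatever banner the honeypot answers with."""
    with socket.create_connection(addr, timeout=2) as c:
        if payload:
            c.sendall(payload)
        c.settimeout(2)
        try:
            return c.recv(256)
        except socket.timeout:
            return b""

def demo():
    """Run one probe against an emulated SSH port; return (banner, events)."""
    svc = FakeService(emulated_port=22).start()
    try:
        banner = probe(svc.address, b"SSH-2.0-libssh_0.8\r\n")
    finally:
        svc.stop()   # joins the accept thread, so the event list is complete
    return banner, list(svc.events)

if __name__ == "__main__":
    banner, events = demo()
    print("honeypot answered:", banner)
    for e in events:
        print(f"{e.src_ip}:{e.src_port} -> fake port {e.fake_port} sent {e.first_bytes!r}")
```

The point of the design is that the listener has no real attack surface beyond the socket itself: it sends a fixed string, reads at most 256 bytes, and closes. Anything more interactive (a real shell, a real database) is where the risk of a honeypot being turned against its owner begins.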
Open source is one avenue to continually updated and refined methods and code for trap networks, and The Honeynet Project (honeynet.org) is a good starting point. It links to a number of open source and free honeypot and IDS applications, supporting software (such as log and data readers) and related projects. Several look promising, but their documentation indicates that they take significant time, preparation and resources to install.
Separately, we also tried HoneyBOT from Atomic Software Solutions, a free downloadable honeypot application. Installed on a Windows Server 2003 VM, it was up and running within a few minutes. In the span of nine hours it logged several hundred events that it classified as intrusion attempts against a fake network with two open ports and three remote nodes, roughly the same number KFSensor recorded over the same period. KFSensor, however, presents much more detailed and readable data than HoneyBOT: with KFSensor you can readily see which IP address is sending the suspect traffic, what the specific behavior indicates and how severe the threat is, whereas with HoneyBOT the packet data must be exported and examined case by case to determine those details.
What's the value? Using KFSensor, for example, we found that on one evening in early December our test network was hit by a sudden increase in suspicious pings and probes from IP addresses geolocated to Illinois, Rotterdam and Cairo. We were then able to blacklist those addresses before they poked around our real network. Two caveats apply to that step. The geolocation of a source address says little about who is behind it, since attackers routinely work through compromised hosts, and addresses that scan you today are often gone tomorrow, so blocklist entries derived from honeypot hits should expire rather than accumulate indefinitely, and your own address ranges should never be eligible.
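The step described above, going from a burst of honeypot hits to a set of addresses to block, is simple enough to script. The following is an added example written for this article, not KFSensor's or HoneyBOT's export format or code: the log lines are constructed (RFC 5737 documentation addresses stand in for real external sources, and the comma-separated layout is assumed), the surge rule is a per-source count within a sliding ten-minute window, addresses in the RFC 1918 and loopback ranges are never eligible, and every blocklist entry carries an expiry so the list does not fill up with stale scanners. All function and field names are made up for the example.

```python
"""From honeypot hits to a time-limited blocklist (added example for this
article; not KFSensor or HoneyBOT code, and not their log format)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, source IP, emulated port, classification.
# RFC 5737 documentation addresses stand in for real external sources;
# 10.0.0.5 plays an internal scanner that must never be blocked.
SAMPLE_LOG = """\
2008-12-02T18:00:00,192.0.2.200,1433,MSSQL login attempt
2008-12-02T18:05:11,198.51.100.23,1433,MSSQL login attempt
2008-12-02T18:05:12,198.51.100.23,1433,MSSQL login attempt
2008-12-02T18:06:40,198.51.100.23,1433,MSSQL login attempt
2008-12-02T18:07:02,198.51.100.23,1433,MSSQL login attempt
2008-12-02T18:08:55,198.51.100.23,1433,MSSQL login attempt
2008-12-02T18:30:00,192.0.2.200,1433,MSSQL login attempt
2008-12-02T19:00:00,192.0.2.10,22,SSH banner grab
2008-12-02T19:00:00,192.0.2.200,1433,MSSQL login attempt
2008-12-02T20:00:00,10.0.0.5,445,SMB probe
2008-12-02T20:00:01,10.0.0.5,445,SMB probe
2008-12-02T20:00:02,10.0.0.5,445,SMB probe
2008-12-02T20:00:03,10.0.0.5,445,SMB probe
2008-12-02T21:40:01,203.0.113.77,80,SQL injection in URI
2008-12-02T21:40:03,203.0.113.77,80,SQL injection in URI
2008-12-02T21:41:10,203.0.113.77,80,SQL injection in URI
2008-12-02T21:43:59,203.0.113.77,80,SQL injection in URI
"""

# Ranges that must never end up on the blocklist (RFC 1918, loopback,
# link-local). Add your own public ranges here in practice.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Hit:
    ts: datetime
    src: str
    fake_port: int
    what: str

@dataclass
class BlockEntry:
    ip: str
    peak_hits: int
    last_seen: datetime
    expires: datetime

def parse_log(text):
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, what = line.split(",", 3)
        hits.append(Hit(datetime.fromisoformat(ts), src, int(port), what))
    return hits

def is_blockable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)

def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best

def surges(hits, window=timedelta(minutes=10), threshold=4):
    """Sources whose burst reaches `threshold` hits inside `window`, with
    their peak count. Spread-out background noise does not qualify."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h.src].append(h.ts)
    peaks = {src: peak_in_window(ts, window) for src, ts in by_src.items()}
    return {src: p for src, p in peaks.items() if p >= threshold}

def build_blocklist(hits, window=timedelta(minutes=10), threshold=4,
                    ttl=timedelta(hours=24)):
    """Entries for bursting external sources, each expiring `ttl` after the
    source was last seen; own ranges are filtered out."""
    noisy = surges(hits, window, threshold)
    last_seen = {}
    for h in hits:
        if h.src in noisy:
            last_seen[h.src] = max(last_seen.get(h.src, h.ts), h.ts)
    entries = [BlockEntry(src, noisy[src], last_seen[src], last_seen[src] + ttl)
               for src in noisy if is_blockable(src)]
    return sorted(entries, key=lambda e: e.peak_hits, reverse=True)

def active(blocklist, now):
    """Entries still in force at `now`; expired scanners drop off."""
    return [e for e in blocklist if e.expires > now]

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print("hits per fake port:", dict(Counter(h.fake_port for h in hits)))
    for e in build_blocklist(hits):
        print(f"block {e.ip}: {e.peak_hits} hits in 10 min, expires {e.expires:%Y-%m-%d %H:%M}")
```

Run on the sample, the two bursting external sources are listed and the internal 10.0.0.5 scanner is not, even though it bursts just as hard; the slow, steady 192.0.2.200 probes never reach the window threshold, which is the right outcome for a rule meant to catch sudden surges rather than every visitor. The per-port count is the trend view the article describes: which emulated services are drawing fire tonight.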
Neither KFSensor nor HoneyBOT showed any indication of outsiders reaching any part of the network beyond the fake nodes they created. In other words, we found them safe to run. That is the expected result for tools that emulate services rather than exposing real ones, since there is no real service behind a fake port to compromise. Even so, the honeypot host itself is a real machine, and it belongs on a segment from which a compromise could not reach production systems.
The bottom line: we'll continue to use KFSensor on our test network, and we think there are a number of cases where VARs and solution providers may find it helpful too, for tracking trends, real-time threats and new security issues as they emerge in the real world, even if the network luring those black hats is, in fact, a fake.