Inside Honeypot!!
Honeypots!!??? This was my expression the other day when I was asked what they actually were!
And so here I end up once again at my desktop; after all, this is the only place where I have found most of the weird answers as well as hi-tech news! :D
I guess it's enough now; let us learn (only for people like me who know nothing about these :P) what these honeypots actually are.
A honeypot is basically a surveillance tool: a trap set to detect, deflect, or otherwise counteract attempts at unauthorized access to information systems. Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends, and they allow in-depth examination of adversaries during and after the exploitation of a honeypot.
A honeypot, while often a computer, can take on other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy in order to monitor and record the activities of those using it is called a sugarcane. Honeypots should have no production value and hence should not see any legitimate traffic or activity; whatever they capture can therefore be presumed malicious or unauthorized. One very practical implication of this is that honeypots designed to thwart spam, by masquerading as the kinds of systems spammers abuse to send spam, can categorize the material they trap 100% accurately: it is all illicit.
Honeypots are a highly flexible security tool with many different security applications. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering.
Honeypots all share the same concept: a security resource that should not have any production or authorized activity. In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot is a security resource whose value lies in being probed, attacked, or compromised.
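As an added illustration of this "no production value" principle (example code written for this post, not part of the original), here is a minimal low-interaction TCP decoy: it answers with a fake SMTP-style banner, records whatever the client sends first, and raises an alert for every contact, because nothing legitimate should ever connect. The banner, the `smtp-decoy` service name and port 2525 are all constructed for the example.

```python
import socket
import time

# Constructed decoy banner: poses as an SMTP relay, the kind of system the
# post says spammers abuse. Nothing here is a real mail server.
FAKE_BANNER = b"220 relay.example.internal ESMTP ready\r\n"

def make_alert(peer, first_bytes, service="smtp-decoy"):
    """One interaction -> one alert. The decoy has no production role, so
    every contact is 'unauthorized' with no signature matching needed."""
    return {
        "ts": time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": service,
        "verdict": "unauthorized",
        "bytes": len(first_bytes),
        # decode with replacement so binary probes still log as text
        "payload": first_bytes[:200].decode("utf-8", "replace"),
    }

class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port=0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.alerts = []

    def serve_one(self, timeout=2.0):
        """Accept one connection, send the banner, return its alert record."""
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(timeout)
            conn.sendall(FAKE_BANNER)
            try:
                data = conn.recv(4096)
            except socket.timeout:
                data = b""  # a bare connect (port scan) is still an alert
        alert = make_alert(peer, data)
        self.alerts.append(alert)
        return alert

if __name__ == "__main__":
    hp = Honeypot(port=2525)  # constructed port; pick any unused one
    print(f"decoy listening on 127.0.0.1:{hp.port}")
    while True:
        print(hp.serve_one())
```

Each record the loop prints is, by construction, an incident: forwarding them to a log collector gives a zero-false-positive feed, which is exactly the property the post attributes to spam-trap honeypots.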
Honeypots can be classified by their deployment and by their level of involvement. Based on deployment, honeypots may be classified as:
- Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations;
- Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Detection
Just as honeypots are a weapon against spammers, honeypot detection systems are a spammer-employed counter-weapon. Since detection systems would likely use the unique characteristics of specific honeypots to identify them, a plethora of honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect, and thereby identify, them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot. Cohen believes that this might deter adversaries.
Books and Resources
- Honeypots and Deception Books
- Honeypots for Windows by Roger Grimes
- Virtual Honeypots
- Honeypots, Lance Spitzner, Book - Barnes & Noble
- Honeypots: Tracking Hackers
- Whitepapers and Resources
- Creating Intrusion Detection signatures using Honeypots
External Links
- Distributed Open Proxy Honeypots Project: WASC
- The Honeynet Project
- Know Your Enemy: Everything you need to know about honeypots
- SANS Institute: What is a Honey Pot?
- mwcollect Project
- nepenthes Project
- honeytrap Project
- Developments of the Honeyd Virtual Honeypot
- Open source client honeypot
- Open source low interaction client honeypot
- Canadian Honeynet Project | Canadian Honeypot Security Research
- Incident Analysis of OpenBSD Honeypot
- European Network of Affined Honeypots
- Mexican Honeynet Project
- Honeypots Information (Shadowserver Foundation)