Archive for the 'Honeypots' Category

08 Feb 08

What are Honey Pots and Honey Nets?

Honey pots are decoy systems designed to lure attackers away from critical systems. They are made to appear valuable and accessible (to varying degrees) but hold nothing of real worth. Honey pots are deployed to draw attackers away from real resources and to give administrators information on the attacker: who is connecting, what they probe, and what tools they use. Because the decoy is expected to be compromised, honey pots are often deployed in a virtual environment that can be reset after each incident.

A honey net is a network of honey pot systems, usually on the same subnet, instrumented so that all traffic into and out of it can be captured.


08 Feb 08

Types of Honey Pots

There are two primary types of honey pots:

  • Production honey pots are installed alongside production systems at companies and corporations in order to mitigate the risk that attackers pose. These are primarily low-interaction honey pots: they gather less information but are easier to implement and maintain.
  • Research honey pots are run primarily by non-profit volunteer groups, government, and academia. These honey pots gather significantly more information on the attacker and are generally used as a means of counterintelligence.

Levels of interaction, with representative tools:

  • Honeyd (low-interaction): a daemon that lets a virtual network of honey pots run on a single host. Honeyd claims unused IP addresses on the network and answers connections with scripts that look like services to an attacker, giving the appearance of a production system. Honeyd is licensed under the GPL.
  • mwcollect, nepenthes, honeytrap (low- to medium-interaction): mwcollect and nepenthes are used to collect autonomously spreading malware. They emulate the vulnerable services the malware targets, log the attacker's moves, and download a copy of the malware payload for analysis. Honeytrap listens for connections on TCP ports that nothing else is serving. Like the other two, honeytrap can download the attacking malware; it also has a mode in which it mirrors the attacking traffic back at the initiator, which raises the legal concerns discussed below.
  • Honeynet (high-interaction): a network of real hosts fitted with stealth keyloggers and system event loggers. These systems may also be distributed, meaning that the honeynet is set up in one location with many redirectors across the Internet that link back to it (to avoid blacklisting by attacking software).
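The low-interaction tools above all do the same basic thing: accept a connection, present a convincing banner, record what the client sends, and never execute any of it. The following is an added example of that pattern written for this page, not code from Honeyd or any of the projects named above. The SMTP banner, the canned reply, the attacker probe and the triage keywords are all constructed for the demonstration; the server binds only to loopback on an OS-chosen port.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed for the example: the decoy pretends to be an SMTP relay.
FAKE_BANNER = b"220 mail.corp.example ESMTP Postfix\r\n"
CANNED_REPLY = b"250 OK\r\n"
# Constructed attacker traffic: a relay/credential probe.
PROBE = b"EHLO scanner.invalid\r\nAUTH LOGIN\r\nQUIT\r\n"
# Constructed triage keywords (assumption: what a mail-relay decoy would flag).
INDICATORS = {"AUTH LOGIN": "credential probe",
              "VRFY": "user enumeration",
              "RCPT TO:": "relay test"}


class LowInteractionHoneypot:
    """Accept connections on one port, send a fake banner, log whatever the
    client sends and answer with a canned reply. Nothing received is ever
    interpreted or executed; the captured input is the whole point."""

    def __init__(self, host="127.0.0.1", port=0, max_bytes=4096, idle_timeout=2.0):
        self.events = []                  # one dict per connection
        self.max_bytes = max_bytes        # cap on stored input per session
        self.idle_timeout = idle_timeout  # drop clients that go silent
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))     # port=0: the OS picks a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)        # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]

    def _handle(self, conn, peer):
        captured = bytearray()
        started = datetime.now(timezone.utc).isoformat()
        with conn:
            conn.settimeout(self.idle_timeout)
            try:
                conn.sendall(FAKE_BANNER)
                while len(captured) < self.max_bytes:
                    chunk = conn.recv(1024)
                    if not chunk:         # client closed its side
                        break
                    captured += chunk
                    conn.sendall(CANNED_REPLY)
            except (socket.timeout, OSError):
                pass                      # slow or rude clients are just logged
        event = {"time": started, "src_ip": peer[0], "src_port": peer[1],
                 "dst_port": self.port, "bytes": len(captured),
                 # keep attacker input as text; never decode-fail on junk
                 "data": bytes(captured[: self.max_bytes]).decode("utf-8", "replace")}
        with self._lock:
            self.events.append(event)

    def serve_forever(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self._sock.close()

    def stop(self):
        self._stop.set()


def triage(event):
    """Label a recorded session by the constructed indicator keywords it contains."""
    data = event["data"].upper()
    return [label for needle, label in INDICATORS.items() if needle in data]


def run_demo():
    """Start the decoy on loopback, replay the constructed probe against it,
    and return (banner seen by client, recorded events, replies seen by client)."""
    hp = LowInteractionHoneypot()
    server = threading.Thread(target=hp.serve_forever, daemon=True)
    server.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as client:
        banner = client.recv(1024)
        client.sendall(PROBE)
        client.shutdown(socket.SHUT_WR)   # EOF tells the handler the session is over
        replies = b""
        while True:
            chunk = client.recv(1024)
            if not chunk:
                break
            replies += chunk
    deadline = time.monotonic() + 5       # the event is appended after the socket closes
    while not hp.events and time.monotonic() < deadline:
        time.sleep(0.01)
    hp.stop()
    server.join(timeout=2)
    return banner, hp.events, replies


if __name__ == "__main__":
    _, events, _ = run_demo()
    for ev in events:
        print(json.dumps({**ev, "indicators": triage(ev)}))
```

The two limits, `max_bytes` and `idle_timeout`, are what keep a low-interaction decoy from becoming a resource-exhaustion target itself; the canned reply is the whole extent of the "interaction", which is exactly why such a system is cheap to run and why it tells you little beyond the first few commands an attacker sends.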

08 Feb 08

Honey Pots: Considerations

Recall that honey pots are themselves only diversions. The only way a honey pot can increase security is by drawing attackers away from real systems and then gaining intelligence on them. There are a number of considerations involved with this method of security. (Based on "Principles of Information Security", pages 320-323.)

  • The legal implications of using honey pots are not well defined. The line between enticement (legal) and entrapment (illegal) can be gray at best, and may be rigorously debated in both the courtroom and the boardroom. Just how low can one dangle the honey and still not bear at least some responsibility for the attackers' actions?
  • Honey pots and padded cells have not yet been shown to be generally useful security technologies.
  • An expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against the organization's real systems.
  • Administrators and security managers need a high level of expertise to deploy and operate these systems safely.

There is also sufficient reason to be concerned with what I call the “honey pot mentality.”

  • Having gathered information on the attacker, administrators are often tempted to back-hack: to break into the attacker's system to gain more information or to cause harm in retribution. This is vigilante justice, pure and simple, and it carries the same legal exposure as any other unauthorized access.
  • Be wary of wasp trap syndrome. When a homeowner wishes to be rid of a few wasps flying in the backyard, they will often set out a wasp trap. Because these traps are scented, they attract far more wasps than were originally present. A honey pot that advertises itself too well does the same: it draws attention, and attackers, that the network would otherwise never have seen.