
Understanding how a hacker works and knowing the tools
they use is key to preventing our systems getting attacked. Using
honeypots could be the answer, says Tareque
Choudhury.
Malicious blackhat hackers are using our networks as
tools. Tools to commit crime. They jump from system to system using
innocent victims as their vehicle to attack and deny vital
services.
In order for security professionals to better defend themselves
against these types of users, we must understand what they do and
how they do it. This is where honeypots are used.
Lance Spitzner, founder of the Honeynet Project, defines the
term honeypot as "a resource whose value is being attacked or
compromised".
This means that a honeypot is expected to get probed, attacked
and potentially exploited. Honeypots do not fix anything, but they
do provide us with additional, valuable information.
A honeypot is a basic system tweaked in order to capture attack
information. An example is a RedHat machine configured as a web
server and tweaked to send its logs discreetly to a remote system
for later analysis.
A honeypot (or honeynet if it involves more than one honeypot)
is created within a simple network and has three levels of logging
that have to be implemented: firewall, intrusion detection
system and system logs.
An IDS should be used to monitor the network traffic so that the
data stream can be logged for network analysis.
A firewall should also be implemented, not to protect the
honeypot itself, but to protect third-party hosts from attacks from
the honeypot.
If the honeypot were to get compromised then one would not want
it to be used as a host to attack other hosts on the internet. What
the firewall also provides is the first level of logging. All
packets must enter the honeypot via the firewall so logging should
be implemented on this device.
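The firewall's two roles described above, containing the honeypot and acting as the first level of logging, can be combined in a small log triage. This is an added example, not part of the original article: the honeypot address, the log lines and the function names are constructed for illustration, and it assumes the firewall writes netfilter-style key=value records and that the honeypot never legitimately initiates a connection.

```python
import re
from collections import defaultdict

HONEYPOT = "10.0.0.5"  # assumed honeypot address (constructed)

# Constructed firewall log lines in the netfilter LOG key=value style.
SAMPLE_LOG = """\
Apr 29 10:15:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40112 DPT=80
Apr 29 10:15:09 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40113 DPT=22
Apr 29 10:21:44 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP SPT=51515 DPT=80
Apr 29 10:40:31 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.80 PROTO=TCP SPT=1034 DPT=6667
Apr 29 10:40:35 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.99 PROTO=TCP SPT=1035 DPT=21
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return the timestamp plus the key=value fields of one log line."""
    rec = dict(FIELD.findall(line))
    rec["time"] = line[:15]  # syslog timestamp, e.g. "Apr 29 10:15:02"
    return rec


def triage(log_text, honeypot=HONEYPOT):
    """Split firewall records into inbound probes and outbound alerts."""
    probes = defaultdict(set)  # source IP -> ports it touched on the honeypot
    outbound = []              # connections the honeypot itself initiated
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("DST") == honeypot:
            probes[rec["SRC"]].add(int(rec["DPT"]))
        elif rec.get("SRC") == honeypot:
            # Assumption: outbound traffic from the honeypot means compromise.
            outbound.append((rec["time"], rec["DST"], int(rec["DPT"])))
    return dict(probes), outbound


if __name__ == "__main__":
    probes, outbound = triage(SAMPLE_LOG)
    for src, ports in sorted(probes.items()):
        print(f"probe  {src} -> ports {sorted(ports)}")
    for when, dst, port in outbound:
        print(f"ALERT  {when} honeypot -> {dst}:{port}")
```

The outbound list is the part that matters for protecting third parties: each entry is a connection the firewall should be blocking or tightly limiting as well as logging.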
Honeypots provide the security professional with knowledge about
security issues such as new trends, tools and exploits.
Most professionals can relay information that a system has been
broken into or a security incident has occurred, but not many can
fully comprehend what has happened and how it has happened - which
is fundamentally important. This is where honeypots play a vital
role as they provide a wealth of information.
The key to building a good and successful honeypot is to make
sure that the data collected is protected and not lost. Without
the captured data, there will be nothing learnt and therefore no
knowledge is gained.
All logs should be sent remotely as discreetly as possible -
this includes the firewall and IDS logs. The logging server should
be on a separate network behind another firewall so that it can be
protected. A good hacker will soon determine that logs are being
sent remotely, and will try and attack the logging server so he or
she can destroy any evidence.
Information technology is vital in today’s society. It assists
in running our healthcare systems, higher education and
government, among other things.
These sectors spend huge amounts of money in research to help
develop technology that is vital to their progress. For example,
the medical field invests in teams of researchers to study new
diseases, so that new defences can be developed.
As such, honeypots are a great research tool in the security
field. I believe that funding needs to be put aside for this type
of research so that we can better equip ourselves as a society in
dealing with cybercrime, cyberterrorism, industrial espionage and
general network-based attacks.
Once we learn about new hacking trends or tools, this
information can be relayed back to suppliers so that new defences
can be developed.
It wasn’t too long ago that we didn’t know about
denial-of-service attacks. Now, however, there are many suppliers
that develop and sell anti-denial-of-service devices.
Who knows what the next big security issue will be? But let’s
catch it, before it catches us!
Tareque Choudhury MSc CISSP, senior network
security specialist for CyberGuard Europe, is speaking in a seminar
on “Honeypots: The Trap is Set” at Infosecurity Europe, Olympia, 29
April – 1 May. www.infosec.co.uk