A few years ago I did my master's dissertation on
honeypots. At that time it was a fascinating subject: information
security was only just starting to be discussed in the boardroom,
in the datacentre and at home.
Hackers were making a name for themselves by breaking into
high-profile systems. However, script kiddies were also making a
name for themselves by using automated techniques that required
very little technical skill in order to gain unauthorised access to
systems. The questions organisations needed to answer were why and
how hackers were operating.
A man by the name of Lance Spitzner came up with a concept that
developed into research, spawning ideas and activities for many IT
students and professionals. The concept of honeynets is quite
simple yet exciting. Honeynets are systems that allow hackers to
break into what they think are genuine systems.
The systems are carefully set up to log and monitor what the
hacker is doing without letting them know they are being
watched.
This allows the researcher to gain a better understanding of the
techniques used to break into systems, and also hopefully allows
them to better understand the hacker’s motivation. Honeynets have
grown tremendously in popularity within the security community, and
so have the tools that have been developed in order to assist in
this type of research.
The Honeynet Project, based in the US, was the founding
organisation to push this research, and over the years other groups
have cropped up, adding to the weight of this research. Today there
is a bootable CD-ROM named “honeywall” that enables you to create
your own honeynet environment – you can’t get much easier than
that. There are also advanced data capture and analysis tools,
because without understanding the captured data the honeynet
research would be useless.
Honeynet research has determined that IRC (Internet Relay Chat)
is still being used as a form of communication for the hacker
community. It has also been noticed that it is taking much longer
for a system to become compromised.
This may point to one of two things: that standard system builds
are slowly becoming more secure, or that script kiddies are
becoming less common and organised malicious activity is becoming
the norm.
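As an added illustration of the capture-and-analysis loop described above (not code from this article or from the Honeynet Project), here is a hypothetical low-interaction honeypot in Python: it accepts any connection on the IRC port, executes nothing, logs each session as one JSON line, and a summary step counts per source address how many sessions spoke IRC. The handler, function and constant names, the addresses and the sample log are all constructed for this example.

```python
import json, re, socketserver
from datetime import datetime, timezone
# Hypothetical low-interaction capture: accept any TCP client, record every
# line it sends, execute nothing. Names and the sample log are constructed.
IRC_COMMANDS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS)\b", re.IGNORECASE)

def make_record(peer, lines, when=None):
    """Build one JSON-serialisable record for a captured session."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "lines": lines,
        "looks_like_irc": any(IRC_COMMANDS.match(l) for l in lines),
    }

class CaptureHandler(socketserver.StreamRequestHandler):
    log_path = "honeypot.jsonl"   # append-only capture log
    def handle(self):
        lines = []
        for raw in self.rfile:    # one line per client message
            lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if len(lines) >= 50:  # cap what one session can make us store
                break
        with open(self.log_path, "a") as fh:
            fh.write(json.dumps(make_record(self.client_address, lines)) + "\n")

def summarise(jsonl_text):
    """Analysis step: sessions and IRC-looking sessions per source address."""
    out = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entry = out.setdefault(rec["src_ip"], {"sessions": 0, "irc": 0})
        entry["sessions"] += 1
        entry["irc"] += int(rec["looks_like_irc"])
    return out

# Constructed sample log: three sessions as the handler above would write them.
SAMPLE_LOG = "\n".join([
    '{"ts": "2005-04-01T10:00:00+00:00", "src_ip": "198.51.100.7", "src_port": 40001, "lines": ["NICK bot123", "JOIN #c"], "looks_like_irc": true}',
    '{"ts": "2005-04-01T10:05:00+00:00", "src_ip": "203.0.113.9", "src_port": 5151, "lines": ["GET / HTTP/1.0"], "looks_like_irc": false}',
    '{"ts": "2005-04-01T11:00:00+00:00", "src_ip": "198.51.100.7", "src_port": 40002, "lines": ["NICK bot124"], "looks_like_irc": true}',
])

if __name__ == "__main__":  # run the listener on the standard IRC port
    socketserver.TCPServer(("0.0.0.0", 6667), CaptureHandler).serve_forever()
```

Run `summarise(open("honeypot.jsonl").read())` after the listener has been up for a while to get the same per-source summary over real captures.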
Many security suppliers use honeynets in order to gain a better
understanding of the threats that are prevalent. For example, a
supplier who creates an anti-spam product will typically set up
systems to detect spam methods so that they can create defences for
their product. This in turn benefits the organisations they sell
into.
Similar techniques are used for developing new defences against
phishing and spyware. Honeynets also allow us to observe how
sophisticated new blended hacking techniques are developed,
combining spam, phishing, pharming, spyware and social engineering
techniques to exploit corporate systems.
One can benefit from this research by learning what the hackers’
tools, techniques and motives are. Today these types of users range
from teenagers looking for a thrill, to organised criminals
interested in profit.
If you are interested in honeynets or want to begin looking into
doing your own research, you can join the Honeypot Security Focus
mailing list or you can visit The UK Honeynet Project.
www.ukhoneynet.org
Tareque Choudhury is a member of the UK Honeynet Project and
is speaking on “Honeynets – how they have evolved” in the seminar
programme at Infosecurity Europe.