A few years ago I did my master's dissertation on honeypots. At the time it was a fascinating subject: information security was just starting to be discussed in the boardroom, in the datacentre and at home.
Hackers were making a name for themselves by breaking into high-profile systems, but script kiddies were also making a name for themselves, using automated tools that required very little technical skill to gain unauthorised access to systems. The questions organisations needed to answer were why, and how, these attackers were operating.
A man by the name of Lance Spitzner came up with a concept that developed into a field of research, spawning ideas and activities for many IT students and professionals. The concept of a honeynet is simple yet exciting: a network of deliberately exposed systems (honeypots) that attackers are allowed to break into, believing them to be genuine production systems.
These systems are carefully set up to log and monitor everything the attacker does, without letting them know they are being watched.
This allows the researcher to gain a better understanding of the techniques used to break into systems and, hopefully, of the attacker's motivation. Honeynets have grown tremendously in popularity within the security community, as have the tools developed to assist in this type of research.
The Honeynet Project, based in the US, was the founding organisation pushing this research, and over the years other groups have cropped up, adding to its weight. Today there is a bootable CD-ROM named “Honeywall” that enables you to create your own honeynet environment; you can't get much easier than that. There are also advanced data capture and analysis tools, because without an understanding of the data captured the research would be useless.
Honeynet research has shown that IRC (internet relay chat) is still being used as a form of communication by the hacker community. It has also been observed that it is taking much longer for a system to become compromised.
This may point to one of two things, or both: that standard system builds are slowly becoming more secure, or that script kiddies are becoming less common and organised malicious activity is becoming the norm. Time to compromise also depends on which services the honeypot exposes and where it sits on the network, so comparisons between deployments need care.
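To show how captured data turns into findings of this kind (time to compromise, brute-force volume, continued use of IRC), here is an added example that is not code from the article, the Honeynet Project or the Honeywall CD: a small Python analyser run over a constructed capture log. The one-event-per-line log format, the sensor names (hp1, hp2) and all addresses are assumptions made for the example.

```python
"""Summarise a honeynet capture log: time to compromise, brute-force volume
and post-compromise IRC use.

Added example; not code from the article, the Honeynet Project or Honeywall.
The one-line-per-event log format below is an assumption made for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Default IRC ports (6665-6669) plus 6697, the conventional TLS port.
IRC_PORTS = set(range(6665, 6670)) | {6697}

# Constructed sample capture, not real data. Two honeypots (hp1 at 10.0.0.5,
# hp2 at 10.0.0.6) deployed at the same time; hp1 is brute-forced, logged into
# and then joins an IRC server, hp2 only sees failed probes.
# Format: <ISO timestamp> <sensor> <in|out|sys> <proto> <src:port> <dst:port> <event...>
SAMPLE_LOG = """\
2006-04-01T00:00:00Z hp1 sys - - - deployed
2006-04-01T00:00:00Z hp2 sys - - - deployed
2006-04-01T03:12:45Z hp1 in tcp 192.0.2.10:41233 10.0.0.5:22 connect
2006-04-01T03:12:46Z hp1 in tcp 192.0.2.10:41233 10.0.0.5:22 login_failed user=root
2006-04-01T03:12:48Z hp1 in tcp 192.0.2.10:41233 10.0.0.5:22 login_failed user=admin
2006-04-01T09:40:02Z hp2 in tcp 192.0.2.10:41500 10.0.0.6:22 connect
2006-04-01T09:40:03Z hp2 in tcp 192.0.2.10:41500 10.0.0.6:22 login_failed user=root
2006-04-02T11:05:01Z hp1 in tcp 198.51.100.7:50012 10.0.0.5:22 connect
2006-04-02T11:05:02Z hp1 in tcp 198.51.100.7:50012 10.0.0.5:22 login_ok user=root
2006-04-02T11:07:30Z hp1 out tcp 10.0.0.5:33001 203.0.113.9:6667 connect
2006-04-02T11:07:31Z hp1 out tcp 10.0.0.5:33001 203.0.113.9:6667 data NICK bot1337
2006-04-02T11:09:00Z hp1 out tcp 10.0.0.5:33002 192.0.2.77:80 connect
"""


@dataclass
class Event:
    ts: datetime
    sensor: str
    direction: str  # "in", "out" or "sys"
    proto: str
    src: str
    dst: str
    event: str      # "deployed", "connect", "login_failed ...", "login_ok ...", "data ..."


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; blank lines and '#' comments are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sensor, direction, proto, src, dst, event = line.split(maxsplit=6)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            sensor, direction, proto, src, dst, event))
    return events


def _port(endpoint: str) -> Optional[int]:
    return int(endpoint.rsplit(":", 1)[1]) if ":" in endpoint else None


def summarise_sensor(events: List[Event], sensor: str) -> Dict[str, Optional[int]]:
    """Derive, for one honeypot, the figures that findings like the above rest on."""
    mine = sorted((e for e in events if e.sensor == sensor), key=lambda e: e.ts)
    deployed = next((e.ts for e in mine if e.event == "deployed"), None)
    first_ok = next((e.ts for e in mine if e.event.startswith("login_ok")), None)

    # Time to compromise: deployment to first successful login, in seconds.
    ttc = int((first_ok - deployed).total_seconds()) if deployed and first_ok else None

    # Brute-force volume: failed logins seen before the first success (all of
    # them if the host was never compromised).
    cutoff = first_ok or datetime.max
    failed = sum(1 for e in mine if e.event.startswith("login_failed") and e.ts < cutoff)

    # Outbound connections after compromise. Those to IRC ports are the
    # "IRC is still used" signal; the total is what the honeynet's data-control
    # layer must throttle so the honeypot cannot be used to attack others.
    out = [e for e in mine if e.direction == "out" and e.event == "connect"
           and first_ok is not None and e.ts >= first_ok]
    irc = [e for e in out if _port(e.dst) in IRC_PORTS]

    return {
        "time_to_compromise_s": ttc,
        "failed_logins_before_compromise": failed,
        "outbound_after_compromise": len(out),
        "outbound_irc_connections": len(irc),
    }


def summarise(text: str) -> Dict[str, Dict[str, Optional[int]]]:
    events = parse_log(text)
    return {s: summarise_sensor(events, s) for s in sorted({e.sensor for e in events})}


if __name__ == "__main__":
    for sensor, stats in summarise(SAMPLE_LOG).items():
        print(sensor, stats)
```

Run stand-alone it prints one line of figures per sensor: hp1 was compromised about 35 hours after deployment after two failed logins, then made two outbound connections, one of them to an IRC port; hp2 was probed but never compromised. On a real deployment the raw events would come from Honeywall's capture tools rather than this made-up format, and the outbound count is the one to watch: a honeypot that can freely connect out after compromise is a liability, not just a sensor.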
Many security suppliers use honeynets to gain a better understanding of the prevalent threats. For example, a supplier of an anti-spam product will typically set up systems to capture spam techniques so that it can build defences into its product, which in turn benefits the organisations it sells to.
Similar techniques are used to develop new defences against phishing and spyware. Honeynets also allow us to observe how sophisticated new blended attacks are developed, combining spam, phishing, pharming, spyware and social engineering to exploit corporate systems.
One can benefit from this research by learning what the attackers' tools, techniques and motives are. Today these attackers range from teenagers looking for a thrill to organised criminals interested in profit.
If you are interested in honeynets, or want to begin doing your own research, you can join the SecurityFocus honeypots mailing list or visit the UK Honeynet Project.
Tareque Choudhury is a member of the UK Honeynet Project and is speaking on “Honeynets – how they have evolved” in the seminar programme at Infosecurity Europe.
This was first published in April 2006