Understanding how a hacker works and knowing the tools they use is key to preventing our systems from being attacked. Using honeypots could be the answer, says Tareque Choudhury.
Malicious blackhat hackers are using our networks as tools to commit crime. They jump from system to system, using innocent victims as their vehicle to attack and deny vital services.
In order for security professionals to better defend themselves against these types of users, we must understand what they do and how they do it. This is where honeypots are used.
Lance Spitzner, founder of the Honeynet Project, defines the term honeypot as a resource whose value lies in being attacked or compromised.
This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything, but they do provide us with additional, valuable information.
A honeypot is a basic system tweaked in order to capture attack information. For example, a RedHat machine configured as a web server, tweaked to send its logs discreetly to a remote system for later analysis.
A honeypot (or honeynet, if it involves more than one honeypot) is created within a simple network and has three levels of logging that must be implemented: firewall, intrusion detection system (IDS) and system logs.
An IDS should be used to monitor the network traffic so that the data stream can be logged for network analysis.
A firewall should also be implemented, not to protect the honeypot itself, but to protect third-party hosts from attacks from the honeypot.
If the honeypot were to get compromised then one would not want it to be used as a host to attack other hosts on the internet. What the firewall also provides is the first level of logging. All packets must enter the honeypot via the firewall so logging should be implemented on this device.
Honeypots provide the security professional with knowledge about security issues such as new trends, tools and exploits.
Most professionals can relay information that a system has been broken into or a security incident has occurred, but not many can fully comprehend what has happened and how it has happened - which is fundamentally important. This is where honeypots play a vital role as they provide a wealth of information.
The key to building a good and successful honeypot is to make sure that the data collected is protected and not lost. Without the captured data, there will be nothing learnt and therefore no knowledge is gained.
All logs should be sent remotely as discreetly as possible - this includes the firewall and IDS logs. The logging server should be on a separate network behind another firewall so that it can be protected. A good hacker will soon determine that logs are being sent remotely, and will try to attack the logging server so he or she can destroy any evidence.
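To show why the three logging levels need to be kept together on a protected logging server, here is an added example (not from the article) that merges constructed firewall, IDS and system-log lines into one per-attacker timeline and flags any connection the honeypot itself initiates, the event the firewall in front of it exists to stop. The line formats, the honeypot address 10.0.0.5 and all addresses are assumptions constructed for the example.

```python
import re
from datetime import datetime

HONEYPOT_IP = "10.0.0.5"  # assumed honeypot address (constructed)

# Constructed sample lines; the formats are assumptions, not the article's.
FIREWALL_LOG = """\
2003-04-01 02:10:01 INBOUND SRC=198.51.100.7 DST=10.0.0.5 DPT=80
2003-04-01 02:10:05 INBOUND SRC=198.51.100.7 DST=10.0.0.5 DPT=22
2003-04-01 02:12:30 OUTBOUND SRC=10.0.0.5 DST=203.0.113.9 DPT=6667
"""
IDS_LOG = """\
2003-04-01 02:10:02 ALERT web probe 198.51.100.7 -> 10.0.0.5:80
"""
SYSLOG = """\
2003-04-01 02:11:40 honeypot sshd: Accepted password for root from 198.51.100.7
corrupted line with no timestamp
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse(source, text):
    """Turn one log source into events; lines without a timestamp are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        detail = m.group(2)
        events.append({"time": ts, "source": source,
                       "ips": IP_RE.findall(detail), "detail": detail})
    return events

def build_timeline(*sources):
    """Merge (name, text) pairs from all three logging levels into time order."""
    events = [e for name, text in sources for e in parse(name, text)]
    return sorted(events, key=lambda e: e["time"])

def attacker_timeline(events, attacker):
    """Everything any of the three sources recorded about one address."""
    return [e for e in events if attacker in e["ips"]]

def outbound_from_honeypot(events):
    """Firewall entries where the honeypot is the client: the compromised
    system is being turned against third parties and should be cut off."""
    return [e for e in events if e["source"] == "firewall"
            and e["detail"].startswith("OUTBOUND SRC=" + HONEYPOT_IP + " ")]
```

Run `build_timeline(("firewall", FIREWALL_LOG), ("ids", IDS_LOG), ("syslog", SYSLOG))` and pass the result to the two query functions; the corrupted syslog line is dropped rather than breaking the merge.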
Information technology is vital in today’s society. It assists in running our healthcare systems, higher education and government, among other things.
These sectors spend huge amounts of money in research to help develop technology that is vital to their progress. For example, the medical field invests in teams of researchers to study new diseases, so that new defences can be developed.
As such, honeypots are a great research tool in the security field. I believe that funding needs to be put aside for this type of research so that we can better equip ourselves as a society in dealing with cybercrime, cyberterrorism, industrial espionage and general network-based attacks.
Once we learn about new hacking trends or tools, this information can be relayed back to suppliers so that new defences can be developed.
It wasn’t too long ago that we didn’t know about denial-of-service attacks; now, however, there are many suppliers that develop and sell anti-denial-of-service devices.
Who knows what the next big security issue will be? But let’s catch it, before it catches us!
Tareque Choudhury MSc CISSP senior network security specialist for CyberGuard Europe is speaking in a seminar on “Honeypots: The Trap is Set” at Infosecurity Europe, Olympia 29 April – 1 May www.infosec.co.uk
This was first published in April 2003