Why Honeypots Are Sweet

Honeypots may not be practical for the enterprise, but you can still learn a lot from them

3:10 PM -- The Honeynet Project is responsible for some of the best security research in its "Know Your Enemy" (KYE) series of papers and several books. This summer was busy for the organization, with Niels Provos and Thorsten Holz publishing a book, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, and several members of the German and New Zealand Honeynet Projects releasing the KYE: Malicious Web Servers paper. (See Sweetening the Honeypot.)

Provos and Holz's book is an excellent introduction to honeypots and honeynets. It also includes detailed information on Honeyd (a low-interaction honeypot) and on virtualizing honeypots, for those who are already well-versed in honeynet technology. After a few chapters defining the terminology, the book dives into how to use and customize Honeyd, how to use honeypots to collect malware -- and even how to detect honeypots. (I'm now halfway through the book myself, and highly recommend it.)

True, honeypots are impractical for most enterprise settings. But don't discount these tools and techniques: The Honeynet Project's malicious Web servers paper, for instance, focuses on client-side attacks targeting Web browser flaws and overzealous link-clicking users. And if you're in enterprise IT security, you know the security battleground has moved from network-based attacks targeting things like SMB and RPC vulnerabilities, to client vulnerabilities and user ignorance.

Any organization can become the target of malicious attackers looking for a Web server to host their malware. Forum, image gallery, and blogging software are common vectors of attack, and if you're responsible for any of those, then client honeypots like Capture and HoneyC might be something to consider deploying. They vary in level of sophistication, but they basically traverse your Website looking for malicious content, based either on signatures or on the file, registry, and process changes that occur after visiting a Web page. This helps with sites whose content changes frequently due to development or user modifications.
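The signature-based traversal described above, sketched as an added example (not code from Capture, HoneyC, or the original column). The site contents, the `crawl` and `PageScanner` names, and the two detection rules are constructed for illustration; a dictionary stands in for HTTP fetches so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed site (URL -> HTML) standing in for live HTTP responses.
SITE = {
    "http://forum.example/": '<a href="/thread/1">t1</a> <a href="/gallery">g</a>',
    "http://forum.example/thread/1":
        '<p>hi</p><iframe src="http://cdn.invalid/x" width="0" height="0"></iframe>',
    "http://forum.example/gallery":
        '<a href="/">home</a><script>eval(unescape("%61%6c"))</script>',
}
# Illustrative content signatures (assumptions, not rules from any real tool).
SIGNATURES = {"obfuscated-script": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)}

class PageScanner(HTMLParser):
    """Collects links to follow and flags hidden iframes pointing off-site."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.hits = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "iframe" and a.get("src"):
            src = urljoin(self.base, a["src"])
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            external = urlparse(src).netloc != urlparse(self.base).netloc
            if hidden and external:
                self.hits.append("hidden-external-iframe")

def crawl(start, fetch=SITE.get):
    """Breadth-first walk of same-host pages; returns {url: [signature names]}."""
    host = urlparse(start).netloc
    queue, seen, findings = [start], set(), {}
    while queue:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        scanner = PageScanner(url)
        scanner.feed(html)
        hits = scanner.hits + [n for n, rx in SIGNATURES.items() if rx.search(html)]
        if hits:
            findings[url] = sorted(hits)
        queue.extend(scanner.links)
    return findings

if __name__ == "__main__":
    for page, names in crawl("http://forum.example/").items():
        print(page, names)
```

Re-running a scan like this on a schedule is what makes it useful for pages that users or developers keep changing; the behavioral approach (watching file, registry, and process changes) needs an instrumented client and is not shown here.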

So check out the resources available at the Honeynet Project's Website. You don't have to deploy a honeypot, but learning more about the technology could give you a bit of knowledge needed to prevent the next attack.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
