Instead of putting out bait to encourage people to have a go at fragile systems what about hardening the stuff you've got or put it in segments behind stuff you can harden? Putting out fragile honeypots can lead to wasting time on the merely curious who are no real threat to systems that are not fragile.
Yes - bait on an internal network to catch people who see the "shiny" and act. The question to ask before deploying such things is to ask yourself (or your boss) what your job actually is. Is it to catch a number of people and meet some sort of "arrest quota" or is it to actually protect things? If it's the former then putting up fragile things to attract the attention of the weak willed may be a go, but if it's the latter you may well just be wasting time while the serious threats are getting into your serious systems. They could be getting in while you are distracted playing this game.
IMHO you are better off having better monitoring on the serious systems on a properly segmented network and watching that instead of scattering toys about and looking to see who they distract.
Honeypots are a cool research tool for seeing what people out on the net are trying to do, but as a security measure on internal networks? Sounds more like buzzword overload than anything useful in that situation unless you want some heads on pikes of the entrapped to scare people.
If I'd pulled this shit and enforced some sort of penalty I'd probably be down three or four decent developers because they decided to take a bit of a look around the local network when they first started. Those are just the ones that did really obvious portscans from their own desktop computers so there may have been more.
The aim of honeypots in this scenario isn't to bait out people but software. The first thing that a targeted piece of malware is likely to do is find other systems to infect and map out the internal network. If a computer in the accounts department is suddenly firing off CIFS requests at your honeypot it is an anomaly that should be investigated. It's much easier to find dodgy traffic if there isn't supposed to be any rather than looking for it in the corporate network as a whole.
If it turns out it was a bored intern browsing the local network then the situation can be explained. If it was an opened dodgy e-mail or other attack vector then the machine can be wiped and connection logs gathered so that a clean-up operation can be attempted.
Let's consider the last piece of malware I dealt with. It searched the network for shared storage and did nasty things on the storage. The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible. The honeypot storage, on the other hand, gets NO legitimate traffic. Any traffic to the honeypot is worth investigation. That makes it a much more reliable way to find malware or ot
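An added example, not code from any poster in this thread: a small Python detector that applies the "zero legitimate traffic" rule from the two comments above to constructed flow-log lines (the decoy and production server addresses are assumed), separating a sweep across several decoys from a single stray touch, and showing why the same rule cannot be applied to the busy production share.

```python
from collections import defaultdict

# Constructed flow records (not real logs): "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.1.20.15 10.1.0.5 445 tcp
2024-05-01T09:00:02 10.1.20.16 10.1.0.5 445 tcp
2024-05-01T09:00:03 10.1.20.15 10.1.0.250 445 tcp
2024-05-01T09:00:04 10.1.20.15 10.1.0.251 445 tcp
2024-05-01T09:00:05 10.1.20.15 10.1.0.252 139 tcp
2024-05-01T09:00:06 10.1.30.8 10.1.0.250 445 tcp
2024-05-01T09:00:07 10.1.30.8 10.1.0.5 445 tcp
"""
# Assumed addresses: decoy shares nobody should ever talk to, and the busy production server.
HONEYPOT_HOSTS = {"10.1.0.250", "10.1.0.251", "10.1.0.252"}
REAL_FILE_SERVER = "10.1.0.5"

def parse_flows(text):
    """Split the whitespace-separated records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows

def honeypot_alerts(flows, honeypots):
    """Every source that touched a decoy. No baseline is needed: the expected volume is zero.
    A sweep across several decoys looks like network mapping; a single touch gets a phone call first."""
    touched = defaultdict(lambda: {"decoys": set(), "connections": 0})
    for f in flows:
        if f["dst"] in honeypots:
            touched[f["src"]]["decoys"].add(f["dst"])
            touched[f["src"]]["connections"] += 1
    return {src: {**t, "verdict": "sweep" if len(t["decoys"]) > 1 else "single touch"}
            for src, t in touched.items()}

def production_request_counts(flows, server):
    """Per-source counts against the real server, where nearly every line is legitimate."""
    counts = defaultdict(int)
    for f in flows:
        if f["dst"] == server:
            counts[f["src"]] += 1
    return dict(counts)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, info in honeypot_alerts(flows, HONEYPOT_HOSTS).items():
        print(f"INVESTIGATE {src}: {info['verdict']} of {sorted(info['decoys'])} ({info['connections']} connections)")
    print("production share requests by source:", production_request_counts(flows, REAL_FILE_SERVER))
```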
I should emphasize strange traffic being investigated doesn't mean anyone gets in trouble. The head of security cut off my network port once when he detected something weird. I explained what I was doing. He pointed out a security concern, and we agreed to a compromise configuration we could both live with.
Do you have any idea how much traffic a corporate mail server can get?
If your network is too large to comprehend then apply an engineering solution instead of a basket weaving solution and handle things in manageable chunks. Since IT folk like to pretend they are engineers (which was to my benefit when I changed careers from engineering a couple of decades back) why not act like them? Suspicious stuff coming in or out of segments is one way of tracking, does that really compare with hoping something random
I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot. I can see now why you grasp at straws such as honeypots and hope the malware is so badly written that they randomly get attacked before your real systems instead of the malware taking a look at what the machine it is on has connected to in the past. After they do
> I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus
> updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot.
Yep, welcome to office networking. In a government office, throw in a few DOS terminals and other systems that haven't seen a security update since 1982.
Once again - network monitoring. If something starts sniffing around your machines that only get specific traffic from specific hosts on specific ports that rings alarm bells better than letting some fragile thing get owned and be used for who knows what before you can respond.