Internet Honeypots: Protection or Entrapment? Brian Scottberg, William Yurcik, David Doss
1. Introduction
For the following reasons, good data is needed about Internet attacks:
Real threat data is needed to design good security products. Trend data may help predict what Internet attacks will come next so protections can be prepared now.
Unfortunately, there is little if any good data about Internet attacks; most is anecdotal. Good data is hard to find because of the low detection rate of Internet attacks and because the quality of the data organizations disclose about detected attacks is poor. This lack of information makes it difficult to design good security products and processes [10]. The Computer Security Institute (CSI) has conducted annual computer crime surveys coordinated with the FBI. In 2001, 64% of IT security executives at large corporations and government agencies acknowledged financial losses attributable to security breaches [9]. The CSI/FBI survey is not statistically generalizable, however, due to the small sample size (538 respondents), self-selected survey pool, and lack of response validation. The Honeynet Project measures actual computer attacks on the Internet [5,6]. According to their most recent results, a random computer is scanned dozens of
The rest of this paper is organized as follows: Section 2 describes the two primary ways honeypots are used and Section 3 presents different honeypot deployment strategies that have developed. Section 4 categorizes available honeypot systems. Section 5 discusses the larger societal ramifications of using honeypots to provide security. We close with a summary and conclusions in Section 6.
There are polarized views on the effectiveness of different honeypot deployments. Table 1 shows a variety of established deployments of honeypots.

Table 1. Honeypot Deployment Strategies
Strategy | Description
Sacrificial Lamb | an isolated system that has no entry point to any production systems
Deception Ports on Production Systems | simulated honeypot services substituted for well-known services (www, smtp/pop, dns, ftp)
(name not recovered) | deploy honeypot decoys in close proximity to production hosts (same logical subnet)
(name not recovered) | by using port redirection on an upstream router or firewall, you can make it appear that honeypot services are on a production system
(name not recovered) | honeypots (in quantity) placed in the forefront to serve as the first attack targets for any scans
Zoo | an entire subnet of honeypots with varied platforms, services, vulnerabilities, and configurations; called a zoo because attackers are in cages resembling their natural habitat
3. Deployment Strategies
The core characteristics of a honeypot are [7]:
- superficial facade (platform, OS) appears real
- service behavior (responses, traffic, files) appears real
- partially disabled to prevent use as an attack launch pad if compromised
- does not have any channels to production computers or networks
- trips various levels of alarms when any activity is encountered [11]
- maintains detailed log information of all activity
Honeypots can be deployed in two broad categories: production or research. The purpose of a production honeypot is risk mitigation. In this deployment, honeypots are often used as reconnaissance or deterrence tools within a specific organization. The deployment of honeypots for research does not add direct value to a specific organization but does gather intelligence for entire communities and indirect benefits include improved attack prevention, detection, and reaction.
Advocates argue that a honeypot can be an effective deterrent. Honeypots are also used as early warning systems that log and alert about hostile activity before production systems are targeted. Honeypots can sidetrack attackers' efforts, causing them to devote attention to activities that cause neither harm nor loss. Most importantly, tracking an intruder in a honeypot reveals invaluable insights into attacker techniques and ultimately motives, so that production systems can be better protected. You may learn of vulnerabilities before they are exploited. Ultimately, honeypot observation may provide a predictive capability of which production targets are vulnerable, when they may be attacked, and what techniques will be used. Detractors argue that honeypots placate attackers by giving them what they want: a system to break into, to plant Trojan horses on, and to destroy file systems on. Intruders may come to know honeypots for what they are, such that they become ineffective tools for finding and controlling the devoted outside attacker. The strongest negative of honeypots is the level of effort to deploy, maintain, and actively monitor them. Detractors say this effort may be better spent protecting the production systems. Lastly, detractors emphasize that blocking outbound traffic is essential, or a honeypot could become a platform for other attacks.

Logging information from a honeypot is problematic. Logging directly on the honeypot itself is vulnerable if the honeypot is compromised (logs can be altered or erased). For this reason, it is recommended that a bogus log configuration file be kept on the honeypot while actual logging is sent to a dedicated server using encryption to mask the activity, although there is still the potential for detection. There is a fundamental limitation of honeypots that is similar to that of signature-based network intrusion detection systems: the honeypot must know of a vulnerability in advance to properly simulate it. If an attack is new or unknown, the honeypot will be revealed by its inappropriate responses. This is why honeypot advocates recommend using the sacrificial lamb strategy of real dedicated machines if at all possible. Honeypots can be very useful as part of a comprehensive security program. The level of effort to deploy and manage them is secondary to the time and resources needed not only to monitor but also to act quickly on events. For organizations with limited resources, the next section describes available honeypot systems that are easily configurable.
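As an added illustration of the deception-ports strategy and of the simulation limit described above (this is example code, not the paper's or any product's), a minimal low-interaction FTP decoy that answers only a canned command table, records every line, and raises its alarm level when it has to improvise; the hostname and command set are constructed:

```python
"""Low-interaction 'deception port': a fake FTP service that answers only the
commands it was told about and records every line it sees.  Added example,
not code from the paper; the command table and hostname are constructed."""
import datetime

# Replies for the commands the emulator knows.  Anything else gets a generic
# reply, which is the paper's limitation: behaviour the honeypot was not
# primed for is answered inappropriately and can give the decoy away.
KNOWN = {
    "USER": "331 Password required.",
    "PASS": "230 Login successful.",
    "SYST": "215 UNIX Type: L8",
    "PWD": '257 "/" is the current directory.',
    "QUIT": "221 Goodbye.",
}
# Must read the same as the banner on the real production hosts (section 5).
BANNER = "220 ftp.example.invalid FTP server ready."  # constructed hostname


class DeceptionFTP:
    """State for one connection.  Nothing received is ever executed."""
    def __init__(self, peer):
        self.peer = peer
        self.log = []            # detailed record of all activity
        self.unemulated = []     # commands we had no canned answer for

    def _record(self, direction, text):
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.log.append(f"{stamp} {self.peer} {direction} {text}")

    def alarm_level(self):  # any traffic is suspicious; improvising rates higher
        return "high" if self.unemulated else "low"

    def handle(self, line):
        self._record("<-", line)
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in KNOWN:
            reply = KNOWN[verb]
        else:
            self.unemulated.append(verb)
            reply = "502 Command not implemented."
        self._record("->", reply)
        return reply


def run_session(peer, lines):
    """Drive one session; return (replies, alarm level, log lines)."""
    sess = DeceptionFTP(peer)
    sess._record("->", BANNER)
    replies = [sess.handle(line) for line in lines]
    return replies, sess.alarm_level(), sess.log
```

The log list is what would be shipped to the dedicated logging server the paper recommends rather than kept on the decoy.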
Table 2. Honeypot Systems
System (vendor) | Description
(not recovered) | simulates a BackOrifice server; listens for BackOrifice (Windows Trojan program) and responds appropriately while logging various services
CyberCop Sting (Network Assoc./PGP) | simulates an entire network segment of routers/hosts on a single system; can mimic multiple OSs; responds appropriately to attacker requests for specific services and logs activity
(not recovered) | listens to service requests on ports normally blocked and provides responses to attacker requests while logging activity
(not recovered) | simulates Cisco IOS, Unix, and Windows services (with different versions of the same service) to mimic the real services; can simulate an entire Class C network of hosts running network services
(not recovered) | runs a real, complete Unix-Solaris OS in a jail configuration with no emulation; provides deception hosts with unique/revisable data
(not recovered) | dedicated PC that simulates multiple OSs and multiple services, with variable levels of security
(not recovered) | honeypot OS executing virtually within a host OS
4. Honeypot Systems
Although the concept of a honeypot system is not new, the availability of commercial honeypot systems is new. Table 2 shows a representative sample of currently available honeypot systems. Commercial-grade honeypots are relatively new. Freeware honeypots have been used for some time, but in a business situation commercial products dominate. Although commercial honeypots are simpler than building a specialized honeypot from scratch using open source freeware, they do not eliminate the need for expertise in monitoring. For example, commercial honeypots send alerts to an operator that an event has occurred; however, a skilled analyst with attack knowledge is needed to correlate supporting data (packet traces, firewall/intrusion detection logs) to analyze, identify, and contain the attack. Table 2 shows two primary types of honeypots: (1) hardware-based servers, switches, or routers that have been partially disabled and made attractive with commonly known misconfigurations, and (2) software simulation honeypots, which are deception programs that emulate system software (OS) and services.
Recourse Technologies (multiple OSs)
5. Societal Issues
There is no legal precedent yet established in regard to honeypots. The issue of entrapment is relevant if an attacker is intentionally lured to a honeypot: there must be no tacit permission to access the system, so banners should be carefully stated and identical on both the production and honeypot systems. Even with careful honeypot deployments, luring intruders to a network is dangerous because they may instead attack the production servers while avoiding the honeypots. An entrapment legal defense may nullify the prosecution of attackers by law enforcement agencies. If you are not a law enforcement officer you cannot entrap. The primary rationale for the concept of entrapment is to mitigate the possibility that an otherwise law-abiding citizen could be encouraged to engage in illegal conduct.

"Entrapment is the conception and planning of an offense by an officer, and his procurement of its commission by one who would not have perpetrated it except for the trickery, persuasion, or fraud of the officers." [The accepted standard legal definition of entrapment as stated by Justice Roberts in 1932 in Sorrells vs. United States]

In law enforcement sting operations, police engage in encouragement activity. The key to establishing entrapment is predisposition: would the attacker have committed the crime without encouragement activity (beyond a reasonable doubt)? Affording the means for somebody to commit a crime is not the same thing as encouraging the crime [2]. The legal definition of entrapment does not apply to non-law-enforcement organizations, so honeypot operators cannot be prosecuted for entrapment. There is even a question of whether encouragement activity exists for law enforcement agencies, since attackers scan, target, and intrude upon honeypots on their own initiative. Viewing files and intercepting communication (chat or email) on a honeypot is relevant to privacy laws. The intruder's files are not protected since there is no legitimate account or privileges. While there is case law about the loss of the right of privacy for files stored on a stolen computer or files on a compromised computer without the owner's authorization, there is little or no case law on interception of communications relayed through a compromised computer [5]. Honeypots do not provide public accounts for communications and they are not service providers, thus they are not bound by common carrier legislation. In the US, the two main laws are the Electronic Communication Privacy Act (18 USC 2701-11) and the Wiretap Statute (Title III, 18 USC 2510-22).
When implementing honeypots in other countries, privacy laws will be different, so it would be prudent to review all legal issues with legal counsel before proceeding [5]. If the honeypot is compromised in such a way that it allows outbound traffic, it may be used as a platform to attack other systems. In this case, the owner of the honeypot may be liable for lacking due diligence over corporate assets. In a worst-case scenario such a situation may even be considered gross negligence because of a hazard that was deliberately set up and not properly supervised. To lure activity, the honeypot must be made attractive to potential attackers, and this has motivated the creation of false data for honeypots. Consider the ramifications of planting false data on honeypots. An intruder may make the false data publicly available; typically this is done at cracker websites or in chat rooms, but it could be a news media outlet. The false data planted on the honeypot could have unintended consequences such as affecting an organization's stock price or reputation (or both).
6. Conclusions
Honeypots are an interesting sociological and technical experiment. Honeypots have already confirmed what we already suspected: systems connected to the Internet are under constant attack. The use of honeypots will continue to grow in the near term, and as future attacks use more advanced spoofing techniques to make them difficult to trace, the role of honeypots is likely to become more important. With all national critical infrastructures dependent upon underlying computer systems, honeypots appear to be an attractive homeland defense tool - attacks can be detected early at strategically deployed honeypots and then analyzed quickly for warning and protective action. As the Chinese warrior and philosopher Sun Tzu stated 2000 years ago, "All warfare is based on deception." The current poor state of security on the Internet, the increasing level of Internet attacks, and the threat of terrorist action have created an environment we would characterize as an unconventional information war in which the role of deception is very relevant [4]. This war is asymmetric, with the attacker at a distinct advantage: a defender of computer systems must secure all vulnerabilities within their multiple interconnected systems, or a single vulnerability may compromise all systems, while an attacker need only find a single exposed vulnerability to exploit in any of the interconnected systems. Alone, honeypots are vulnerable themselves, but they can be an important part of a comprehensive strategy that confuses, deters, and traps attackers. The sociological and legal issues behind the use of honeypots in cyberspace present new challenges that do not have direct precedents in the physical world.
7. References
