Subject: Re: Cracked; rootkit - entrapment question?
From: Chuck Phillips (cdp at PEAKPEAK.COM)
Date: Sat Mar 04 2000 - 04:43:32 CST
- Next message: Damian Gerow: "Weird UDP packets"
- Previous message: Xander Jansen: "UDP Probes (?) from port 28432 to 28431 ?"
- Next in thread: CL: Nelson, Jeff: "Re: Cracked; rootkit - entrapment question?"
- Maybe reply: Chuck Phillips: "Re: Cracked; rootkit - entrapment question?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jason Lewis writes:
> Why go through all the time and effort to create a honeypot? Why don't
> you concentrate on securing the systems they have and putting up some
> kind of firewall. Are you getting paid to exact revenge for someone
> exploiting a lack of security?
I can't speak for the original poster, but there are other reasons for
constructing a honeypot.
1. Understanding what kinds of attacks are being launched in general by
direct observation. This can provide a great education.
2. Knowing what kinds of attacks, how often, etc., are being attempted on
your own network specifically. This can be a great adjunct to your IDS.
3. Diverting attention away from more important machines in the short term.
In the long term, this can backfire. After all, where there's one
interesting machine, there may be others. Still, by observing the
cracker, it may help in identifying the best steps to take in protecting
the rest of your hosts -- *before* they are attacked.
> I may be naive, but it seems like calling in the FBI is like trying to
> kill a housefly with an Elephant gun.
If no serious harm is done, and I do consider DoS as one form of harm, then
calling the authorities is probably a waste of your time and theirs. Just
log it for future reference and move on. Persistent attacks are another
form of harm because they continually divert resources away from other
tasks. If that darn script kiddie just won't go away or starts to escalate
attacks as you lock things down, it's time to do something about it.
Sooner or later, that kiddie is going to do someone serious harm even if it
isn't to you.
Just MHO,
Chuck