 
From: Lammers, Matthew D (LammersM_at_BATTELLE.ORG)
Date: Thu Sep 19 2002 - 08:13:11 CDT


    Hello,

    Four separate concerns arise in wishing (or having) an attacker
    find your honeypot *after* he (or she) has pillaged the rest of your
    systems:

    1.) Do you really want this unwanted "guest" around any longer?
    Although the opportunity to learn is there, the hours going in
    to track the activities might be prohibitive over getting the
    compromised systems returned to a functional and secured state.

    2.) Can you keep the attacker interested in only the honeypot?
    While you begin to investigate and repair your other systems,
    you might potentially raise suspicion when the attacker can't
    get back into other systems that have been rooted. Or, the attacker
    might notice the cleanup effort around him and leave quickly, thus
    quashing your intention of successfully learning from him.

    3.) Could this cascade into a different attacker coming into your
    network for a visit when it becomes known how vulnerable your
    systems are? Is the attacker going to invite friends? Maybe not,
    but what if you get two visitors at once? How do you react?

    4.) If organizations know a hacker is inside, but don't know the
    extent of his damage, how can one be certain they've only got a single
    hacker versus a few hackers? And can one accurately map the damage
    by using honeypots? Maybe. Maybe not. This is where other tools
    are helpful, like Tripwire, IDS, remote logging, watchful admins, etc.

    A honeypot is probably not a good diagnostic tool to use for attacks
    on other systems.

    My general thoughts are this:

    "If they find a honeypot, great. Let's learn by watching that. If they
    are in any other system but our honeypot, get them out - quickly."

    I wouldn't want to appear complacent or non-reactive to an attack
    in a system other than a honeypot. I would want the attacker to
    realize that we are aware of his presence, and it is unwelcome.

    Just my $0.02.

    Regards,
    -Matt.

    -----Begin Original Message-----
    From: Lance Spitzner [mailto:lance@honeynet.org]
    Sent: Wednesday, September 18, 2002 10:40 PM
    To: honeypots@securityfocus.com
    Subject: Incident Response - smoking attackers out

    I was chatting with a fellow honeypot geek; he had an interesting
    point of view on honeypots I wanted to bounce off you folks,
    specifically, using honeypots for incident response. The concept
    being, there are times when organizations, especially large ones,
    know they have been broken into and know the attacker is still
    inside, but do not know who the attacker is or what damage they
    are doing. Potentially, honeypots could be deployed internally
    to capture the attacker's activity, identify the damage they
    have done, and even be used to identify the attacker himself.

    I was really intrigued by this idea. Thoughts about using
    honeypots for incident response?
    -----End Original Message-----