RE: Honeypot Defintion - over thinking it.

[Jon Price <jon () nytimes com>]

At 10:01 PM 5/25/2003 -0700, Kohlenberg, Toby wrote:
> While it's a good attempt, I think you've over-constrained/over-defined 
> the term. Consider-
> the purpose of a honeypot might have nothing to do with learning about 
> hacking techniques and thereby improving
> security.

Yes, I see your point.

> For instance, you might set one up as a trap to find internal attackers.
>
> Also, as with many art forms, I think that in giving a definition, you 
> want to remove anything that isn't essential. Hence
> the comment about a honeypot usually being a dedicated computer should be 
> removed. It might be accurate, but it doesn't
> add anything essential to the definition.

I agree.

>  In addition, I think we can and should remove the term "system" from the 
> first sentance.

right.

> Perhaps:
> A honeypot is a security tool, consisting of a system or dataset for which 
> there is no legitimate reason for anyone to
> interact with and therefore _all_ use can be considered unauthorized. The 
> system or dataset is usually configured to easily allow
> attackers to access it in order to entice them.

Sounds good to me.


> That captures the key points I've heard so far:
> You want attackers to go to honeypots.
> and
> No one has a legitimate reason for being on a honeypot.

right, those are the key points.

> But it doesn't add any constraints about what else you might do with a 
> honeypot. I think the last sentance is awkward, any suggestions
> on rephrasing it?

I like the term "entice".


> toby
>
>
> -----Original Message-----
> From: Jon Price [mailto:jon () nytimes com]
> Sent: Sunday, May 25, 2003 6:43 PM
> To: Kohlenberg, Toby; cta () hcsin net; honeypots () securityfocus com
> Cc: Lance Spitzner
> Subject: RE: Honeypot Defintion - over thinking it.
> another try.  I'm trying to incorporate Toby's point about how a honeypot 
> is different from other computers on the network.
>
> A honeypot is a system security tool, usually a dedicated computer, which 
> purposely allows intruders to enter so that - unbeknownst to them - their 
> hacking techniques and the system vulnerabilities they exploit can be 
> learned about and used to improve system security.
>
> Jon
>
>
>
>
>
> At 04:47 PM 5/25/2003 -0700, Kohlenberg, Toby wrote:
> > I've seen a number of interesting suggestions and lots of good thoughts
> > but
> > I keep seeing definitions that seem overly complex.
> > Here's my reasoning- you can use a honeypot for lots of things-
> > research, intrusion
> > detection, entertainment (the honeypot drinking game? every time your
> > attacker tries
> > a DOS command on a unix system you have to drink! ), whatever. The
> > question isn't what
> > you're using it for. The question is, how is a honeypot different from
> > any other system
> > on the network? For instance, the definition that has been offered up
> > recently:
> > "A honeypot is an information system resource who's value lies in
> > monitoring
> > unauthorized or illicit use of that resource"
> > is a good start but it doesn't get to the heart of the matter. Any
> > system may
> > have value in monitoring it for unauthorized or illicit activity.
> >
> > The key distinction about a honeypot is that there is _no_ legitimate
> > reason for someone
> > to be on it. Therefore, I submit this definition:
> >
> > "A honeypot is a system or dataset for which there is no legitimate
> > reason for someone
> > to interact with it and therefore _all_ use can be considered
> > unauthorized."
> >
> > I think it really is that simple. What do y'all think?
> >
> > toby
> >
> > > -----Original Message-----
> > > From: Bernie, CTA [mailto:cta () hcsin net]
> > > Sent: Saturday, May 24, 2003 7:33 AM
> > > To: honeypots () securityfocus com
> > > Cc: Lance Spitzner
> > > Subject: Re: Honeypot Defintion - Almost There, or a new path?
> > >
> > >
> > >
> > > I feel Marc's perspective has merit.
> > >
> > > After pondering the definitions presented thus far, and while
> > > considering a simple technical definition of a Computer, i.e., "A
> > > device that receives, stores, processes, and presents data in
> > > response to commands", I suggest this definition:
> > >
> > > Honeypot:
> > > "An automated computer system for detecting erroneous,
> > > unauthorized or illicit use of system resources."
> > >
> > > As an old embedded system engineer, I decided to include
> > > the word "automated" as to infer the implicit use of 5 basic
> > > functions of automation:
> > > 1. Collection of Information
> > >
> > > 2. Communication of Information (man-machine, machine-
> > > machine)
> > >
> > > 3. Computation of Information  (data logging and data
> > > processing)
> > >
> > > 4. Control of Operations (both human and machine)
> > >
> > > 5. The logical coordination among the preceding four functions
> > >
> > > I use the word "detecting" to move away from the user
> > > application and *legal* usage, which may include "monitoring".
> > >
> > > I included the word "erroneous" to express that honeypots
> > > may also detect incidents which are not specifically
> > > unauthorized or illicit. For example, we deploy a honeypot as
> > > a security safeguard - When a legitimat User attempts to login
> > > to their website. However, after failing to correctly enter their
> > > password more than X times, the User triggers the security
> > > safeguard and is automatically redirected to the honeypot to
> > > detect if the incident is an erroneous action, unauthorized or
> > > illicit.
> > >
> > > I have used honeypots in this topology for some time and have
> > > foud the resource significantly beneficial in design, debug and
> > > enhancement of a systems functional utility as well as the
> > > user interface of web-based applications.
> > >
> > >
> > > Thoughts?
> > >
> > >
> > > On 23 May 2003, at 17:05, Marc Dacier wrote:
> > > >
> > > > Based on this "usage", is this "information system resource" a
> > > > honeypot ? I would tend to say yes but your definition leads me
> > > > to believe that you would say no.
> > > >
> > > > Can't we come up with a definition that does not take the usage
> > > > into account at all ?
> > > >
> > > > >Since this is the preferred option of the two, this is
> > > > >what we will go with.
> > > >
> > > > Mmmmm ... the least worst of the two 'definitions' does not
> > > > make a good one :-)
> > > >
> > > > Reactions, remarks ?
> > > >
> > > > Cheers,
> > > > Marc
> > > >
> > >
> > > On 23 May 2003, at 9:30, Lance Spitzner wrote:
> > >
> > > <snip>
> > >
> > >  "A honeypot is an information system resource who's
> > >     value lies in monitoring unauthorized or illicit use
> > >     of that resource"
> > >
> > >
> > >    "A honeypot is an information system resource who's
> > >     value lies in unauthorized or illicit use of that
> > >     resource"
> > >
> > > <snip>
> > >
> > > -
> > >
> > > -
> > > ****************************************************
> > > Bernie
> > > Chief Technology Architect
> > > Chief Security Officer
> > > cta () hcsin net
> > > Euclidean Systems, Inc.
> > > *******************************************************
> > > // "There is no expedient to which a man will not go
> > > //    to avoid the pure labor of honest thinking."
> > > //     Honest thought, the real business capital.
> > > //      Observe> Think> Plan> Think> Do> Think>
> > > *******************************************************
> > >