Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 21 Jun 2004 07:15:47 -0700 (PDT)

Robert,

> An astute observation. A more proper (closer) analogy than the HUP is
> the Criminal Forensics Sciences principle that states, essentially,
> investigating a crime scene contaminates the crime scene.

I believe you're referring to Locard's Exchange
Principle.  Would this be correct?

Even so, I don't think that given what I'm trying to
get at, Locard's is more correct.  Essentially, what
I'm asking is, if the really, really bad guys (i.e.,
collectively referred to as the mysterious and
ethereal "underground" or "blackhats") know that
someone's watching, would they be inclined to use
their latest and greatest techniques, knowing that
doing so would leave evidence on a (properly set up,
monitored, and managed) honeypot that could be used to
identify that technique, and potentially warn others,
allowing them to protect their systems?

> Starting from the moment of discovery of the crime, each action taken
> during the investigation disturbs the evidence somewhat

I could see very well how Locard's would apply toward
incident response investigations...a supposedly
compromised system is approached by a first responder
or investigator.  
 
> HUP is an example of a broader "law" which manifests itself in various
> manners across all reality.

Exactly.

> Each attack will be tailored to the particular system under attack
> according to the characteristics of the system under attack.

True, but that can't be done until the particular
system is identified...either a priori, or through OS
fingerprinting or header/banner analysis.  Some sort
of a priori knowledge of the system(s) can be obtained
through asking, disgruntled employees, DNS zone
transfers, etc...all without sending packets to the
system itself.

But that's where we get off topic, I'm afraid.  My
original question still applies...if an attacker has a
new technique or exploit, how likely is he/she to use
it knowing that honeypots are in use?  

Thanks for the response,

Harlan

