Honeypots mailing list archives

Minefields


From: Lance Spitzner <lance () honeynet org>
Date: Tue, 22 Jun 2004 23:00:16 -0500

The important question is not "are honeypots in use" but "is *this* *particular* system that I'm considering as the next machine to probe in fact likely to be a honeypot?". I don't *care* if the site has 2,000 honeypots scattered world-wide. I only care "Is this box labelled www3.target-site.com likely to be a real webserver, or a honeypot?"

You can know that the enemy uses land mines, but still feel confident about crossing a given space because you can tell that *this* space likely doesn't have a land mine - for instance, crossing a not-recently paved parking lot is probably fairly safe. Following heavy truck tire tracks also greatly improves your odds, as long as you don't come to someplace the tracks suddenly end.... ;)

Killing a couple of birds with one stone in this posting, apologies. Valdis got me thinking ... :)

First, I have noticed the point raised on how many 0-day exploits honeypots have captured; the number is most likely limited. But you then have to ask the question, how many honeypots have been deployed with the intent of capturing new attacks? Keep in mind, most honeypots deployed to date have been sitting off of home DSL or Cable connections. It's highly unlikely you are going to see advanced threats throwing new attacks against any old WinXP computer sitting there. I'm working on the assumption that the majority of new attacks are launched against targets of high value. This means your honeypot (for new or advanced attacks) needs the perception of high value. The problem with that is most individuals cannot deploy honeypots of perceived high value; usually only organizations can. I personally can create a honeypot that appears to be a TopSecret R&D server for the latest encryption, or build an online banking system, however how long will that perception last when it's sitting off dsl.speakeasy.net? I feel that some of the best opportunities for honeypots to capture advanced threats are honeypots deployed not by individuals, but by organizations.

Second, Valdis brings up a very interesting point here. But I'm going to counter that his analogy can actually help capture advanced threats. In mechanized warfare, minefields in general are NOT used to stop an enemy, but to channel that enemy into a killing zone (*lance dusts off old Tank manual*:). The idea is to set up mines so that the enemy sees them and has to change course, one that forces the enemy into a killing zone you have covered with fields of fire (direct, indirect, etc). Why not apply that with honeypots? Let's say you are concerned about advanced threats. You can populate your organization with low-interaction honeypots, great for detecting the low hanging fruit, but relatively easy for the advanced guys to detect. The advanced threat searches your network for honeypots and finds the low-interaction honeypots (our minefield). They avoid the minefield and go for the high-value targets, places where there are no honeypots. However, those dark quiet spots are where we deploy our high-interaction honeypot, the one with perceived high value and harder to detect.

This brings me to my third (and final) thought. In reference to detection, I highly doubt we will ever create a honeypot that is impossible to detect. Attackers that have the skills or tools, and are looking, will eventually fingerprint your honeypot. The key to the game is to make the honeypot hard enough to detect, so when the bad guy does detect it, it's too late for them.

just some thoughts ... :)

lance
