Honeypots mailing list archives
Re: Minefields
From: Sylvain P.Leblanc <Sylvain.Leblanc () rmc ca>
Date: 23 Jun 2004 15:02:09 -0000
In-Reply-To: <20040623114806.21270.qmail () www securityfocus com>
> I responded directly to Valdis using the term "channelize"... parts of those FMs are indelibly burned into my brain housing group. I'm dating myself here, but commanders could plan/map minefields, or call in FASCAM from the artillery to cover an area. Mechanized forces would be forced to alter their route of march, or at the very least be slowed enough to be picked off w/ TOWs and other ordnance. But I think the issue is more that in the digital realm, many analogies just don't work. ;-) Valdis mentioned minefields, and minefields aren't used to detect an attack, but rather the commander has advanced knowledge (by studying the terrain, etc) and is attempting to influence the route of his enemy's advance.
I like the minefield analogy, but then again I'm a Signals officer so you should expect as much. I absolutely agree that you have to study the situation (terrain [read network topology], adversary's intent, and your own lucrative assets) to decide where the minefield will be of value; but you also have to decide what you will do with it. We use minefields (or any other obstacles) for a combination of four purposes: Block, Turn, Fix, or Disrupt.

You Block when you can completely stop the adversary along an avenue of approach, and she/he has nowhere to go. This is extremely resource intensive, and I cannot see how one could accomplish this at the network level. The Turn effect is the channelization described by Harlan, and I definitely see this analogy applicable to honeypots. The last two effects also give the analogy value in the honeypot context. Fixing the adversary means slowing her down while you carry out a valuable action, be it passively (like observing and learning about her tools, techniques and intentions) or actively (such as taking the fight to the adversary with more aggressive measures). Finally, to Disrupt is to slow the adversary down (possibly by making her waste her time with low interaction production honeypots).
> This brings me to my third (and final) thought. In reference to detection, I highly doubt we will ever create a honeypot that is impossible to detect. Attackers that have the skills or tools, and are looking, will eventually fingerprint your honeypot. The key to the game is to make the honeypot hard enough to detect, so when the bad guy does detect it, it's too late for them. Or perhaps attackers are relying on other, less technical means of identifying high value targets.
Whatever the effect you want to accomplish with an obstacle, it is doomed to failure unless the obstacle is covered by observation [and fire]. By the time the obstacle is detected, the good guys already have the information they need. That's it for now, troops!

Sly