With spending tight, security experts say some IT managers are using decoy-based systems often known as honeypots to gather information and make a case for greater investment in intrusion detection.
A honeypot is a security resource that acts as a decoy to be probed, attacked, or compromised.
Unlike firewalls or intrusion detection system sensors, honeypots are something for the bad guys to interact with. They can record the date of an attack and the commands executed once a system is broken into. Unlike a firewall, which is designed to prevent an attack, honeypots are not limited to detection – they can collect data of high value to an IT manager.
“Honeypots are not a solution, they don’t fix specific problems but the two primary values they hold are in detection and information gathering,” says Lance Spitzner, co-founder of the Honeynet Project, a non-profit research organization of security professionals dedicated to information security. Spitzner was speaking during a recent Webcast called Securing Enterprise Network with Honeypots – The Next Generation of Intrusion Detection Technology.
Not only can a honeypot detect an attacker on an external or internal network, Spitzner says; it can also tell you who the bad guy is and what they’re doing. “You can capture (hacker) tools, capture their motives – who they are, who they are communicating with – extremely powerful technologies,” said Spitzner, who is also senior security architect at Sun Microsystems.
According to Michael Murphy, general manager of Symantec Canada Corp., corporations aren’t spending millions of dollars on full-blown intrusion detection systems today. As a result, to prove that their organization may be at risk or under attack, many IT departments are deploying products like Symantec’s Decoy Server (formerly Symantec Mantra).
“In order to give the IT people enough data to build a proper business case, to get the money to deploy full-blown intrusion detection now and when the economy turns around,” said Murphy. “They can show what the attacks look like and how often they happen as well as the complexity or the simplicity of the attacks.”
Licensing for Symantec’s Decoy Server depends on how many systems a company wants to deploy a decoy on. “We licence it by the number of cages – we call them cages because we try to trap the attacker – or the attack because it could be an automated attack – in a cage and have them go through their process, divulge their tricks and tactics.”
Deception-based intrusion detection systems like Symantec’s divert attacks away from production or mission-critical systems. They provide early warning so network staff can be notified of targeted internal/external attacks.
Symantec’s Decoy Server is a honeypot intrusion detection system that provides early notification of insider threats, detection of the latest attacks, diversion and containment.
Murphy prefers the term deception-based decoy as opposed to honeypot. “We’re not out soliciting attackers as traditional honeypots are. I much prefer decoy-based/deception-based intrusion detection systems because that’s what they are today,” he said. “There are several companies that have honeypot technology but most attract attackers. Ours operates differently in that it looks for types of attacks and diverts those attacks into a cage versus being out there trying to bring people in,” said Murphy.
Symantec says it has customers who are evaluating this technology, and some have deployed it, but for security reasons they aren’t anxious to talk about using the technology.
Murphy says it is not a mature market for a couple of reasons. “The traditional honeypot technology lent itself to general deception but didn’t do anything with the data. It was more to keep people away from production systems. And as this type of technology evolves we prefer more deception based or decoy versus calling it a honeypot,” he said.
But Spitzner says the technology will become more familiar in the next year as more organizations become aware of what honeypots can achieve.
“In many ways you’re just seeing the beginning of honeypots. There are a variety of technologies and applications coming out such as honey tokens and honeypot farms. I predict in the next couple of years – it’s not just the next six to 12 months – you’re going to see a lot of new applications for honeypots in the world of information security,” he said.