What’s one of the first tenets of warfare?
Know your enemy.
Well, the principle that holds for military warfare holds true for
digital warfare, as well. But it’s not like black hat hackers are having
lunch with security administrators and sharing their secrets for
intrusions and hybrid worm attacks. So how do you figure out who your
enemy is and what he’s trying to do to your network?
The answers lie in the honeypot. According to members of the Honeynet
Project and the Honeynet Research Alliance, most of what you need to
know about hackers can be found there. Their new collaborative book,
Know Your Enemy: Learning About Security Threats looks at
honeypots, honeynets and what they can teach us about the bad guys, as
well as how to successfully set them up yourself.
Honeypots, which have been around for about 12 years but are gaining
interest and momentum, are digital decoys, of sorts. They are built to
be probed and attacked — an online come-on to blackhat hackers. Once
the honeypot is attacked, security administrators can watch how the
hacker moves around the system, see what tools the hacker is
using and see what information he’s going after.
It’s a way to spy on your enemy.
And if you’re lucky, it might even be a form of camouflage. Hackers
could be fooled into thinking they’ve accessed a corporate network, when
actually they’re just banging around in a honeypot — while the real
network remains safe and sound.
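To make the "watch the attacker" idea above concrete, here is an added sketch (not code from the book, the Honeynet Project or this article) of a minimal low-interaction decoy: it listens on made-up decoy ports, answers nothing, records who connected and what they sent first, and summarizes how often the decoy is touched per day, which is also the kind of count behind the scan-rate figure Spitzner gives later in the interview. The port numbers, addresses and sample events are all constructed.

```python
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

def handle_client(conn, addr, port, events, lock, timeout=3.0):
    """Keep what the peer sends first, then drop it; the decoy never answers."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(256)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    with lock:  # (utc timestamp, source ip, decoy port, first bytes)
        events.append((datetime.now(timezone.utc), addr[0], port, data))

def serve_decoy(port, events, lock, host="0.0.0.0"):
    """Listen forever on one decoy port and hand each connection to a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_client, args=(conn, addr, port, events, lock), daemon=True).start()

def summarize(events):
    """Answer the interview's questions: how often, from where, and at what."""
    days = {ts.date() for ts, _, _, _ in events}
    return {
        "per_day": dict(Counter(ts.date().isoformat() for ts, _, _, _ in events)),
        "per_source": dict(Counter(src for _, src, _, _ in events)),
        "per_port": dict(Counter(port for _, _, port, _ in events)),
        "avg_per_day": len(events) / max(1, len(days)),
    }

# Constructed sample touches (not real captures) so summarize() can be tried offline.
SAMPLE_EVENTS = [
    (datetime(2004, 6, 1, 2, 15, tzinfo=timezone.utc), "203.0.113.7", 23, b"root\r\n"),
    (datetime(2004, 6, 1, 2, 16, tzinfo=timezone.utc), "203.0.113.7", 445, b""),
    (datetime(2004, 6, 1, 18, 40, tzinfo=timezone.utc), "198.51.100.9", 23, b""),
    (datetime(2004, 6, 2, 4, 5, tzinfo=timezone.utc), "203.0.113.7", 23, b""),
]
if __name__ == "__main__":
    log, guard = [], threading.Lock()
    for decoy_port in (2323, 4445):  # unprivileged stand-ins for the telnet and SMB ports
        threading.Thread(target=serve_decoy, args=(decoy_port, log, guard), daemon=True).start()
    threading.Event().wait(60)  # collect for a minute, then report
    print(summarize(log))
```

Run it on a host that offers no real service on those ports so every connection is by definition unsolicited; the first bytes captured are what show which tool knocked.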
There also are honeynets, which are a network of honeypots, loaded up
with real hardware, like Linux boxes, Cisco switches, Windows NT and
Solaris. Lance Spitzner, a senior security architect at Sun Microsystems
Inc., created the Honeynet Project with the help of about 30 other
security professionals.
Spitzner is one of the authors of the book Know Your Enemy. He
talked to eSecurityPlanet about what they’ve learned about
hackers, what companies should be doing to better protect themselves,
and if putting together a honeypot or a honeynet is the right thing for
most companies.
Q: Are honeypots and honeynets the best way to learn about hackers?
It’s definitely one of the best ways. You get to watch them operate in
their own environment. It’s difficult to survey hackers or talk with
them… With a honeynet, you can watch and analyze what they’re doing
without them knowing they’re being watched. What tools do they use? What
systems are they going after? Who are they communicating with?
Q: What are some of the more interesting things you’ve learned about
hackers?
The attackers and threats are far more aggressive and active than most
people think. The typical home user, if they have a dedicated connection
to the Internet, is getting scanned about 10 times a day. People think
they only go after major companies, but they go after everyone.
And people think of hacker terrorism but most hackers are just
criminals. They’re out to make money. There are so many creative ways to
make money hacking computers. They can go online and take information,
like addresses and social security numbers, off people’s computers. Then
they can use the information or sell it. They might even break into
hundreds or thousands of computers and sell these hacked computers to
someone else. They might set up a porn site on your computer and charge
people to go see it.
Q: What changes have you seen in how hackers operate?
There have been two big changes. In ’97, ’98 or ’99, you’d see the
misguided youth. But in the past few years, there’s been a switch to the
criminal. People are out to make money. Tools are far more aggressive
and automated. It makes for a different level of sophistication.
Q: What should administrators and CSOs know about your findings?
Stay with the basics. People try to go for the latest and greatest. If
you’re running a current and patched operating system, you should be
protected. Anti-virus software and firewalls will go a long way to
eliminating most threats. It’s not that hackers have super secret
weapons. They’re trying to look for mistakes in your environment. They
look for simple passwords or systems that aren’t patched. With 20
percent effort, you can eliminate 80 percent of the threat.
Q: Should companies be running their own honeypots or honeynets?
Commercial organizations? Probably not. Do the basics. If you’re having
problems with patching and such, you shouldn’t have a honeynet. If
you’ve got all the basics done, sure. Go ahead. Get a honeynet because
you can learn a lot. But most honeynets are run by academics, military
and government. Stick to what you have to do first. Once you’ve got the
basics down, honeynets can give you a lot of information, maybe even on
internal threats.
Q: What should companies do to protect themselves that they’re generally not doing?
Companies are not doing the basics. Most want to pass audit. They want
to be able to tell shareholders that they’re secure… In a lot of
cases, you hear about companies being taken out by worms. These exploits
have been known for six months and the patches have been out for six
months. That means these companies haven’t patched their systems in six
months. That’s just blowing it on the basics.