Thursday, March 28, 2024

Honeypots Let You Spy on Your Enemy

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

What’s one of the first tenets of warfare?

Know your enemy.

Well, the principal that holds for military warfare holds true for

digital warfare, as well. But it’s not like black hat hackers are having

lunch with security administrators and sharing their secrets for

intrusions and hybrid worm attacks. So how do you figure out who your

enemy is and what he’s trying to do to your network?

The answers lie in the honeypot. According to members of the Honeynet

Project and the Honeynet Research Alliance, most of what you need to

know about hackers can be found there. Their new collaborative book,

Know Your Enemy: Learning About Security Threats looks at

honeypots, honeynets and what they can teach us about the bad guys, as

well as how to successfully set them up yourself.

Honeypots, which have been around for about 12 years but are gaining

interest and momentum, are digital decoys, of sorts. They are built to

be probed and attacked — an online come-on to blackhat hackers. Once

the honeypot is attacked, security administrators can watch how the

hacker moves around the system, and she can see what tools the hacker is

using and what information he’s going after.

It’s a way to spy on your enemy.

And if you’re lucky, it might even be a form of camouflage. Hackers

could be fooled into thinking they’ve accessed a corporate network, when

actually they’re just banging around in a honeypot — while the real

network remains safe and sound.

There also are honeynets, which are a network of honeypots, loaded up

with real hardware, like Linux boxes, Cisco switches, Windows NT and

Solaris. Lance Spitzner, a senior security architect at Sun Microsystems

Inc., created the Honeynet Project with the help of about 30 other

security professionals.

Spitzner is one of the authors of the book Know Your Enemy. He

talked to eSecurityPlanet about what they’ve learned about

hackers, what companies should be doing to better protect themselves,

and if putting together a honeypot or a honeynet is the right thing for

most companies.

There also are honeynets, which are a network of honeypots, loaded up

with real hardware, like Linux boxes, Cisco switches, Windows NT and

Solaris. Lance Spitzner, an engineer at Sun Microsystems Inc., created

the Honeynet Project with the help of about 30 other security

professionals.

Q: Are honeypots and honeynets the best way to learn about hackers?


It’s definitely one of the best ways. You get to watch them operate in

their own environment. It’s difficult to survey hackers or talk with

them… With a honeynet, you can watch and analyze what they’re doing

without them knowing they’re being watched. What tools do they use? What

systems are they going after? Who are they communicating with?

Q: What are some of the more interesting things you’ve learned about

hackers?
The attackers and threats are far more aggressive and active than most

people think. The typical home user, if they have a dedicated connection

to the Internet, is getting scanned about 10 times a day. People think

they only go after major companies, but they go after everyone.

And people think of hacker terrorism but most hackers are just

criminals. They’re out to make money. There are so many creative ways to

make money hacking computers. They can go online and take information,

like addresses and social security numbers, off peoples’ computers. Then

they can use the information or sell it. They might even break into

hundreds or thousands of computers and sell these hacked computers to

someone else. They might set up a porn site on your computer and charge

people to go see it.

Q: What changes have you seen in how hackers operate?
There have been two big changes. In ’97, ’98 or ’99, you’d see the

misguided youth. But in past few years, there’s been a switch to the

criminal. People are out to make money. Tools are far more aggressive

and automated. It makes for a different level of sophistication.

Q: What should administrators and CSOs know about your

findings?
Stay with the basics. People try to go for the latest and greatest. If

you’re running a current and patched operating system, you should be

protected. Anti-virus software and firewalls will go a long way to

eliminating most threats. It’s not that hackers have super secret

weapons. They’re trying to look for mistakes in your environment. They

look for simple passwords or systems that aren’t patched. With 20

percent effort, you can eliminate 80 percent of the threat.

Q: Should companies be running their own honeypots or

honeynets?
Commercial organizations? Probably not. Do the basics. If you’re having

problems with patching and such, you shouldn’t have a honeynet. If

you’ve got all the basics done, sure. Go ahead. Get a honeynet because

you can learn a lot. But most honeynets are run by academics, military

and government. Stick to what you have to do first. Once you’ve got the

basics down, honeynets can give you a lot of information, maybe even on

internal threats.

Q: What should companies do to protect themselves that they’re

generally not doing?
Companies are not doing the basics. Most want to pass audit. They want

to be able to tell shareholders that they’re secure… In a lot of

cases, you hear about companies being taken out by worms. These exploits

have been known for six months and the patches have been out for six

months. That means these companies haven’t patched their systems in six

months. That’s just blowing it on the basics.

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles