Honeypots are positioned to become a key tool to defend the corporate
enterprise from hacker attacks, but some security watchers worry they could
bring a new set of security worries with them.
Honeypots, which have been around for about 10 years but now are gaining
interest and momentum, are digital decoys, of sorts. They are built to be
probed and attacked — an online come-on to blackhat hackers. Once the
honeypot is attacked, security administrators can watch how the hacker moves
around the system, see what tools the hacker is using and see what
information he’s going after.
It’s a way to spy on your enemy.
And if you’re lucky, it might even be a form of camouflage. Hackers could be
fooled into thinking they’ve accessed a corporate network, when actually
they’re just banging around in a honeypot — while the real network remains
safe and sound.
“It’s all about appearing to be something you’re not to get the baddies to
show their hand,” says George Bakos, senior security expert at the Institute
for Security Technology Studies at Dartmouth College in Hanover, N.H. “The
information we glean from it is fantastic. You can observe details of the
compromise — what technology they use, their intent, motivations and the
resources they went after. …They give us a leading indicator of things to
With the information culled from honeypots, Bakos says administrators can
refine their network defenses and better secure the company’s critical
Bakos says honeypots are poised to become the third step in network
perimeter security. The security line up will be filtering, detection and
What is a honeypot?
There are a few types of honeypots. Hardware-based honeypots are made up of
servers, switches and routers that are set up to mimic an actual production
network. They’re usually spiced up with the addition of a few
misconfigurations or unpatched security holes. The goal is for them to look
real and operational, as well as inviting to a hacker.
There’s also a form of a virtual honeypot. Software emulation honeypots are
deception programs designed to appear to be a real working network. The
honeypot program doesn’t offer up any actual hardware for a sophisticated
hacker to compromise but it also offers the added challenge of creating a
simulation good enough to fool an intruder into thinking he’s in a real
network. That can be a complicated, and time-consuming task, for the average
There also are honeynets, which are networks of honeypots loaded up with
real hardware, like Linux boxes, Cisco switches, Windows NT and Solaris.
Lance Spitzner, an engineer at Sun Microsystems Inc., created the Honeynet
Project with the help of about 30 other security professionals.
“Honeypots can be used to detect attacks and they can be used to get
information about attacks,” says Spitzner. “They’re better than intrusion
detection systems because they can give you a lot of false positives. You
get 8,000 to 10,000 alerts a day with IDS. You don’t know what to pay
attention to. You get overwhelmed and you start ignoring it all. When a
honeypot generates an alert, it’s a real attack. No one should be connecting
to it because it’s not an actual production network. So if someone is on it,
it’s a probe or a scan or an attack.”
Keith Rhodes, chief technologist at the U.S. General Accounting Office, says
honeypots should be part of a company’s defense structure.
“You set them up like fish bowls and watch what they’re doing,” says Rhodes,
whose job is to test networks at government agencies, finding their
weaknesses by breaking into them. “You set up a diversionary network and it
buys you time while you watch them and see what they’re doing. It’s not the
first line of defense. It’s part of your defensive structure.”
Rhodes notes that systems can be attacked in the blink of an eye and
honeypots buy administrators needed time to find out what’s going on.
“Most people who are serious about security are starting to use honeypots in
one way or another,” says Rhodes. “They’re used a lot in the military. They
want to pull their opponent in and watch them. The trick is to make it
interesting to the person breaking in and to make certain they can’t
immediately figure out they’re in a honeypot.”
At the Vermont National Guard, honeypots are used to teach students in the
Computer Emergency Response Teams, which teaches network security to
military IT workers from all 50 states. They run an experimental network,
gathering attack information to show their students what to look for and
what to do when it happens.
Retired Sgt. Bill Scherr, a senior instructor with the Guard’s Electronic
Warfare Associates team, says they’ve harvested information about attackers
from all over the world. And that’s offered valuable lessons to the students
who may be defending military networks from hacker attacks.
But despite the advantages, Scherr says honeypots are nothing to mess around
Sgt. First Class Carl Fortune, a computer specialist and instructor with the
Vermont National Guard, says it’s a more complicated technology than simply
putting up a firewall or an intrusion detection system.
“You can put up a firewall and IDS, but you better know what you’re doing if
you’re playing around with a honeypot,” says Fortune. “You’ve got to be able
to contain them and you’ve got to know if they’ve gotten out of the honeypot
and into your network.”
That’s good advice, say analysts, since once a hacker realizes he’s been
duped by a honeypot, he’s more apt to be angered and embarrassed enough to
want to retaliate with a destructive attack on the real network.
Fortune and Scherr also note that once a hacker is in a honeypot, it’s up to
the administrator to make sure he can’t use the honeypot as a jumping off
point to attack another network. The company running the honeypot could be
liable for any damage done to another network through their own network.
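Spitzner’s point that any traffic to a honeypot is by definition suspicious, and Fortune’s warning that you must know when an intruder has gotten out, both come down to two firewall-log rules. The script below is an added example, not code from the article or from the Honeynet Project: it assumes a constructed decoy subnet (10.9.9.0/24) that holds nothing but honeypots, a constructed production range (10.1.0.0/16), and Linux netfilter-style LOG lines. Anything inbound to the decoys is flagged as a probe; anything the decoys send elsewhere is flagged as a containment breach, with the highest severity when the destination is the production network.

```python
"""Honeypot alerting over firewall log lines.

Added example (not from the article or any project it names). Assumptions:
  * 10.9.9.0/24 is a constructed decoy subnet holding only honeypots;
  * 10.1.0.0/16 is a constructed production subnet;
  * log lines follow the Linux netfilter LOG target format (SRC= DST= DPT=).
Traffic TO a decoy is a probe (nothing legitimate should ever connect).
Traffic FROM a decoy to anywhere else is a containment failure.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

HONEYPOT_NET = ip_network("10.9.9.0/24")    # constructed decoy range
PRODUCTION_NET = ip_network("10.1.0.0/16")  # constructed production range

# Constructed sample log (RFC 5737 documentation addresses for the outside world).
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.9.9.20 PROTO=TCP SPT=51234 DPT=22
Jan 12 03:14:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.4.15 PROTO=TCP SPT=44010 DPT=443
Jan 12 03:14:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.9.9.20 PROTO=ICMP TYPE=8 CODE=0
Jan 12 03:15:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.9.9.20 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=6667
Jan 12 03:15:05 fw kernel: IN=eth1 OUT=eth1 SRC=10.9.9.20 DST=10.9.9.21 PROTO=TCP SPT=40002 DPT=445
Jan 12 03:15:40 fw kernel: IN=eth1 OUT= SRC=10.9.9.20 DST=10.1.4.15 PROTO=TCP SPT=40003 DPT=445
"""


@dataclass
class Alert:
    kind: str            # "PROBE" (inbound to a decoy) or "BREAKOUT" (decoy talking out)
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    severity: str        # "medium" probe, "high" breakout, "critical" breakout into production


def _field(line: str, key: str) -> Optional[str]:
    """Pull one KEY=value token out of a netfilter LOG line."""
    m = re.search(rf"\b{key}=(\S*)", line)
    return m.group(1) if m else None


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for honeypot-related traffic, or None for everything else."""
    src_s, dst_s = _field(line, "SRC"), _field(line, "DST")
    if not src_s or not dst_s:
        return None
    src, dst = ip_address(src_s), ip_address(dst_s)
    proto = _field(line, "PROTO") or "?"
    dpt = _field(line, "DPT")
    dport = int(dpt) if dpt else None      # ICMP lines carry no DPT
    if dst in HONEYPOT_NET and src not in HONEYPOT_NET:
        # Nobody should be talking to a decoy, so this is a probe/scan/attack.
        return Alert("PROBE", src_s, dst_s, proto, dport, "medium")
    if src in HONEYPOT_NET and dst not in HONEYPOT_NET:
        # A decoy initiating traffic means the intruder is using it as a
        # jumping-off point; hitting production is the worst case.
        sev = "critical" if dst in PRODUCTION_NET else "high"
        return Alert("BREAKOUT", src_s, dst_s, proto, dport, sev)
    return None  # ordinary production traffic, or decoy-to-decoy chatter inside the honeynet


def scan(log_text: str) -> List[Alert]:
    return [a for a in map(classify, log_text.splitlines()) if a is not None]


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.severity:8} {a.kind:8} {a.src} -> {a.dst} {a.proto} dport={a.dport}")
    print(summarize(found))
```

Against the constructed log this yields two probes (the SSH connect and the ping from 203.0.113.5) and two breakouts (the decoy reaching an outside host on 6667, and the decoy reaching a production host on 445), while the legitimate HTTPS session and the decoy-to-decoy traffic stay silent. Real deployments would additionally feed the BREAKOUT case into an automatic egress block; this example stops at detection.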
Ken VanWyk, director of technology in the technical risk management
department at TechMark Global Solutions, says honeypots are based on a good
concept but he hasn’t yet recommended that a customer deploy one. He says he
wants to see the honeypots more geared toward deceiving an attacker and he
wants to see them optimized for running on internal networks, catching
employees or contractors tampering with the system.
“Very few are using them now but I think we’ll see an increase,” says
VanWyk. “The technology is maturing and somewhere along the line, someone
will come up with a really useful honeypot that is feasible, manageable and
cost-effective to deploy. They’re still missing enterprise-level