… honeypot help security professionals to do their job more effectively by acting as an Intrusion Detection System (IDS)?
Identifying Ways a Website Honeypot Can Help Security Professionals Perform Their Jobs More Effectively by Acting as an Intrusion Detection System
By any measure, the Internet has changed the way both consumers and businesses of all types interact and pursue their respective goals. Indeed, the Internet has transformed the way in which people go about their daily lives in some profound ways, but there are some significant problems involved.
For example, Elifoglu (2002) points out, "The open nature of the Internet makes security a real challenge for today's companies" (p. 67). Such security issues have assumed even greater importance in recent years as more and more companies establish a Web presence to facilitate their organizational goals. As Andress emphasizes, "Connecting your systems to the Internet is a huge risk, but installing a firewall and intrusion-detection system (IDS) helps mitigate the risk of unauthorized individuals entering your network and systems" (p. 29).
According to Elifoglu, "Internet-based e-commerce is subject to threats from internal and external users alike. This is another change from the recent past, when most security breaches were initiated by insiders" (p. 68). In this environment, identifying who is the threat and what type of threats these individuals represent has assumed new importance and relevance for information security management purposes.
In this regard, Hinojosa (2005) advises, "Information security management consists of identifying an organization's electronic informational assets, as well as the planning and programs that must be carried out to ensure its continued availability, confidentiality and integrity" (p. 36). Unfortunately, the threat to computer systems appears to be growing worse instead of better: "Today, in fact, there are more external than internal attacks, based on increased Internet use.
What's more, most external attacks go undetected or even uninvestigated, with a full 75% of external intrusions never reported to legal authorities for fear of negative publicity" (Elifoglu, p. 68). Moreover, the costs associated with such unauthorized system intrusion can be staggering. As Elifoglu points out, "To make matters worse, the cost of each successful external intrusion is estimated to be much higher than for internal attacks" (p. 68).
Importance of Proposed Study
In this environment, identifying improved methods to identify and counter security threats represents a timely initiative, and many companies are turning to honeypots to help them make such identifications as part of their information management security processes. As Spitzner (2003b) emphasizes, "Honeypots are a simple, cost-effective way to detect illicit, unauthorized activity" (p. 3). Like the Internet itself, honeypots are a fairly recent innovation.
For example, Spitzner advises, "Honeypots are a relatively new security technology whose real value lies in being probed, attacked, or compromised so that the actions of the intruders can be observed, analyzed and understood. The concept is simple: they do not have any production purpose, there is no authorized interaction with them, so any interaction with a honeypot is most likely a probe, scan or attack" (2003b, p. 5). Honeypots are just one type of intrusion detection system, but they represent one of the better approaches for a number of reasons.
Purpose of Proposed Study
The purpose of this project is to identify ways in which a website honeypot can be used as a detection measure or system, and to determine its ability to achieve these goals in ways that are superior to other types of intrusion detection systems. These issues and factors relate to the following weaknesses of IDSs and the advantages of using a honeypot approach as set forth in Tables 1 and 2 below.
Table 1. Intrusion Detection System Weaknesses.
Category -- Description of Weakness/Constraints
Data Overload -- Network intrusion detection systems tend to generate an extremely large volume of alerts. This volume makes it time consuming, resource intensive, and costly to analyze and review all data generated. For example, some organizations generate over 100,000 alerts a day. This makes NIDS very costly to scale. They also require extensive manpower to analyze all of this information.
False Positives -- Of all the disadvantages of NIDS, false alerts are one of the greatest. Many NIDS have difficulty distinguishing between legitimate activities and malicious traffic that bear similarities. For instance, a BugTraq post with example exploit code may be interpreted by an NIDS as a buffer overflow because the sample code matches a specific rule or pattern. In another instance, anomaly-based detection technology may mistake new traffic introduced to your network by the new Lotus Notes server you are using for an attack, based on the fact that it is not normal traffic. Even for organizations that have spent extensive time tuning their systems, false alerts are still a common problem. This can quickly degenerate into the 'little boy who cried wolf' scenario: if the IDS repeatedly generates false positives, administrators begin to ignore the technology they are using for detection.
False Negatives -- Just as NIDS can often generate false alerts, they can also fail to alert, especially for new attacks. Attackers may develop new tools or methods designed to bypass NIDS (such as ADMmutate), or new attacks that have never been captured before. This can leave organizations vulnerable to new attacks and techniques.
Resources -- NIDS require resource-intensive hardware to keep up with an organization's activity and traffic. The faster your network and the more data you have, the bigger your NIDS will have to be to keep up. In addition, it will require large databases to store all of the data. This is becoming more of a problem as networks migrate from 10/100 Megabit to Gigabit networks.
Encryption -- More and more organizations are moving to encryption, in which all of the data is encrypted by methods such as SSH, SSL, and IPSec. This move is based on both best practices and regulation (such as HIPAA); however, this very same technology can also blind administrators to what is happening on their networks. How can a NIDS detect an attack when all it can see is an encrypted SSL stream on the wire? The very same technologies we are using to protect computer networks can paradoxically blind existing detection technologies.
IPv6 -- IPv6 is the new version of the Internet Protocol. Not widely adopted, it is mainly used in Asian countries, such as Japan. Most NIDS technologies are not capable of analyzing or understanding IPv6 packets. Even in strictly IPv4 networks this is a problem, as attackers can enable IPv6 tunneling within IPv4, blinding detection technologies.
Source: Spitzner (2003b) at p. 6.
Some of the superior attributes of honeypots compared to other IDS approaches are delineated in Table 2 below.
Table 2. Website Honeypots as a Detection Solution.
Category -- Description/Advantages
Small Data Sets -- Honeypots only collect data when someone or something is interacting with them. Organizations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.
Reduced False Positives -- Honeypots dramatically reduce false positives. Any activity with honeypots is by definition unauthorized, making them extremely effective at detecting attacks. This allows organizations to quickly and easily reduce, if not eliminate, false alerts, allowing them to focus on other security priorities, such as patching.
Catching False Negatives -- Honeypots can easily identify and capture new attacks or activity against them. Any activity with the honeypot is an anomaly, making new or unseen attacks easily stand out. This has been repeatedly demonstrated by the Honeynet Project.
Minimal Resources -- Honeypots require minimal resources, even on the largest of networks. A simple Pentium computer can monitor literally millions of IP addresses on an OC-12 network.
Encryption -- It does not matter if an attack is encrypted; the honeypot will capture the activity.
IPv6 -- It does not matter which IP protocol an attacker uses; honeypots will detect, capture and log all IP activity. In one documented case, a Solaris honeypot detected and captured an attack where attackers attempted to hide their communications using IPv6 tunneling within IPv4. On the other hand, there are almost no NIDS technologies that can decode IPv6 or IPv6-tunneled traffic.
Source: Spitzner (2003b) at pp. 6-7.
Chapter 2: Intrusion Detection Systems
This chapter provides an overview of intrusion detection systems (IDSs) and why it is important for organizations to employ such security countermeasures. A discussion concerning what types of threat agents are involved is followed by a definition and description of a typical intrusion detection system.
Finally, a review of what types of attacks such IDSs can detect is followed by a description of how these systems operate. By and large, those who would seek to attack a computer system are working alone. In this regard, Elifoglu notes that, "In most instances, threat agents act alone. Typically, they are probing for weaknesses in the system's hardware and software, which they can exploit later" (p. 68).
While current employees and contractors represent an inside threat, external threat agents are most commonly referred to as follows:
Hacker -- Someone intensely interested in complex computer systems; or,
Cracker -- A hacker whose interest includes unauthorized entry and modification of computer systems, usually by decrypting password files.
Groups -- People sometimes act as a group to steal information for any number of reasons. They may be a company's customer or vendor, or they may be a fierce competitor trying to steal sensitive trade secrets (Elifoglu, 2002).
Some common threat attack groups include the following: Saboteurs/Terrorists/Paramilitary Groups; Domestic or Foreign Criminals; Vendors; Customers; Competitors; and, Former Employees (Elifoglu, 2002). In reality, the concept of intrusion detection systems is a straightforward matter of designing a system that can provide alerts when it is attacked. According to Andress (2003), the process of intrusion detection typically requires the identification of unauthorized access into computer systems.
For example, this author notes, "Robust intrusion-detection systems are placed at strategic locations on the network to look for suspicious usage patterns so that attacks can be detected before an intruder has gained access to the network, application, or operating system" (Andress, p. 66). This author also reports that, "An intrusion-detection system (IDS) monitors networks and computer systems for signs of intrusion or misuse. IDSs are quickly becoming a core component of any security infrastructure and the standard solution for monitoring and recognizing attacks.
Intrusion refers to an unauthorized user attacking your resources. IDSs work in the background, continuously monitoring network traffic and system log files for suspicious activity. When they find something, appropriate individuals receive alerts, often by e-mail, a page, or a Simple Network Management Protocol (SNMP) trap" (Andress, p. 196). Generally speaking, intrusion-detection systems identify, among other types of intrusions, Web attacks, probing attacks, denial-of-service attacks, remote procedure attacks, service exploits, and unauthorized network traffic (Andress).
"The majority of commercial IDS products work by examining network traffic and looking for well-known patterns of attack. For every recognized attack technique, the product developers code something, usually referred to as a signature, into the system" (Andress, p. 196). This signature identification can be a basic pattern match (e.g., /cgi-bin/password), a sign that there is an unauthorized attempt to gain access to the password file on a Web server (Andress).
Such signatures, though, can be as complex as a security state transition codified in a formal mathematical expression (Andress). In order to employ signature identification, the IDS analyzes signatures based on the information it receives from the system; such analysis involves matching the patterns of system settings and user activities against a database of known attacks (Andress). Current commercial IDS products generally include databases that may contain hundreds (or thousands) of such attack signatures (Andress).
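The contrast between signature matching and honeypot detection is easier to see when both detectors are run over the same traffic. The following Python script is an added example, not code from the paper, from Andress, or from Spitzner: it runs a two-signature detector (one of them the /cgi-bin/password pattern just described) and a decoy-path detector over a constructed web-server access log, then scores each against constructed ground truth. It illustrates the false-positive and false-negative rows of Tables 1 and 2 in Chapter 1: a legitimate help page trips the pattern matcher, a request the signature set has never seen is missed by it, and the decoy path (the website honeypot) flags only real misuse but only the misuse that touches it. All log lines, IP addresses (RFC 5737 documentation ranges), signatures and the /admin-backup/ decoy prefix are constructed for illustration.

```python
"""Signature IDS versus website-honeypot detection over one constructed log.

Added example; not from the paper or its sources. Every input below is
constructed: the access-log lines, the IPs, the signature list, the decoy
prefix and the ground-truth labels.
"""
import re
from dataclasses import dataclass

# Constructed access log in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/password HTTP/1.1" 404 0 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /help/reset-passwd.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /admin-backup/ HTTP/1.1" 200 300 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "POST /admin-backup/login HTTP/1.1" 200 120 "-" "python-requests/2.31"
"""

# Constructed ground truth: which (ip, path) pairs are actual misuse.
MALICIOUS = {
    ("203.0.113.7", "/cgi-bin/password"),
    ("192.0.2.44", "/admin-backup/"),
    ("192.0.2.44", "/admin-backup/login"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Request:
    ip: str
    method: str
    path: str
    ua: str


def parse_log(text):
    """Parse combined-format lines; silently skip anything that does not match."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reqs.append(Request(m["ip"], m["method"], m["path"], m["ua"]))
    return reqs


# Two constructed signatures. The first is the page's /cgi-bin/password example;
# the second is deliberately broad, the way real rule sets often are.
SIGNATURES = {
    "cgi-bin-password": re.compile(r"/cgi-bin/password"),
    "passwd-string": re.compile(r"passwd"),
}


def signature_alerts(reqs):
    """Classic NIDS behaviour: alert whenever a request path matches a known pattern."""
    return [(r.ip, r.path, name)
            for r in reqs
            for name, pat in SIGNATURES.items()
            if pat.search(r.path)]


# Constructed decoy prefix: a path no legitimate page links to, so any hit is suspect.
DECOY_PREFIXES = ("/admin-backup/",)


def honeypot_alerts(reqs, decoys=DECOY_PREFIXES):
    """Website-honeypot behaviour: no patterns at all; touching the decoy is the alert."""
    return [(r.ip, r.path, "decoy-touch") for r in reqs if r.path.startswith(decoys)]


def score(alerts, reqs, truth):
    """True/false positives and negatives for a detector against labelled requests."""
    flagged = {(ip, path) for ip, path, _ in alerts}
    actual = {(r.ip, r.path) for r in reqs if (r.ip, r.path) in truth}
    tp, fp, fn = len(flagged & actual), len(flagged - actual), len(actual - flagged)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


def compare(text=SAMPLE_LOG, truth=MALICIOUS):
    """Run both detectors on the same log and return their scores side by side."""
    reqs = parse_log(text)
    return {"signature": score(signature_alerts(reqs), reqs, truth),
            "honeypot": score(honeypot_alerts(reqs), reqs, truth)}


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:9s} tp={s['tp']} fp={s['fp']} fn={s['fn']} "
              f"precision={s['precision']:.2f} recall={s['recall']:.2f}")
```

On this log the signature detector scores one true positive, one false positive (the /help/reset-passwd.html page) and two false negatives (the scripted session against /admin-backup/, which matches no rule), while the decoy detector scores two true positives with no false positives but misses the /cgi-bin/password probe because it never touched the decoy. That is the trade-off the two tables describe: the honeypot's alerts are few and trustworthy, but it only sees what interacts with it, which is why it complements rather than replaces a NIDS.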
Chapter 3: Classification and Types of Honeypots
This chapter provides an overview of the two primary classifications of honeypots and their respective intended applications. A discussion of the different types of honeypots concludes the chapter. Currently, there are two main classifications of honeypots, which primarily relate to the intended purpose of the IDS, as follows:
Research Honeypot -- According to Grimes (2008), research honeypots are complex to implement as well as to maintain, but they are capable of capturing extensive information; these types of honeypots are used mostly by research, military, or government organizations.
Production Honeypot -- By contrast, production honeypots are fairly simple to implement but are only capable of capturing a limited amount of information; these types of honeypots are mostly used by companies or corporations (Grimes, 2008).
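A production website honeypot of the simple kind Grimes describes can be very small. The following Python program is an added example, not code from the paper or from Grimes: a low-interaction web decoy built on the standard library that answers every path with the same bland sign-in page and turns every request it receives into a structured alert record, with no signature matching at all, since a decoy has no authorized users. The decoy page text, the severity rule (writes rank above reads), the in-memory alert list and the host/port are constructed assumptions; a real deployment would forward the records to syslog or a SIEM instead of keeping them in memory.

```python
"""Minimal low-interaction website honeypot (added example; not the paper's or
Grimes's code). It serves one bland page on every path and records every
request as an alert, because nothing legitimate should ever reach a decoy.
The page body, severity rule and host/port below are constructed assumptions."""
import json
import threading
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DECOY_BODY = b"<html><body><h1>Intranet portal</h1><p>Please sign in.</p></body></html>"


def alert_from_request(client_ip, method, path, headers, body=b""):
    """Build one alert record from what was observed. No pattern matching is
    needed: any interaction with the decoy is by definition unauthorized."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": client_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "host": headers.get("Host", ""),
        "body_bytes": len(body),
        # Constructed triage rule: writes against the decoy rank above reads.
        "severity": "high" if method in ("POST", "PUT") else "medium",
    }


class HoneypotHandler(BaseHTTPRequestHandler):
    alerts = []                 # in-memory sink; forward to syslog/SIEM in practice
    lock = threading.Lock()

    def _record_and_reply(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        alert = alert_from_request(self.client_address[0], self.command,
                                   self.path, self.headers, body)
        with self.lock:
            self.alerts.append(alert)
        print(json.dumps(alert))
        # Same harmless page for every path: nothing real to interact with.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(DECOY_BODY)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(DECOY_BODY)

    do_GET = do_POST = do_PUT = do_HEAD = _record_and_reply

    def log_message(self, fmt, *args):
        return  # the alert record is the log; silence the default stderr line


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 picks any free port) and serve in a daemon thread."""
    server = ThreadingHTTPServer((host, port), HoneypotHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, method="GET", path="/", data=None):
    """Send one request to a running decoy and return the HTTP status.
    Included only to exercise the honeypot locally from the same process."""
    host, port = server.server_address[:2]
    req = urllib.request.Request(f"http://{host}:{port}{path}", data=data, method=method,
                                 headers={"User-Agent": "constructed-scanner/1.0"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv = start_honeypot()
    probe(srv, "GET", "/admin/")
    probe(srv, "POST", "/login", b"user=x")
    srv.shutdown()
    srv.server_close()
    print(f"{len(HoneypotHandler.alerts)} alerts recorded")
```

Run stand-alone, the program starts the decoy on a free loopback port, sends itself one read and one write, and prints both alert records as JSON lines followed by the count. Everything about the decoy's behaviour lives in alert_from_request and the one response path, which is what keeps a production honeypot of this kind cheap to run and review: the alert volume is exactly the number of interactions, as Table 2 notes.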
The type of honeypot that is best suited for a particular application depends on the type of interaction that can be expected; in this regard, there are three types of honeypots, which are described in Table 3 below.
Table 3. Levels of Honeypot Interaction.
Interaction Level -- Description
Low-interaction -- Low-interaction honeypots.