Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: What do you guys think?
From: jason () kaddywampus org
Date: Fri, 14 Mar 2008 17:23:58 -0400 (EDT)

I think honeypots are great for research and invaluable to the security
profession.  But research should be done by the those that have the time
to do it.

If an organization has a security group with time on their hands to deal
with honeypots, I would be surprised.  There are many more priorities for
an organization.

The honeypot is a research project, not a security project.  Security
professionals working in security groups should subscribe to honeypot
research data and use it accordingly.

However, a honeypot research project would like prove more valuable if
they could deploy honeypots across different organizations and gather the
intel they provide.  A dispersed honeypot research project that had the
cooperation of corporate and government organizations would help to show
trending and other attack data.


You want discussion, so I'll throw a hand in.

What security benefit is there to "trapping attackers" and/or watching
their behavior/action? I think that may make great research, but I'm not
sure how many people or organizations will benefit from that added
knowledge. Will it make the organization more secure?

The other side of this is giving attackers an easy target to trigger your
alarms so you know they're present. This is a basic tripwire type of
alarm. Only instead of alarming on actual valuable stuff, you'll get many
more positive hits because you're alarming on giveaway stuff. Maybe this
will alert before your jewels are stolen, but again the value/time side of
this is still arguable.

I'm certainly no expert, but if you make this too easy, are you opening
yourself up to entrapment, or at the very least the inability to prosecute
if you seemingly welcomed the intruder in? I really don't know, but I'm
sure others do.

This isn't to say I want to discourage your work here. I think you should
continue to pursue it. While I might speak about alarming only on the
things you're trying to protect, I do tend to be a network control freak
and prefer the heartbeat of my network close at my fingertips...and
alarming on even smaller things is useful information to alert me to
potential problems early.

Soapbox: I think it is dangerous to speak too highly of honeypots or
honeypot-like tripwires. While I do believe in their value for research
and curiosity, honeypots in an organization can be extremely dangerous
when tended by non-experts. Besides, there are so many more valuable tasks
to do in most orgs.



<- snip ->

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault