The role of decoy-based intrusion-detection technology, or "honeypots," is evolving. Once used primarily by researchers as a way to attract hackers to a network system in order to study their movements and behavior, honeypots are now beginning to play an important part in enterprise security. Indeed, by providing early detection of unauthorized network activity, honeypots are proving more useful to IT security professionals than ever.
This article looks at how honeypots work and how the technology is emerging as a key component in a layered approach to intrusion protection.
A honeypot is a system that's put on a network so it can be probed and attacked. Because the honeypot has no production value, there is no "legitimate" use for it. This means that any interaction with the honeypot, such as a probe or a scan, is by definition suspicious.
There are two types of honeypots:
Research: Most attention to date has focused on research honeypots, which are used to gather information about the actions of intruders. For example, the Honeynet Project is a volunteer, nonprofit security research organization that uses honeypots to collect information on cyberthreats.
Production: Less attention has been paid to production honeypots, which are actually used to protect organizations. Increasingly, however, production honeypots are being recognized for the detection capabilities they can provide and for the ways they can supplement both network- and host-based intrusion protection.
How honeypots work
Honeypots can also be described as being either low interaction or high interaction, a distinction based on the level of activity that the honeypot allows an attacker. A low-interaction system offers limited activity; in most cases, it works by emulating services and operating systems. The main advantages of low-interaction honeypots are that they are relatively easy to deploy and maintain and they involve minimal risk because an attacker never has access to a real operating system to harm others.
In contrast, high-interaction honeypots involve real operating systems and applications, and nothing is emulated. By giving attackers real systems to interact with, organizations can learn a great deal about an attacker's behavior. High-interaction honeypots make no assumptions about how an attacker will behave, and they provide an environment that tracks all activity. Such conditions allow organizations to learn about behavior they would not otherwise have access to.
High-interaction systems are also flexible, and IT security professionals can implement as much or as little of them as they want. In addition, this type of honeypot provides a more realistic target, capable of detecting a higher caliber of attacker. High-interaction honeypots can be complex to deploy, however, and they require additional technologies to prevent attackers from using the honeypot to launch attacks on other systems.
Advantages of honeypots
Security experts say that honeypots can succeed in a number of areas where traditional intrusion-detection systems (IDS) have been found wanting. In particular, they point to:
Too much data: One of the common problems with the traditional IDS is that it generates a huge amount of alerts. The sheer volume of this "noise" makes it time-consuming, resource-intensive and costly to review the data. In contrast, honeypots collect data only when someone is interacting with them. Small data sets can make it easier and more cost-effective to identify and act on unauthorized activity.
False positives: Perhaps the biggest drawback of an IDS is that so many of the alerts generated are false. False positives are a big problem even for organizations that spend a lot of time tuning their systems. If an IDS continually creates false positives, administrators may eventually begin to ignore the system. Honeypots sidestep this problem because any activity with them is, by definition, unauthorized. That allows organizations to reduce, if not eliminate, false alerts.
False negatives: IDS technologies can also have difficulty identifying unknown attacks or behavior. Again, any activity with a honeypot is anomalous, making new or previously unknown attacks stand out.
Resources: An IDS requires resource-intensive hardware to keep up with an organization's network traffic. As a network increases in speed and generates more data, the IDS has to get bigger to keep up. Honeypots require minimal resources, even on large networks. According to Lance Spitzner, founder of the Honeynet Project, a single Pentium computer with 128MB of RAM can be used to monitor millions of IP addresses.
Encryption: More organizations are moving to encrypt all their data, either because of security issues or regulations, such as the Health Insurance Portability and Accountability Act. Not surprisingly, more and more attackers are using encryption as well. That blinds an IDS's ability to monitor the network traffic. With a honeypot, it doesn't matter if an attacker is using encryption; the activity will still be captured.
How honeypots augment IDSs
The evolution of honeypots can also be understood by looking at the ways these systems are being used in association with IDSs to prevent, detect and help respond to attacks. Indeed, honeypots are increasingly finding their place alongside network- and host-based intrusion-protection systems.
Honeypots are able to prevent attacks in several ways. The first is by slowing down or stopping automated attacks, such as worms or autorooters. These are attacks that randomly scan an entire network looking for vulnerable systems. (Honeypots use a variety of TCP tricks to put an attacker in a "holding pattern.") The second way is by deterring human attacks. Here honeypots aim to sidetrack an attacker, making him devote attention to activities that cause neither harm nor loss while giving an organization time to respond and block the attack.
As noted above, honeypots can provide early detection of attacks by addressing many of the problems associated with traditional IDSs, such as false positives and the inability to detect new types of attacks, or zero-day attacks. But increasingly, honeypots are also being used to detect insider attacks, which are usually more subtle and more costly than external attacks.
Honeypots are also helping organizations respond to attacks. A hacked production system can be difficult to analyze, since it's hard to determine what's normal day-to-day activity and what's intruder activity. Honeypots, by capturing only unauthorized activity, can be effective as an incident-response tool because they can be taken off-line for analysis without affecting business operations. The newest honeypots boast stronger threat-response mechanisms, including the ability to shut down systems based on attacker activity and frequency-based policies that enable security administrators to control the actions of an attacker in the honeypot.
Like all technologies, honeypots have their drawbacks, the greatest one being their limited field of view. Honeypots capture only activity that's directed against them and will miss attacks against other systems.
For that reason, security experts don't recommend that these systems replace existing security technologies. Instead, they see honeypots as a complementary technology to network- and host-based intrusion protection.
The advantages that honeypots bring to intrusion-protection solutions are hard to ignore, especially now as production honeypots are beginning to be deployed. In time, as deployments proliferate, honeypots could become an essential ingredient in an enterprise-level security operation.
- John Harrison is group product manager at Symantec in the US, where his responsibilities include Symantec Decoy Server and Symantec ManHunt, as well as the intrusion-detection technology in Symantec Gateway Security, Symantec Client Security and Norton Internet Security.