Most corporate networks lack serious oversight, that is, no one is really watching. Watching the network and computer systems is expensive, overwhelming and fraught with false positives. No wonder then that insider attacks go undetected for months, malware proliferates stealthily and hackers can spend their time gradually infiltrating deeper and deeper, undetected. It's simply too hard to discern between legitimate activities and illegitimate or malicious activities. Without context, wading in the enormous volume of logs or network traffic leads to information overload. How to tell who's up to no good? Well, you shall know them by their deeds.
Honeypots are, in my opinion, an underutilized tactic. Every attack, whether manual or automated, has an exploratory component. When hackers or viruses go probing networks and systems they are usually able to do so unnoticed. Unless they cause a system crash or overwhelm a system, the chances of detection are pretty low. A honeypot is a system that detects unusual activity by creating false targets. In a network, for example, a simple honeypot may allocate the unused IP address space. Then if someone attempts to access an IP address that is not used, an alert can be generated. Similarly, a port-based honeypot could respond to requests on unused TCP ports, creating the illusion of services. Entire computers, or even networks of computers, can be created to lure attackers.
Some may object to the use of honeypots because they might be seen as "entrapment" under the law. I'm recommending the use of honeypots for detection and prevention of attacks, not prosecution. If someone is accessing a system that has no DNS name, no public or registered services, no legitimate function, then it is quite likely that they're up to no good. Alerting on such access can give security professionals advance warning of attacks with fewer false positives. Of course, there are network diagnostic tools and other management tools that probe entire networks, but it is not very difficult to exclude those. Honeypots can even automate intrusion prevention by temporarily blacklisting IP addresses, thereby acting as booby traps for attackers.
I've applied this tactic successfully on both personal and corporate networks. What perplexes me is that there are so few vendors offering honeypot-like solutions in their products as a standard security feature. Network equipment (routers and switches) could offer phantom honeypot networks that generated alerts. Virtualization software could create entire phantom honeypot data centers. Service providers could use honeypots on unallocated network space. Sophisticated honeypots can even "lure" attackers by creating the illusion of success and escalating the intrusion, profiling the attacker all the way (see www.mykonossoftware.com for one example of this tactic)
There are very few legitimate reasons to go probing in the dark recesses of most networks, operating systems or applications. Honeypots give us an opportunity to set traps in those spaces, making an attacker's exploratory forays risky and more likely to be detected. A mirage of fake systems can waste attacker's time, giving us a head start in detecting, identifying and thwarting them. That's how you catch hackers with honey.
Read more about wide area network in Network World's Wide Area Network section.
This story, "Honeypots for hacker detection" was originally published by Network World.