July 06, 2010, 4:27 PM — Most corporate networks lack serious oversight, that is, no one is really watching. Watching the network and computer systems is expensive, overwhelming and fraught with false positives. No wonder then that insider attacks go undetected for months, malware proliferates stealthily and hackers can spend their time gradually infiltrating deeper and deeper, undetected. It's simply too hard to discern between legitimate activities and illegitimate or malicious activities. Without context, wading in the enormous volume of logs or network traffic leads to information overload. How to tell who's up to no good? Well, you shall know them by their deeds.
Honeypots are, in my opinion, an underutilized tactic. Every attack, whether manual or automated, has an exploratory component. When hackers or viruses go probing networks and systems they are usually able to do so unnoticed. Unless they cause a system crash or overwhelm a system, the chances of detection are pretty low. A honeypot is a system that detects unusual activity by creating false targets. In a network, for example, a simple honeypot may allocate the unused IP address space. Then if someone attempts to access an IP address that is not used, an alert can be generated. Similarly, a port-based honeypot could respond to requests on unused TCP ports, creating the illusion of services. Entire computers, or even networks of computers, can be created to lure attackers.
Some may object to the use of honeypots because they might be seen as "entrapment" under the law. I'm recommending the use of honeypots for detection and prevention of attacks, not prosecution. If someone is accessing a system that has no DNS name, no public or registered services, no legitimate function, then it is quite likely that they're up to no good. Alerting on such access can give security professionals advance warning of attacks with fewer false positives. Of course, there are network diagnostic tools and other management tools that probe entire networks, but it is not very difficult to exclude those. Honeypots can even automate intrusion prevention by temporarily blacklisting IP addresses, thereby acting as booby traps for attackers.
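One way to implement the decoy-address and decoy-port detection described in the previous two paragraphs, including the exclusion of known scanning tools and the temporary blacklisting of a probing source, as an added example that is not part of the original article; the addresses, ports, allowlist and connection records are constructed for illustration.

```python
"""Minimal honeypot detection logic: alert on any connection to unused
(decoy) IP addresses or unused ports, skip known scanners, and keep a
temporary blocklist. All addresses and records below are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the decoy range is unused space inside 10.0.0.0/24
DECOY_NET = ipaddress.ip_network("10.0.0.128/25")      # no real hosts here
DECOY_PORTS = {23, 1433, 3389, 5900}                  # services we do not run
SCANNER_ALLOWLIST = {"10.0.0.5"}                      # our own network scanner
BLOCK_SECONDS = 600                                   # temporary blacklist


@dataclass
class Honeypot:
    blocked_until: dict = field(default_factory=dict)  # src_ip -> expiry time

    def is_blocked(self, src, now):
        """True while a source is on the temporary blocklist."""
        return self.blocked_until.get(src, 0) > now

    def inspect(self, src, dst, port, now):
        """Return an alert string for one connection, or None if benign."""
        if src in SCANNER_ALLOWLIST:          # legitimate diagnostic tooling
            return None
        hit_ip = ipaddress.ip_address(dst) in DECOY_NET
        hit_port = port in DECOY_PORTS
        if not (hit_ip or hit_port):
            return None
        reason = "decoy address" if hit_ip else "decoy port"
        self.blocked_until[src] = now + BLOCK_SECONDS
        return f"ALERT {src} -> {dst}:{port} ({reason}); blocked {BLOCK_SECONDS}s"


def run(hp, events):
    """Feed (time, src, dst, port) records and return the alerts raised."""
    return [a for a in (hp.inspect(s, d, p, t) for t, s, d, p in events) if a]


# Constructed sample of connection records, as taken from flow logs
SAMPLE = [
    (0, "10.0.0.20", "10.0.0.10", 443),    # normal web traffic
    (1, "10.0.0.5", "10.0.0.200", 22),     # allowlisted scanner sweeping
    (2, "10.0.0.77", "10.0.0.200", 22),    # probe of an unused address
    (3, "10.0.0.77", "10.0.0.10", 3389),   # probe of an unused port
]

if __name__ == "__main__":
    hp = Honeypot()
    for line in run(hp, SAMPLE):
        print(line)
```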