Honeypots, essentially decoy systems designed to glean information about security threats, have proved their worth in a security regimen. Niels Provos, a senior staff engineer with Google, co-wrote Virtual Honeypots: From Botnet Tracking to Intrusion Detection with German graduate student Thorsten Holz. The book is published by Pearson Education on its Addison-Wesley imprint. He discussed the concept of honeypots, how they work and why virtual is better with Network World Canada.
NWC: Describe the notion of a honeypot.
Provos: It’s essentially a resource that lets you find out things that you might not know of or be aware of. The basic idea is that you run some kind of computer system that really doesn’t have any use in your production network. It doesn’t serve any Web pages, it doesn’t provide any services to regular visitors. Then you monitor what happens. The basic idea is, adversaries might try scanning the network or might try to attack resources that you provide to your network, and any connection that happens to your honeypot is suspicious by itself because you wouldn’t expect any regular visitor to connect to the system. By carefully instrumenting it you essentially get to see anything that’s a potential attack … that might end up compromising it with security vulnerabilities that nobody might have been aware of. As a result of getting your honeypot compromised, you might actually know about flaws that you didn’t know about before. And then the other benefit is you might see how they further compromise the system, what kind of back doors they install, or what kind of root kits or other technologies they use. So the basic benefit of a honeypot is you can observe what potential adversaries might do.
NWC: You describe two different kinds of honeypot, low-interaction and high-interaction. What’s the difference?
Provos: It’s really the degree with which an adversary gets to interact with the system. With the low-interaction honeypot, we usually assume that the only interactions happen via the network and that an adversary actually might not be able to fully compromise it. And then the deployment of a low-interaction honeypot might be thought of as a wide-range sensor. Because they don’t require as many resources, you can have many more of them. So you could imagine that you deploy a low-interaction honeypot on 60,000 IP addresses and then see what kind of scanning behaviour you see or what other kinds of network probes there might be.
With a high-interaction honeypot, resource consumption is a lot higher, but it also allows an adversary to interact with it to a much larger degree. So instead of just probing it from the network and not really getting far, they can fully compromise the system and go down to the operating system level, which wouldn’t be possible with a low-interaction honeypot. So really you can collect different kinds of information depending on which kind of honeypot you deploy.
NWC: You’ve explained some of the benefits of using a honeypot. There’s also some risk attached.
Provos: Risk is clearly something you need to consider before you deploy a honeypot. It’s possible that if you deploy a high-interaction honeypot and someone compromises it, that they then use your computer resources to compromise other systems on the Internet. In the book, we describe some safeguards that everyone should take to mitigate that risk, but really in order to understand the risk that you are faced with individually you need to consult your own legal counsel and get their advice. That might depend on what type of institution you’re operating in.
NWC: What’s a virtual honeypot as opposed to a physical honeypot?
Provos: A virtual honeypot is really a honeypot that doesn’t have a direct physical correspondence. Usually, what we mean by that is you might have one physical computer system on which you run several different virtual machines. And these virtual machines would represent virtual honeypots.
But the main benefit really is it’s much easier to maintain. If your virtual honeypot is compromised, it’s very easy to revert it to a safe snapshot, so you can essentially repeat your experiment without too much work, whereas if a physical honeypot gets compromised, usually it means that you have to reinstall the whole system, format the hard disk and reinstall the operating system, which is much more time-intensive, and usually means you spend much more work maintaining physical honeypots than if you were deploying virtual ones.