Honeypots as an early warning system

These sticky traps make a good backup plan for malware detection -- and every enterprise should have at least one

I often recommend that my clients set up and use a honeypot, and not just because my last book was entitled Honeypots for Windows. Honeypots are any non-production computer asset set up only as a target for hackers and malware. A honeypot is usually a PC, but it could be a Cisco router, Ethernet switch, or HP JetDirect card.

Many people think honeypots are non-necessary devices used by security administrators to track uberhackers. And while that’s partially true, today I recommend that every company use one or more honeypots.

Why, you ask? Because all computer security defenses will fail. Your firewall will fail. Your anti-virus software will fail. Your IDS and all of your employee education will fail, if not once a year, then several times. That being the case, step two is to get the fast notification that your defenses have failed.

That’s where a honeypot comes in: One or more of these should be your EWS (early warning system). Forget about giving the hacker (or malware) a realistically fake environment to hack around in (called "high-interaction" in honeypot parlance). As a non-production asset, nothing should ever touch the honeypot -- that way, if something touches it, probes it, port scans, or tries to log on to it, you'll know it's malicious, and you can capture as much information as possible from the initial contact. When something connects, the honeypot should immediately alert the security first responder, preferably by sending out a page or SMS alert, or by automatically creating a help desk ticket.

An EWS honeypot should detect and alert, and alternately log and report. In order to detect, the honeypot needs to initialize a listening service on the ports that a hacker or malware program will be likely to visit. For a Windows honeypot, that would include TCP ports 135, 137-139, and 445. A Unix/Linux host might want to have ports 22, 111, and RPC ports to mimic services running in the host environment.

You’ll often hear people say that honeypots never have false positives. This is patently untrue, especially inside the network. Usually, I have to fine-tune the honeypot not to alert on normal broadcast traffic and tell my network management software to skip the honeypot. (Otherwise, my honeypot might alert when the patch management software tries to push out a new software update or when the anti-virus gateway server tries to deliver an updated signature.)

There are many ways to set up a honeypot. You can take an old machine and install a copy of your default OS on it. Because the system is a real OS, most hackers won’t be able to tell that it is a honeypot, even if you do nothing special to it other than install detecting and alerting mechanisms.

Some people use virtual machine software (such as VMware or Virtual PC) to create honeypots. The benefit here is quick resets and clean-up, but VM honeypots are subject to being detected as VM, and hence identified by a hacker as a possible honeypot.

Luckily, this worry is lessening as more shops virtualize their production machines. But a bigger threat is the fact that any real OS gives the hacker a real target to exploit and could lead to unintended consequences, so more and more administrators are turning to specialized honeypot software.

Hands down the best honeypot product, especially for the Windows crowd, is KeyFocus’ KFSensor. KFSensor is feature-rich and frequently updated. The fully featured version is $990, but a new standard version will sell for much less. I don’t have enough space here to elaborate on KFSensor, but if you want the best, spend the money. The only two detractions are that it doesn’t emulate the TCP/IP stack at the lowest levels (a fact that doesn’t really matter for an EWS honeypot) and that only a finite number of listening ports can be active at any one time.

Open source Honeyd is the most versatile honeypot software. Like many open source products, it is mostly command line-based, takes lots of reading to understand, and takes even more trial and error to get it right.

Developed for the Unix/Linux crowd, it comes in a Windows flavor, but the Windows version is old and buggy -- you’re better off learning Linux from scratch than using the Windows version. Honeyd is a very flexible honeypot, but it must be cobbled together from scratch, and more sophisticated emulations, such as NetBIOS, aren’t easy at all.

Other honeypots to consider are Alkasis' PatriotBox (Windows-based, GUI, $40, not nearly as feature-rich as KFSensor, but a good value), and Specter  (Windows-based, GUI, $899, contains many unique features not seen elsewhere).

For more information and details on honeypots, visit http://www.honeynet.org and http://www.honeypots.com.