Honeypots as an early warning system

I often recommend that my clients set up and use a honeypot, and not just because my last book was entitled Honeypots for Windows. Honeypots are any non-production computer asset set up only as a target for hackers and malware. A honeypot is usually a PC, but it could be a Cisco router, Ethernet switch, or HP JetDirect card.

Many people think honeypots are non-necessary devices used by security administrators to track uberhackers. And while that’s partially true, today I recommend that every company use one or more honeypots.

Why, you ask? Because all computer security defenses will fail. Your firewall will fail. Your anti-virus software will fail. Your IDS and all of your employee education will fail, if not once a year, then several times. That being the case, step two is to get the fast notification that your defenses have failed.

That’s where a honeypot comes in: One or more of these should be your EWS (early warning system). Forget about giving the hacker (or malware) a realistically fake environment to hack around in (called "high-interaction" in honeypot parlance). As a non-production asset, nothing should ever touch the honeypot -- that way, if something touches it, probes it, port scans, or tries to log on to it, you'll know it's malicious, and you can capture as much information as possible from the initial contact. When something connects, the honeypot should immediately alert the security first responder, preferably by sending out a page or SMS alert, or by automatically creating a help desk ticket.

An EWS honeypot should detect and alert, and alternately log and report. In order to detect, the honeypot needs to initialize a listening service on the ports that a hacker or malware program will be likely to visit. For a Windows honeypot, that would include TCP ports 135, 137-139, and 445. A Unix/Linux host might want to have ports 22, 111, and RPC ports to mimic services running in the host environment.

You’ll often hear people say that honeypots never have false positives. This is patently untrue, especially inside the network. Usually, I have to fine-tune the honeypot not to alert on normal broadcast traffic and tell my network management software to skip the honeypot. (Otherwise, my honeypot might alert when the patch management software tries to push out a new software update or when the anti-virus gateway server tries to deliver an updated signature.)

There are many ways to set up a honeypot. You can take an old machine and install a copy of your default OS on it. Because the system is a real OS, most hackers won’t be able to tell that it is a honeypot, even if you do nothing special to it other than install detecting and alerting mechanisms.

Some people use virtual machine software (such as VMware or Virtual PC) to create honeypots. The benefit here is quick resets and clean-up, but VM honeypots are subject to being detected as VM, and hence identified by a hacker as a possible honeypot.

Luckily, this worry is lessening as more shops virtualize their production machines. But a bigger threat is the fact that any real OS gives the hacker a real target to exploit and could lead to unintended consequences, so more and more administrators are turning to specialized honeypot software.