Introduction
Arguably one of the most significant accomplishments of the twentieth century was the invention of the computer and the subsequent creation of the internet. These two technologies have transformed the world as far as information processing and communication are concerned. Organizations have extensively adopted computer systems as efficient global communication became a defining attribute of successful organizations. However, these advances have also increased the frequency and sophistication of computer crime. It is therefore imperative that countermeasures be developed to detect and prevent these attacks. The key to such countermeasures is gathering information on vulnerabilities and gaining insight into the strategies attackers employ. Honeypots, which present prospective attackers with an apparently easy target that is in fact a trap, are one of the tools used to covertly monitor intruders. This paper argues that honeypots and honeynets are an effective method for identifying attackers, system vulnerabilities and attack strategies, thereby providing a basis for improved security as well as for catching attackers. The paper provides a detailed description of the benefits of this method and of its implementation. The legal issues surrounding the use of honeypots and honeynets are also addressed, so as to determine how these tools can be used within the legal framework of one's country.
Honeypots and Honeynets: a Brief Introduction
A honeypot is defined by Lance Spitzner as “a security resource whose value lies in being probed, attacked or compromised” (Pouget, Dacier & Debar, 2003; Spitzner, 2002). A honeypot is thus a device exposed on a network with the aim of attracting unauthorized traffic. A honeynet, in turn, is simply a network of honeypots placed behind a firewall. Once the system is compromised by an intruder, data on the unauthorized access is collected so that it can be studied to learn about the latest trends and tools used by intruders, and to help trace the traffic back to the intruder's computer. Since the value of a honeypot lies in its being “compromised” by an attacker, it makes sense to make it look not only enticing but also authentic to a hacker. A honeynet will therefore consist of the standard production systems that may be found within a real organization, generally several computers, as in a real intranet. Virtualization software such as VMware can be used to run several virtual computer systems on one physical machine (Krasser, Grizzard & Owen, 2005).
Types of honeypots
Honeypots can be categorized into two broad groups: production honeypots and research honeypots. The difference between the two springs from the role that the honeypot plays in a system. Production honeypots are used to avert risk to organizational resources by presenting a decoy for intruders to compromise. Research honeypots, on the other hand, are meant to gather as much information from attackers as possible. Production honeypots assist in mitigating the risk that organizations face and provide evidence of malicious attempts which may be used in a court of law. Research honeypots are an excellent basis for validating an organization's security setup, since potential threats and risks are assessed to enable administrators to make the best security decisions.
How Honeypots Work
An important point to note is that honeypots are not designed to prevent a particular intrusion; rather, their objective is to collect information on attackers, thereby enabling administrators to detect attack patterns and make the necessary changes to protect their network infrastructure from attacks. A honeypot device is placed openly with the aim of attracting unauthorized activity. The defining characteristic of a honeypot is the level of involvement that it affords the attacker. A low-involvement honeypot (also referred to as a low-interaction honeypot) only emulates systems and the services running on them (Carter, 2004). This kind of honeypot does not provide a real OS for the attacker to operate on, which greatly reduces the amount and significance of the data captured from the intruder. Low-interaction honeypots can offer information such as the date and time of the attack and the IP address of the attacker. However, their effectiveness is limited to attack patterns that are already known, since they can only emulate behaviour that was scripted in advance. The other kind of honeypot is the high-involvement honeypot. This honeypot makes the entire OS, along with the installed services, accessible to the intruder (Carter, 2004). This unlimited access allows far more data to be captured and subsequently analyzed.
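To make the low-interaction case concrete, the following is an added example (not code from the paper or from any of the cited authors) of a minimal low-interaction honeypot. It emulates a service purely through canned replies: because no real operating system sits behind the socket, the only things it can honestly record are the time, the source address and the bytes the probe sent, and it can only answer probe shapes that were scripted in advance. The fake server banners, the listening port and the function names are assumptions made for this example.

```python
"""Minimal low-interaction honeypot (added example, not from the paper).

It emulates a service only at the level of canned replies: no real operating
system stands behind the socket, so the only things it can record are the
time, the source IP/port and the bytes the probe sent, and it can only
answer probe shapes that were scripted in advance.
"""
import socket
from datetime import datetime, timezone

# Probe shapes this honeypot knows how to answer. Anything else gets no
# reply, which is the "known attack patterns only" limitation in practice.
# The fake banners are assumed values chosen to look like an old, tempting
# server; they are not taken from any real deployment.
KNOWN_PATTERNS = {
    "http-probe": (
        lambda d: d[:4] in (b"GET ", b"HEAD") or d.startswith(b"POST "),
        b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Length: 0\r\n\r\n",
    ),
    "ssh-client-banner": (
        lambda d: d.startswith(b"SSH-"),
        b"SSH-2.0-OpenSSH_5.3\r\n",
    ),
}


def classify(data: bytes) -> str:
    """Name the probe if it matches a scripted pattern, else 'unknown'."""
    for name, (matches, _reply) in KNOWN_PATTERNS.items():
        if matches(data):
            return name
    return "unknown"


def emulate_response(data: bytes) -> bytes:
    """Return the canned reply for a known probe; nothing for an unknown one."""
    kind = classify(data)
    return b"" if kind == "unknown" else KNOWN_PATTERNS[kind][1]


def build_event(peer, data: bytes, now=None) -> dict:
    """The record a low-interaction honeypot can honestly produce per probe."""
    now = now or datetime.now(timezone.utc)
    return {
        "time": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "kind": classify(data),
        "bytes": len(data),
        "sample": data[:64].decode("ascii", "replace"),
    }


def handle(conn, peer, log):
    """Serve one connection: read a probe, log it, send the scripted reply."""
    with conn:
        conn.settimeout(5)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        log.append(build_event(peer, data))
        reply = emulate_response(data)
        if reply:
            conn.sendall(reply)


def serve(host="0.0.0.0", port=8080, log=None):
    """Listen forever and hand each connection to handle() (port is assumed)."""
    log = [] if log is None else log
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            handle(conn, peer, log)
            print(log[-1])


if __name__ == "__main__":
    serve()
```

Running `serve()` and probing the port with a web browser or an SSH client produces one event per connection; a probe that does not match either scripted pattern is still logged with its timestamp and source address, but the honeypot has nothing to say back, which is exactly why a low-interaction honeypot cannot reveal what an attacker would have done next on a real system.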
Technical implementation
The type of honeypot that is implemented depends heavily on the objective of an organization as well as on the resources it has at its disposal. Law enforcement agencies require a lot of data so as to reconstruct the attacker's motives and identity, and as such a high-interaction honeypot may be utilized. These agencies also have the resources necessary to finance and maintain such a system. Corporations may not need to capture as much data, and therefore a low-interaction honeypot that is both easy to set up and presents limited danger may be preferred.
In most implementations, a single physical machine running multiple virtual operating systems is used. Carter (2004) suggests that the honeypot servers should be left unsecured to allow the intruder free rein over the system. To track the intruder's activity, intrusion detection tools such as Snort can be used to analyze the types of traffic received. One of the risks of honeypots is that an attacker who has taken over the honeypot can use it to generate outgoing traffic of his own, for example DoS attacks against third parties, with legal consequences for the honeypot owner. Placing a firewall in front of the honeypot that controls outbound traffic is therefore vital, since it lowers the risk posed by a hostile takeover of the honeypot. VMware is the software favored for setting up multiple virtual systems that mimic a real network setting.
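The outbound-control rule described above is usually enforced by the gateway firewall, but its logic can be shown on its own. The following is an added example (not code from the paper, from Carter, or from any cited author) that simulates such a policy in Python: each honeypot is allowed a small budget of outbound connections per sliding window, so the attacker does not immediately notice the trap, and every attempt beyond the budget is dropped and recorded as an alert. The honeypot addresses, the budget of 15 connections per hour, the victim address and the function names are all assumed values for this example.

```python
"""Outbound 'data control' for a honeynet gateway (added example, not from the paper).

Once a honeypot is taken over, the attacker will try to use it against third
parties. The policy below lets a honeypot make a small number of outbound
connections per sliding window (so the attacker does not immediately notice
that the box is a trap) and drops and alerts on everything beyond that budget.
The budget of 15 connections per hour and the honeypot addresses are assumed
values for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

HONEYPOTS = {"10.0.0.10", "10.0.0.11"}      # assumed honeynet addresses
BUDGET = 15                                 # assumed outbound budget per window
WINDOW = timedelta(hours=1)


class OutboundLimiter:
    """Sliding-window budget per honeypot for outbound connection attempts."""

    def __init__(self, honeypots=HONEYPOTS, budget=BUDGET, window=WINDOW):
        self.honeypots = set(honeypots)
        self.budget = budget
        self.window = window
        self._allowed = defaultdict(deque)   # src ip -> times of allowed attempts
        self.alerts = []                      # dropped attempts, for the analyst

    def decide(self, src_ip, dst_ip, dst_port, now):
        """Return 'ACCEPT' or 'DROP' for a new outbound connection attempt."""
        if src_ip not in self.honeypots:
            return "ACCEPT"                   # not a honeypot; outside this policy
        recent = self._allowed[src_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                  # expire attempts older than the window
        if len(recent) >= self.budget:
            self.alerts.append({"time": now.isoformat(), "src": src_ip,
                                "dst": f"{dst_ip}:{dst_port}"})
            return "DROP"
        recent.append(now)
        return "ACCEPT"


def replay(limiter, attempts):
    """Run a list of (time, src, dst, port) attempts through the limiter."""
    return [limiter.decide(src, dst, port, t) for (t, src, dst, port) in attempts]


def simulate_flood(start=datetime(2024, 1, 1, 12, 0, 0)):
    """Constructed scenario: an attacker on honeypot 10.0.0.10 opens 20
    connections in two minutes to a victim, then tries once more after the
    window has passed."""
    victim = "198.51.100.7"                   # assumed third-party address
    attempts = [(start + timedelta(seconds=6 * i), "10.0.0.10", victim, 80)
                for i in range(20)]
    attempts.append((start + WINDOW + timedelta(seconds=1), "10.0.0.10", victim, 80))
    limiter = OutboundLimiter()
    return replay(limiter, attempts), limiter


if __name__ == "__main__":
    verdicts, lim = simulate_flood()
    print(verdicts.count("ACCEPT"), "accepted,", verdicts.count("DROP"), "dropped")
    for alert in lim.alerts[:3]:
        print("alert:", alert)
```

In the constructed scenario the first 15 attempts pass, the next 5 are dropped and alerted on, and the attempt made just after the hour passes again because the oldest accepted attempt has fallen out of the window. The alerts are as valuable as the blocked packets: a burst of dropped outbound connections from a honeypot is a strong signal that the box has been compromised and that the attacker has moved from reconnaissance to using it as a launch point.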
Benefits of honeypots
Honeynets present a myriad of benefits for an organization or institution that employs them. By using honeynets, an administrator is able to detect other compromised systems on the network (Krasser, Grizzard & Owen, 2005). This is possible because attackers often use the honeypot as a starting point from which to hijack other systems. By analyzing the honeynet log files, one can trace the path the attacker took and arrive at the other systems that the intruder may have compromised.
Honeypots enable an organization to carry out research into the threats that it may face. Questions such as who the attacker is and what kind of tools they use in their attacks can thus be answered. This enables the IT security branch of the organization to better understand its potential threats and so to increase its preparedness and strengthen its defense mechanisms.
A production honeypot acts as an easy target, distracting the intruder from attacking the organization's real systems. This gives an organization some form of protection, since the potential attacker compromises the more enticing honeypot and leaves the organization's systems unscathed. In addition, the organization can use the production honeypot to positively identify the attacker. If this information has been lawfully obtained, it can be used to prosecute the attacker in a court of law.
Challenges
Despite the numerous merits that an organization or individual may reap from the use of honeypots, running these tools comes with inherent problems. Loss of control over the honeypot by its operator can render it useless, since its main purpose is to capture unauthorized activity. If an attacker succeeds in infiltrating the system without being noticed, then there is a flaw in the device and it is of no benefit to its owners.
Since virtual honeypots run on top of a host operating system, there is always the danger of an attacker breaking out of the virtual environment and into the host (Baumann & Plattner, 2002). This would give the attacker access to data and resources that are vital to the organization, allowing him or her to compromise the entire system and cause losses.
Baumann and Plattner (2002) affirm that the effectiveness of honeypots can be greatly impeded when the attacker employs encrypted connections. While logging and listening in on unauthorized traffic is still possible when the connection is encrypted, deciphering what is captured in the attacker's packets is at times impossible. In some cases, an attacker can take over the entire system, rendering the administrator helpless. The attacker can then use the system resources available to him to launch attacks on other systems. Such attacks, e.g. denial of service attacks on other networks, can result in damage to a third party's network (Krasser, Grizzard & Owen, 2005). The consequences of such failures can be costly, as the honeypot owner can be held legally liable for the attack and forced to compensate the third party.
Legal Issues
The use of honeypots presents a number of legal issues for any person or organization that implements them. One of the core legal issues arising from honeypot usage is entrapment. Spitzner (2006) defines entrapment as the act of a government agent inducing a person to commit a crime, by fraudulent means or unwarranted inducement, in order to prosecute that person. Since the definition is limited to government agents, the issue arises chiefly for honeypots operated by or on behalf of law enforcement: an attacker taken to court as a result of compromising such a honeypot can argue that he was induced to commit the crime, thus seeking to nullify the evidence contained in the honeypot logs.
The issue of privacy, which is prevalent throughout the information technology sphere, also applies to the use of honeypots. Honeypots can be configured to capture the content of a transmission. This data has privacy issues attached to it, and therefore its collection and use may violate the transmitter's privacy. Spitzner (2006) suggests that placing banners that oblige individuals to consent to monitoring, thereby waiving their right to privacy, is one of the ways in which monitoring of a system can be legitimized.
Honeypots can also lead to attacks on third parties when the honeypot is used as the platform of attack. This presents a legal problem, since the owner of the honeypot may be held responsible for the attack even though it was an intruder who used the honeypot to attack another person's system. Baumann and Plattner (2002) assert that it is the honeypot owner's responsibility to ensure that no harm is caused to third parties as a result of their honeypots.
Conclusion
The IT arena is ever evolving, and as its effectiveness increases, so do the risks. Preventive and detective measures should therefore be employed to improve security. This paper set out to show that honeypots can be used to identify and catch security threats as well as to identify vulnerabilities in an organization's network. It has been shown that honeypots can be used to identify attackers and to take legal action against them. However, while honeypots are a versatile tool for revealing the identity of attackers and prosecuting them in a court of law, law enforcers should take care that the information they obtain does not infringe on the rights of the individual, which would make it inadmissible in court.
While honeypots are an important weapon in the IT security personnel's arsenal against attackers, it is clear from this paper that they do not by themselves protect an organization's computer infrastructure from attacks. It is therefore prudent for organizations to invest in security measures such as firewalls and antivirus software and to adhere to best security practices in order to safeguard their systems. Having done so, organizations and individuals alike can thrive on the numerous benefits that computer networks offer.
References
Baumann, R. & Plattner, C. (2002). White Paper: Honeypots. Web.
Carter, W. L. (2004). Setting up a Honeypot Using a Bait and Switch Router. Web.
Krasser, S., Grizzard, B. J. & Owen, H.L. (2005). The Use of Honeynets to Increase Computer Network Security and User Awareness. Haworth Press. Web.
Pouget, F., Dacier, M. & Debar, H. (2003). White Paper: Honeypot, Honeynet, Honeytoken: Terminological Issues. Web.
Spitzner, L. (2006). Honeypots: are they Illegal? Web.