Honeypots as an early warning system

16.12.2005
I often recommend that my clients set up and use a honeypot, and not just because my last book was entitled Honeypots for Windows. Honeypots are any non-production computer asset set up only as a target for hackers and malware. A honeypot is usually a PC, but it could be a Cisco router, Ethernet switch, or HP JetDirect card.

Many people think honeypots are non-necessary devices used by security administrators to track uberhackers. And while that's partially true, today I recommend that every company use one or more honeypots.

Why, you ask? Because all computer security defenses will fail. Your firewall will fail. Your anti-virus software will fail. Your IDS and all of your employee education will fail, if not once a year, then several times. That being the case, step two is to get the fast notification that your defenses have failed.

That's where a honeypot comes in: One or more of these should be your EWS (early warning system). Forget about giving the hacker (or malware) a realistically fake environment to hack around in (called "high-interaction" in honeypot parlance). As a non-production asset, nothing should ever touch the honeypot -- that way, if something touches it, probes it, port scans, or tries to log on to it, you'll know it's malicious, and you can capture as much information as possible from the initial contact. When something connects, the honeypot should immediately alert the security first responder, preferably by sending out a page or SMS alert, or by automatically creating a help desk ticket.

An EWS honeypot should detect and alert, and alternately log and report. In order to detect, the honeypot needs to initialize a listening service on the ports that a hacker or malware program will be likely to visit. For a Windows honeypot, that would include TCP ports 135, 137-139, and 445. A Unix/Linux host might want to have ports 22, 111, and RPC ports to mimic services running in the host environment.

You'll often hear people say that honeypots never have false positives. This is patently untrue, especially inside the network. Usually, I have to fine-tune the honeypot not to alert on normal broadcast traffic and tell my network management software to skip the honeypot. (Otherwise, my honeypot might alert when the patch management software tries to push out a new software update or when the anti-virus gateway server tries to deliver an updated signature.)