Sunday, September 9, 2007

The Honeynet Project: FAQs

http://www.honeynet.org/

1. Why are you guys doing this?
Because we want to make a difference. It is our goal that the concepts, information and tools that we provide (at no cost) will help improve the security of the Internet. Often people think it is odd that we put so much time and effort into our work and then share everything with the public (not a very good business model :). We wouldn't have it any other way.

2. Why are you publishing everything you do? Doesn't that give the bad guys the advantage?
Yes, this does give the bad guys an advantage. By sharing all of our tools, techniques, and research, the bad guys know what we are up to and can develop countermeasures. In many ways, it's like us showing our hand in a game of poker. However, keep in mind that our goal is not to catch attackers. Instead, our goal is research, and to share that research to help others. The best way to develop that research is to share with and learn from others, the security community. That is why we will always be an open-source organization.

3. What is the difference between a honeypot and a honeynet?
A honeynet is one type of honeypot, specifically a high-interaction honeypot that provides real systems for attackers to interact with. A honeypot is a system whose value is being probed, attacked, or compromised; you want the bad guys to interact with your honeypot. There are many different kinds of honeypots, with many different uses and values. To learn more about honeypots, check out the paper Honeypots and the book Honeypots: Tracking Hackers. To learn more about honeynets, please review the paper Know Your Enemy: Honeynets or a 2-minute online video that explains the concepts for you. The movie is in Apple QuickTime format (35 MB).

4. What do you do to attract threats to your honeynets?
Usually nothing. Normally we simply deploy systems on a dedicated Internet connection, then sit back and wait. Many threats are extremely active; you would be surprised at what activity you will find. However, the drawback to this approach is that you only capture active threats, such as worms, automated tools, or botnets. While these threats are common to everyone with an Internet connection, they do not represent the more advanced clientele.

5. What about advanced blackhats, have you captured their activity?
No. The vast majority of activity the Honeynet Project captures is automated threats. These are individuals, organizations, or automated tools (such as worms) that randomly scan millions of systems for known vulnerabilities, then attack anything they find vulnerable. In general, these threats are motivated to compromise as many systems as possible, often to make money. We have captured very little on advanced threats, individuals who target specific systems of high value.

6. Once compromised, can't the bad guys use one of your honeypots to attack someone else?
Potentially, yes. We have developed tools and techniques to mitigate this threat, but the risk exists. We use several layers of access control devices that limit and control what type of outbound connections are allowed, and how many. To learn more about these measures, refer to the paper Know Your Enemy: Honeynets.
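The outbound-connection limiting described above, as an added illustration that is not Honeynet Project code: a sliding-window limiter counts allowed outbound connections per honeypot and per protocol and blocks anything over a per-protocol cap, so a compromised honeypot cannot be turned into a scanner or flood source. The limits, window and traffic below are constructed for illustration.

```python
"""Simulated honeynet data control: cap outbound connections from a honeypot.
Added example (not Honeynet Project code); limits and traffic are constructed."""
from collections import defaultdict

# Constructed per-protocol caps on outbound connections per window.
# Assumption: a small allowance lets the intruder keep working (e.g. fetch
# tools, which is what the honeynet wants to observe) while scans and floods
# from the honeypot are throttled.
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}
WINDOW_SECONDS = 3600


class OutboundLimiter:
    def __init__(self, limits=DEFAULT_LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        # (honeypot_ip, proto) -> timestamps of connections already allowed
        self._seen = defaultdict(list)

    def decide(self, ts, src, proto):
        """Return 'allow' or 'block' for one outbound connection attempt."""
        proto = proto if proto in self.limits else "other"
        key = (src, proto)
        # Drop entries that have aged out of the sliding window.
        self._seen[key] = [t for t in self._seen[key] if ts - t < self.window]
        if len(self._seen[key]) >= self.limits[proto]:
            return "block"
        self._seen[key].append(ts)
        return "allow"


def apply_data_control(events, limiter=None):
    """Run (ts, src, proto, dst) outbound events through the limiter.

    Returns {(src, proto): {"allow": n, "block": m}} so an operator can see
    which honeypot hit its cap and for which protocol."""
    limiter = limiter or OutboundLimiter()
    summary = defaultdict(lambda: {"allow": 0, "block": 0})
    for ts, src, proto, dst in events:
        verdict = limiter.decide(ts, src, proto)
        summary[(src, proto)][verdict] += 1
    return dict(summary)


# Constructed sample: honeypot 10.0.0.5 starts an outbound TCP scan after compromise.
SAMPLE_EVENTS = [(t, "10.0.0.5", "tcp", f"203.0.113.{t % 250}") for t in range(40)]
```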

7. Do you prosecute the people that compromise systems within the Honeynet?
No. The prime directive of the Honeynet Project is research and to share those lessons learned. It is not our goal to catch and prosecute blackhats. We do forward information about compromised systems to CERT so CERT can notify the admins of compromised systems. We limit our contact with authorities to cases where the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.

8. Aren't honeypots a form of entrapment?
No. To learn more why, read the legal chapter from our new book, which is available for free at our Book site.

9. Do you have a maillist I can join?
The Honeynet Project does not maintain a public maillist. Instead, we highly recommend the public Honeypot maillist. This public forum is dedicated to the discussion of honeypots and honeypot-related technologies. Honeynets are nothing more than one type of honeypot.

10. How can I join or become involved with the group?
There are several ways you can become involved.
The Honeynet Research Alliance. This is a group of organizations actively researching honeynet technologies. Any group is welcome to join; however, we recommend you first review the Alliance charter. A third option is to join the Honeypot maillist. This list is made up of community members interested in learning more about honeypot technologies, and how to apply them to information security.

11. How do I get started in the security field?
The security field is relatively new; there really is no set path to becoming a security professional. Doctors, lawyers, accountants: all these fields have predetermined paths, courses, and certifications defining how you get started within these professions. Security is different in that there is no real defined path that we know of. So, part of the challenge to you is defining it yourself.
We recommend that you start by learning as much as you can technically. Your degree is not as important here as what you can learn on your own (many of the Honeynet members have History or Philosophy degrees). Read computer/security-related books; they are excellent for establishing a foundation in security fundamentals. Join security maillists; this is an excellent way to stay current and interact with fellow security professionals. Read whitepapers, such as the ones posted at LinuxSecurity.com, SecurityFocus.com, and the SANS Reading Room. Attend security conferences such as SANS, Blackhat, or CanSecWest. Finally, build your own lab. Having access to your own systems is one of the best ways to learn. Reading about technologies is one thing, but playing with and understanding them is another. The more mistakes you make in your lab, the faster you learn. The next step is to take this technical background and use it. Find any place that will utilize these skills. Remember, some of the best security professionals have system administration and networking backgrounds. Learn the basics first. Once you have accomplished these things, opportunities will happen. Last, we highly recommend you volunteer and help organizations, such as with their webserver, developing whitepapers, or just teaching folks about new threats or security tools. The more you give to the community, the more the community gives back. That's what the Honeynet Project is all about.
