When you think about the layers of security your business needs, you probably think about firewalls, authentication systems, intrusion prevention, antivirus, and other common security controls. However, I suspect few think about honeypots. That's a shame, as honeypots make perfect network security canaries, and can improve any organization's defense.
As an infosec professional, you've probably heard of a honeypot: a digital trap set to catch computer attacks in action. In essence, honeypots are systems that mimic resources that might entice an attacker, while in reality they're fake systems designed to contain and monitor attacks. In the same vein, a honeynet is just a collection of different honeypots.
There are many different varieties of honeypots, each designed to recognize and observe diverse types of attacks. Some catch network attacks (Honeyd), others catch web application attacks (Glastopf), and some are designed to collect and observe malware (Dionaea). You can check out The Honeynet Project for a fairly complete list of different kinds of honeypots.
These different honeypots also have varying levels of depth. For instance, a low-interaction honeypot might only emulate basic network services, perhaps presenting a service banner and a command prompt but offering little real interaction to potential attackers (which also makes it easier for attackers to detect). High-interaction honeypots, by contrast, imitate full server systems, tricking hackers into carrying their attacks further so you can analyze them in depth. The trade-off is that a high-interaction honeypot is a real, compromisable system: it needs strict containment (an isolated network segment and egress filtering) so that it cannot become a pivot point into the rest of your network.
With all the different varieties to choose from, each with varying levels of capability, honeypots might sound a little overcomplicated and perhaps too cumbersome for a small organization. In fact, some of the research-focused ones are certainly overkill for anyone but security academics. However, you don't need the most complex, feature-packed honeypot for the simple purpose at hand.
A production honeypot is a relatively low-maintenance system, primarily used to detect attacks (rather than fully emulate and analyze them). Because no legitimate user or application has any reason to talk to it, every connection it receives is a high-fidelity alert, which is exactly what makes production honeypots great network canaries. Over the years, production honeypots have evolved and become much easier for the average Joe to deploy. While most honeypots began as command-line Linux packages, requiring manual installation and configuration, new solutions have surfaced making these packages more user-friendly, even for Linux newbies.
For instance, lately a number of Live CD distributions have come out specifically made for honeypots and honeynets. Rather than having to install a Linux distribution (distro) from scratch and configure everything yourself, these live honeypot distros have everything set up and ready to go. All you have to do is boot from a USB key or spin up a virtual machine. Best of all, these honeypot distros are free. Three great examples include: HoneyDrive, Active Defense Harbinger Distribution (ADHD) and Stratagem.
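To make the low-interaction and production-canary ideas above concrete, here is an added example (written for this page, not taken from any of the honeypot projects mentioned) of a minimal low-interaction TCP canary: each fake service presents a banner, captures the first bytes the client sends, records a structured event, and a small summarizer flags sources that touch more than one fake port. The banners, port list and event layout are assumptions chosen for illustration, not fingerprints copied from real servers.

```python
"""Minimal low-interaction TCP honeypot used as a network canary.

Each fake service presents a banner, captures the first bytes the client
sends, and records a JSON-serialisable event. The banners are constructed
bait strings for this example, not fingerprints of any real server.
"""
import json
import socket
import threading
import time
from collections import defaultdict
from datetime import datetime, timezone

# Constructed banners for the fake services (hypothetical bait strings).
BANNERS = {
    22: b"SSH-2.0-OpenSSH_8.4\r\n",
    23: b"\r\nlogin: ",
    3306: b"\x00\x00\x00\x0a5.7.0-canary\x00",
}
READ_TIMEOUT = 2.0   # seconds to wait for the client's first bytes
MAX_CAPTURE = 256    # bytes of attacker-controlled input kept per event


def build_event(src_ip, src_port, service_port, data, when=None):
    """Turn one connection into a structured event a SIEM can ingest."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "service_port": service_port,
        # the attacker controls this field: cap it and keep it printable
        "data": data[:MAX_CAPTURE].decode("utf-8", "backslashreplace"),
    }


def handle_client(conn, addr, service_port, sink):
    """Send the bait banner, capture what the client sends, record it."""
    with conn:
        conn.settimeout(READ_TIMEOUT)
        data = b""
        try:
            conn.sendall(BANNERS.get(service_port, b""))
            data = conn.recv(MAX_CAPTURE)
        except OSError:
            pass  # a scanner that only completes the handshake is still an event
    sink(build_event(addr[0], addr[1], service_port, data))


def serve(service_port, sink, bind_addr="0.0.0.0", bind_port=None):
    """Start a listener thread; returns (bound_port, stop_event).

    bind_port lets you listen on an unprivileged port while still
    presenting the banner of service_port (useful for local testing).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, service_port if bind_port is None else bind_port))
    srv.listen(16)
    srv.settimeout(0.2)  # poll accept() so the stop flag is honoured
    bound_port = srv.getsockname()[1]
    stop = threading.Event()

    def loop():
        with srv:
            while not stop.is_set():
                try:
                    conn, addr = srv.accept()
                except socket.timeout:
                    continue
                threading.Thread(target=handle_client,
                                 args=(conn, addr, service_port, sink),
                                 daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return bound_port, stop


def probe(port, payload, host="127.0.0.1", timeout=3.0):
    """Behave like a scanner: connect, read the banner, send one line."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def wait_for_events(events, count, timeout=3.0):
    """Block until the events list holds count entries or the timeout passes."""
    deadline = time.monotonic() + timeout
    while len(events) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return len(events) >= count


def summarize(events, port_threshold=2):
    """Group events by source; flag hosts that touched several fake ports.

    Any connection to a canary deserves a look; a source that hits more
    than one fake service is almost certainly scanning.
    """
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src_ip"]].add(ev["service_port"])
    return {ip: {"ports": sorted(p), "likely_scan": len(p) >= port_threshold}
            for ip, p in ports.items()}


if __name__ == "__main__":
    def emit(ev):
        print(json.dumps(ev), flush=True)   # ship this line to your SIEM

    for port in BANNERS:
        try:
            serve(port, emit)  # ports below 1024 need root or CAP_NET_BIND_SERVICE
        except PermissionError:
            print(f"cannot bind {port} without privileges; skipping")
    try:
        while True:
            time.sleep(60)
    except KeyboardInterrupt:
        pass
```

Run it on a host that nothing legitimate should ever connect to, and point each emitted JSON line at whatever alerting you already have; because the expected connection rate is zero, there is no baseline to tune and no threshold to argue about. Keep the capture short and escaped as shown: the bytes in the `data` field are chosen by the attacker, and a canary that logs unbounded raw input into a log pipeline has just created a new attack surface.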