The Honeypots in the Honeynet
To learn more about the blackhat community, we usually built our honeypot systems as default installations of commonly used operating systems. We did nothing to secure these systems, but we did nothing to make them more insecure, either. Our goal was to use systems commonly found on the Internet. Many organizations feel that they are not at risk and do little to protect or secure their systems. It was these very organizations that we hoped to prove wrong. By demonstrating the tools, tactics, and motives of the blackhat community, we hoped not only to learn but also to raise awareness. Many organizations also feel they have nothing of value to be compromised. As you will soon learn, these are the very organizations that many blackhats target.
The honeypots we have used are default installations of Red Hat Linux, Windows 98 desktop, Windows NT server, and Solaris server. We built these systems by selecting default parameters throughout the entire build and installation process, keeping customization to a minimum. Nothing was done to make the systems more secure. Many security professionals would consider these systems insecure, and they are correct. Most default installations of an operating system are highly insecure, especially if no measures are taken to harden them. Unfortunately, these very same default installations make up a high percentage of the systems connected to the Internet. Many organizations take no measures to secure their systems, believing that they are secure or not realizing their exposure to risk. It is these very organizations that the Honeynet Project has tried to replicate. For organizations that do secure their systems, the lessons learned here still apply. As you will soon learn, regardless of who you are and where you are located, the blackhats will find you. All it takes is one mistake or an unknown vulnerability, and your organization can be compromised.
Some people have questioned whether this technique is entrapment. Systems purposely intended to be compromised could be considered an attempt to entrap the blackhat community. However, we firmly believe that a Honeynet is not a form of entrapment, for the following reasons.
The intent of the Honeynet is not to catch bad guys but only to learn from them. Activity within the Honeynet is captured and analyzed and is not used to prosecute. At certain times, members of the law enforcement community have been informed of our findings. However, this information is not used to prosecute individuals.
Systems in the Honeynet do not differ from those in many production environments. The only difference is that the data entering and leaving the Honeynet is more closely studied. If the Honeynet is considered a form of entrapment, then so too would many production networks found on the Internet.
The Honeynet Project does not do anything to attract the blackhat community to our machines. We do not actively advertise their existence or lure people into accessing them. Blackhats actively find and compromise these systems on their own initiative. You will be amazed at how aggressive blackhats can be.
Honeynets do have their limitations. They are primarily a tool to learn, to be used for research and intelligence gathering. They are not the ultimate solution to all your security problems. We, the Honeynet Project, highly recommend that you first focus on securing your existing environment, using security best practices, such as applying patches, eliminating unneeded services, and reviewing your system logs. It is these day-to-day mundane but critical procedures that are vital to any organization's security. Once such standards have been met and are part of your everyday procedures, a Honeynet can add value to an organization. Meanwhile, the Honeynet Project hopes to continue its research and to share its lessons learned.