Re: Know your enemy, Virtual Honeynets, Yet more information

From: Benjamin M.A. Robson (ben@robson.ph)
Date: 08/21/02


Date: Wed, 21 Aug 2002 15:20:37 +1000
From: "Benjamin M.A. Robson" <ben@robson.ph>
To: Nicholas Bachmann <nbachmann@mail.davison.k12.mi.us>

Nicholas,

OK. The intent of my commentary was not to belittle the efforts of the various
honeypot(net) projects around, or to suggest they are not useful in some cases. I linked
my comments to this article, as it was a source of yet more data.

<snip..snip>

>> The critical issue now is we have too much information. We have logs
>> that require analysing from the firewall(s), the IDS sensor(s) and not
>> the honeynet device(s).
>>
> Honeynet logs really don't require much effort until something is
> compromised except spending 5 minutes to make sure everything looks
> hunky dory.

I would dispute this statement. Any system, be it a Windows workstation or a SAMBA file
server, requires a minimum amount of attention (per maintenance cycle). A honeypot system
WILL add more administrative overhead.

In regard to honeypot logs, I would suggest that unless you are paying close, regular
attention to the victim machines, then you are not getting any real value out of the
honeypot. If an attacker is successful, and root-kits your machine, unless you are
looking closely at it, you will not know until all sorts of evil stuff is happening (warez
server/porn site/etc...). My point was that unless you ARE spending a great deal of time
looking at logs and system files, then you are not getting the real value from the
honeypot. If you are looking at part of it, you are only getting part of the information,
and as such there is a good chance anything you do learn is wrong and/or incomplete.

Hence I would say that unless you can spend ALL of the time required to do regular, full
analysis of the systems then the systems are likely to be more trouble than they're worth.

<snip..snip>

>> The vast majority of people who are responsible for an organisation's
>> information security ARE NOT security professionals, and ARE NOT full
>> time, dedicated, security staff. They are usually over-worked, under-
>> appreciated systems administrators, who struggle enough as it is
>> getting useful information out of flaky users, and flaky vendors. So
>> the concept of spending multiple hours in a day analysing information
>> from firewalls, IDS sensors and honeynet devices is preposterous.
>>
> Well, a few things here, in reverse order. If it takes hours to review
> your logs, you probably need somebody to do security at least part time
> (that's what I do, it works out pretty well; you get to interact with
> the network you monitor, which gives you a good feel of the network) or
> you might as well log to /dev/null. Next, remember that Honeynets are
> really only useful in the hands of trained professionals. As conceited
> as it sounds, if you don't know how to work the tools and look at the
> data, it's not going to do much good (except as a tool to become a
> trained professional) for anybody.

Please don't take this the wrong way, but this actually supports my case about security
professionals. The REALITY is that the majority of people charged with an organisation's
security ARE NOT trained in security, or hired to do that task as their primary objective.
The reason the organisation is asking the poor systems administrator to do this is
because the organisation can either NOT AFFORD a full-time security professional, or
cannot be convinced of the need.

I know plenty of organisations that produce MB of logs each day, have 10 or more full-time
system administrators, but do not have, nor will be getting in the foreseeable future, a
full-time security professional.
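The "looking closely at system files" work that the post argues a honeypot demands is, at its most basic, a file-integrity baseline: hash everything once, then compare on every maintenance cycle so a replaced, added or removed file is surfaced without hand-inspecting the tree. The example below is added here and is not code from the post or its author; the sample directory it builds, the changes it applies to that directory, and the function names (`baseline`, `compare`, `demo`) are all constructed for this illustration.

```python
"""
Added example (not from the mailing-list post): a minimal file-integrity
baseline check. It records a SHA-256 digest for every regular file under a
directory, then reports which files were modified, added or removed since
the baseline was taken. The sample tree and the changes made to it are
constructed for the demonstration; the paths are not from the thread.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each regular file under root (as a path relative to root) to its digest.
    Symlinks are skipped: hashing whatever they currently point at would let a
    retargeted link hide a change."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            snapshot[os.path.relpath(full, root)] = sha256_of(full)
    return snapshot


def compare(before, after):
    """Diff two snapshots; lists are sorted so the report is stable across runs."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def build_sample_tree(root):
    """Constructed stand-in for a few 'system files' on the monitored host."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original ls binary\n")
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"original ps binary\n")
    with open(os.path.join(root, "etc", "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")


def apply_sample_changes(root):
    """Constructed changes of each kind the comparison must surface:
    one file's contents replaced, one file added, one file removed."""
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"replaced ps binary\n")
    with open(os.path.join(root, "etc", "extra.conf"), "wb") as f:
        f.write(b"constructed new file\n")
    os.remove(os.path.join(root, "bin", "ls"))


def demo():
    """Run one full baseline/compare cycle in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = baseline(root)
        apply_sample_changes(root)
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) if paths else 'none'}")
```

The baseline itself must live somewhere the monitored host cannot write to; a snapshot kept on the honeypot is only as trustworthy as the honeypot, which is exactly the machine assumed to be compromised. This also only covers files: a full cycle of the kind the post describes still has to read the logs, which this check does not replace.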
