Re: RES: Protocol Anomaly Detection IDS - Honeypots

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 02/22/03

    From: Frank Knobbe <fknobbe@knobbeits.com>
    To: Mike Shaw <mike@shawnuff.net>
    Date: 21 Feb 2003 18:33:17 -0600
    

    On Fri, 2003-02-21 at 10:54, Mike Shaw wrote:
    > >For example, you create a word document that has the title of payroll
    > >or 'research and development'. You put whatever fluff you want
    > >in the
    > >document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.
    > >
    >
    > This is something I've been doing on my production networks for a couple years now, but at more than the wire level.
    >
    > Think:
    > Excel spreadsheets of bogus usernames and passwords.
    > Fake info being passed over AIM and other cleartext protocols on a hub.
    > Bogus customer records in a banking app.
    > Bogus hosts in host lists.
    > File names that should never be in a directory scan.
    > False DNS entries such as "accounting.domain.com"
    >
    > The possibilities are endless.

    Yes, they are. When discussing this, we have to be careful not to
    overstep the fine line that differentiates the honeytoken idea from a
    copy-bug or a deception-pool.

    A copy-bug is a marker embedded in a document that lets you identify an
    illegal copy. Most widely used are grammatical or typographical errors.
    If someone reproduces a document titled 'The Delcaration of
    Independence' you can spot it because you know that you marked it with that
    typo.

    A deception pool is a stash of falsified documents (think research data)
    amongst which you hide the real document. Imagine a folder called
    Research with the files Result00001.doc through Result99999.doc. Only
    Result77453.doc contains the real result.

    Copy-bugs can be tracked just like you would zoom in on a honeytoken,
    but they do not attract like a honeypot. A deception-pool provides a lot
    of false info, just like a honeypot/honeytoken, but again does not
    attract. Honeypots, while providing false info, attract the hacker so we
    can learn about their techniques.

    Don't get me wrong, the idea of honeytokens is great. But we have to be
    careful that we don't give an old horse a new name.

    Cheers,
    Frank
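The three mechanisms Frank separates above (honeytoken, copy-bug, deception pool) in working form, as an added Python example that is not part of this thread. Everything in it is assumed for illustration: the "user OPEN file" audit-log format and the proxy-log lines are constructed, the letter-swap scheme for producing one unique typo per recipient is just one way to build a copy-bug, and the pool size and the real file name Result77453.doc are borrowed from the message above.

```python
import secrets

# ---- Honeytoken: a unique, unguessable marker; seeing it anywhere is the alert ----

def make_honeytoken(prefix="TRK"):
    """Return a tracking number in the spirit of '14A8478bG98734T90AAZ'.
    The random suffix makes the value infeasible to guess and very unlikely
    to appear in real traffic by accident, so a match is a high-confidence hit."""
    return f"{prefix}-{secrets.token_hex(8).upper()}"

def scan_for_tokens(log_lines, tokens):
    """Return (line_no, token) for every log line that contains a known token.
    Works on any text log: proxy, IDS, mail, DNS query log, file-server audit."""
    return [(no, tok) for no, line in enumerate(log_lines, 1)
            for tok in tokens if tok in line]

# ---- Copy-bug: a per-recipient marker that identifies the source of a leaked copy ----

def mark_copies(text, recipients, word="Declaration"):
    """Give each recipient a copy of `text` with its own deliberate typo in `word`
    (a different pair of adjacent letters swapped per recipient; an assumed scheme).
    Returns (copies, markers): recipient -> marked text, recipient -> typo."""
    copies, markers = {}, {}
    for i, recipient in enumerate(recipients):
        j = i + 1                       # swap word[j] and word[j+1]
        if j + 1 >= len(word):
            raise ValueError("marker word too short for this many recipients")
        typo = word[:j] + word[j + 1] + word[j] + word[j + 2:]
        markers[recipient] = typo
        copies[recipient] = text.replace(word, typo)
    if len(set(markers.values())) != len(markers):
        raise ValueError("typos collided; choose a word without repeated adjacent letters")
    return copies, markers

def identify_leak(leaked_text, markers):
    """Return the recipients whose private typo appears in a leaked copy."""
    return [r for r, typo in markers.items() if typo in leaked_text]

# ---- Deception pool: one real file hidden among decoys; touching a decoy is the alert ----

def build_pool(n, real_index=None):
    """Return (names, real_name) for Result00001.doc .. ResultNNNNN.doc.
    real_index is chosen at random unless given (given only to keep the demo deterministic)."""
    names = [f"Result{i:05d}.doc" for i in range(1, n + 1)]
    if real_index is None:
        real_index = secrets.randbelow(n)
    return names, names[real_index]

def decoy_accesses(access_log, names, real_name):
    """Return (user, file) for every OPEN of a decoy. Log lines are '<user> OPEN <file>'
    (a constructed format, not any particular product's)."""
    decoys = set(names) - {real_name}
    alerts = []
    for line in access_log:
        parts = line.split()
        if len(parts) == 3 and parts[1] == "OPEN" and parts[2] in decoys:
            alerts.append((parts[0], parts[2]))
    return alerts

if __name__ == "__main__":
    # Constructed sample data for the demo.
    token = make_honeytoken()
    proxy_log = ["GET /intranet/payroll.doc 200",
                 f"POST http://pastebin.example/upload body={token}"]   # token leaving the network
    print("honeytoken hits:", scan_for_tokens(proxy_log, [token]))

    copies, markers = mark_copies("The Declaration of Independence", ["alice", "bob"])
    print("copy-bug source:", identify_leak("The Delcaration of Independence", markers))

    names, real = build_pool(99999, real_index=77452)          # real file is Result77453.doc
    audit_log = ["fknobbe OPEN Result77453.doc",               # legitimate access
                 "intruder OPEN Result00042.doc",               # decoy touched: alert
                 "intruder OPEN Result12345.doc"]
    print("decoy accesses:", decoy_accesses(audit_log, names, real))
```

The three detectors differ in what a hit tells you, which is the point of the distinction: a honeytoken hit says the bait moved, wherever it turned up; a copy-bug hit says which recipient's copy leaked, so the marker must differ per recipient; a deception-pool hit says someone is browsing who does not know which file is real, and the legitimate user opening Result77453.doc never trips it. The token is random rather than a fixed string precisely so that a grep over real logs does not produce false positives.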