A honey pot is a computer that has been designated as a target for computer attacks. The purpose of a honey pot is to allow itself to succumb to an attack. During the process of "dying," the system can be used to gain information about how attacks develop and what
Honey pot systems are not normally secured or locked down. If they came straight out of the box with an operating system and applications software, they may be configured as is. Elaborate honey pot systems can contain information and software that might entice an attacker to probe deeper and take over the system. In fact, if not configured properly, a honey pot system can be used to launch attacks against other systems.
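The safest form of honey pot is one that only records. The following Python sensor is an added example (it is not code from the book or from any honey pot project): it listens on a local TCP port, logs who connected and the first bytes they sent, and never replies, never runs a real service, and never acts on the received data, so a compromised sensor cannot be turned against other hosts as the paragraph above warns. The port number 0 (let the OS choose), the 256-byte capture limit and the `probe` helper that simulates a scanner are assumptions for the demonstration.

```python
"""Listen-only honey pot sensor (added example, not from the book)."""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class ConnectionRecord:
    peer: str          # source address of the probe
    port: int          # source port of the probe
    timestamp: float   # time.time() when the connection arrived
    first_bytes: bytes  # whatever the peer sent first, capped at max_capture


@dataclass
class HoneyPotSensor:
    host: str = "127.0.0.1"
    port: int = 0            # 0 = let the OS pick a free port (assumption for the demo)
    max_capture: int = 256   # never read more than this from a peer
    records: list = field(default_factory=list)

    def __post_init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._sock.close()
        self._thread.join(timeout=2)

    def _serve(self):
        self._sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                conn, (peer, pport) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:       # socket closed by stop()
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(self.max_capture)
                except (socket.timeout, OSError):
                    data = b""
                # Record only: no reply is ever sent and the data is never executed.
                with self._lock:
                    self.records.append(ConnectionRecord(peer, pport, time.time(), data))

    def wait_for(self, count, timeout=3.0):
        """Block until at least `count` records exist; True if they do."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    return True
            time.sleep(0.05)
        return False

    def summary(self):
        """Probe count per source address: the first thing an analyst asks for."""
        with self._lock:
            counts = {}
            for r in self.records:
                counts[r.peer] = counts.get(r.peer, 0) + 1
            return counts


def probe(host, port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Simulate a scanner touching the sensor (constructed traffic for the demo)."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)  # the sensor never answers, so just send and close


if __name__ == "__main__":
    sensor = HoneyPotSensor()
    sensor.start()
    probe("127.0.0.1", sensor.port)
    probe("127.0.0.1", sensor.port, b"SSH-2.0-scanner\r\n")
    sensor.wait_for(2)
    sensor.stop()
    for rec in sensor.records:
        print(rec.peer, rec.port, rec.first_bytes)
    print(sensor.summary())
```

Because the sensor owns no real service and writes nothing back, the only thing an attacker gains from it is a closed connection, while the defender gains the timestamp, source and payload of every probe.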
There are several initiatives in the area of honey pot technology. One of the more interesting involves a project called honeynet. This organization has created a whole synthetic network that can be run on a single computer system and is attached to a network using a normal NIC card. The honeynet system looks like an entire corporate network, complete with applications and data, all of which are fake.
Note: Additional information is available on the honeynet project by visiting www.project.honeynet.org.
As part of the honeynet project, the network was routinely scanned, worms were inserted, and attempts were made to contact other systems to infest them—all of this occurred in a three-day period. At the end of Day Three, the system (a Windows 98 system) had been infected by no fewer than three worms. This was done without any advertising by the honeynet project.
Before you even consider implementing a honey pot or a honeynet-type project, you need to understand the concepts of enticement and entrapment.
Enticement is the process of
While enticement is acceptable, entrapment is not. Your legal liabilities are probably pretty small, in either case, but you should seek legal advice before you implement a honey pot on your network. You may also want to contact law enforcement or the prosecutor's office if you want to
Incident response refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident. Simply, an incident is the occurrence of any event that endangers a system or network. Two types of incident responses need to be discussed: internal incidents and incidents involving law enforcement professionals. Figure 4.15 illustrates the interlocked relationship of these processes in an incident response. Notice that each of the steps, including the first step, is
Figure 4.15: Incident response cycle
The first type of incident response will be discussed here. Bringing law enforcement into the picture will be discussed in Chapter 10, "Security Management." In either event, it is a good idea to have the procedures that you will
Note: Law enforcement personnel are governed by the rules of evidence, and their response to an incident will be largely out of your control.
You need to
Words matter. The
The
Incident identification is the first step in determining what has occurred in your organization. An internal or external attack may have been part of a larger attack that has just surfaced, or it may be a random probe or scan of your network.
Note: An event is an IDS-triggered signal. Operations personnel will determine if an event becomes an incident.
Many Intrusion Detection Systems will trigger false positives when reporting incidents. False positives are simply events that are not really incidents. Remember that IDS is based on rules and attack signatures. If the rules are not set up properly, normal traffic may set off the analyzer and generate an event. You do not want to declare an emergency unless you are sure you have one.
One of the problems that can occur with manual network monitoring is overload. Over time, a slow attack develops which slowly
In the manually
Once you have determined that you indeed have an incident on your hands, you need to consider how best to handle it. This process, called escalation, involves consulting policies, consulting appropriate management, and determining how best to conduct an investigation into the incident. You want to make sure that the
A key aspect, often overlooked by systems professionals, involves information control. When an incident occurs, who is responsible for managing the communications about the incident? Employees in the company may naturally be
The process of investigating an incident involves searching logs, files, and any other sources of data about the nature and scope of the incident. If possible, you want to determine if this is part of a larger attack, a random event, or a false positive. False positives are very common in an IDS environment, and they may be merely the result of unusual traffic in the network. It may be that your network is being pinged by a class of computer security students to
You are the network administrator of a small network. This network has an old mail server that is used for internal and external e-mail. You periodically investigate log and audit files to determine the status of your systems and servers. Recently, you noticed that your e-mail log file has been reporting a large number of undeliverable or bounced e-
For starters, you may have one or more viruses or worms in your system. This type of virus sounds like an SMTP virus. Outlook and Outlook Express are the most popular virus spreaders in use today. A virus, such as the Klez32 virus, can gain access to the address directory and propagate itself using SMTP.
You should investigate why the antivirus software is out of date, upgrade these systems as appropriate, and add server-based and mail-server virus protection capabilities to your network.
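The scenario above starts from a mail log full of bounces; a mass-mailing worm that harvests an address book and sends through SMTP shows up as one internal client producing many bounced messages to many recipients. The Python below is an added example (not code from the book, and not tied to any particular mail server's log format) that scans constructed log lines of the form `time from= client= to= status=`, aggregates per internal client host, and flags hosts whose bounce count and bounce ratio both exceed a threshold so the administrator knows which workstations to check first. The log format, the addresses and the thresholds (three bounces, half of all mail) are assumptions.

```python
"""Finding the internal host behind a flood of bounced mail (added example)."""
import re
from collections import defaultdict

# Constructed mail-server log lines (not a real MTA format).
# 10.1.3.21 is a normal user; 10.1.3.40 sends to many unknown recipients and
# most of it bounces; 10.1.3.55 has a single typo'd address.
SAMPLE_MAIL_LOG = """\
2003-04-01 09:00:12 from=alice@corp.example client=10.1.3.21 to=bob@corp.example status=sent
2003-04-01 09:00:15 from=alice@corp.example client=10.1.3.21 to=carol@partner.example status=sent
2003-04-01 09:01:00 from=dave@corp.example client=10.1.3.40 to=x1@old-isp.example status=bounced
2003-04-01 09:01:01 from=dave@corp.example client=10.1.3.40 to=x2@old-isp.example status=bounced
2003-04-01 09:01:01 from=dave@corp.example client=10.1.3.40 to=x3@gone.example status=bounced
2003-04-01 09:01:02 from=dave@corp.example client=10.1.3.40 to=bob@corp.example status=sent
2003-04-01 09:01:02 from=dave@corp.example client=10.1.3.40 to=x4@gone.example status=bounced
2003-04-01 09:01:03 from=dave@corp.example client=10.1.3.40 to=x5@gone.example status=bounced
2003-04-01 09:02:30 from=eve@corp.example client=10.1.3.55 to=bob@corp.example status=sent
2003-04-01 09:02:31 from=eve@corp.example client=10.1.3.55 to=bobb@corp.example status=bounced
2003-04-01 09:02:40 from=eve@corp.example client=10.1.3.55 to=carol@partner.example status=sent
2003-04-01 09:03:00 from=eve@corp.example client=10.1.3.55 to=frank@partner.example status=sent
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) from=(?P<sender>\S+) client=(?P<client>\S+) "
    r"to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)


def parse_mail_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def per_client_stats(entries):
    """Aggregate sent/bounced counts and distinct recipients per internal client."""
    stats = defaultdict(lambda: {"sent": 0, "bounced": 0, "recipients": set(), "senders": set()})
    for e in entries:
        s = stats[e["client"]]
        s["senders"].add(e["sender"])
        s["recipients"].add(e["rcpt"])
        if e["status"] == "bounced":
            s["bounced"] += 1
        else:
            s["sent"] += 1
    return stats


def suspect_clients(text, min_bounces=3, min_bounce_ratio=0.5):
    """Clients whose bounce count and bounce ratio both exceed the thresholds.

    Returns (client, bounced, sent, distinct_recipients) tuples, worst first.
    A single bad address (one bounce among several sent messages) is not flagged.
    """
    stats = per_client_stats(parse_mail_log(text))
    flagged = []
    for client, s in stats.items():
        total = s["sent"] + s["bounced"]
        ratio = s["bounced"] / total if total else 0.0
        if s["bounced"] >= min_bounces and ratio >= min_bounce_ratio:
            flagged.append((client, s["bounced"], s["sent"], len(s["recipients"])))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for client, bounced, sent, rcpts in suspect_clients(SAMPLE_MAIL_LOG):
        print(f"check {client}: {bounced} bounced, {sent} sent, {rcpts} distinct recipients")
```

The ratio test is what keeps a user with one mistyped address off the list; the distinct-recipient count is the tell for an address-book worm, since a person rarely mails five strangers in three seconds. Once the host is identified, the steps in the scenario's answer (bring its antivirus up to date, then add mail-server scanning) apply.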
One of your first considerations is to determine how to restore access to resources that have been compromised. Then, of course, you must reestablish control of the system. Most operating systems provide the ability to create a disaster recovery process using distribution media or state files of the system.
Once a problem has been identified, what steps will you take to restore service? In the case of a DoS attack, a system reboot may be all that is required. Your operating system manufacturer will typically provide detailed instructions or documentation on how to restore services in the event of a loss.
If a system has been severely compromised, as in the case of a worm, it may not be possible to repair the system. It may need to be regenerated from scratch. Fortunately, antivirus software packages can repair most of the viruses you encounter. But what if you encounter something new? You may need to start from scratch with a new system. In that case, you would be well advised to do a complete disk drive format or
A virus recently hit a
He probably has contracted a worm that has infected the system files in his computer. You should help him back up his user files to removable media. Then you should completely
During the entire process of responding to the incident, you should be documenting the steps that have been taken to identify, detect, and repair the system or network. This information is
You may also want to inform the software or systems manufacturer of the problem and how you corrected it. Doing so may help them
Once the incident has been successfully managed, it is a worthwhile step to
Answering simple questions can sometimes be helpful when you are resolving problems. Stated questions in a policy or procedure manual might include:
How did the policies work or not work in this situation?
What did we learn about the situation that was new?
What should we do differently next time?
These simple questions can help you adjust procedures. This process is called a post mortem, and it is the equivalent of an autopsy.