Advantages and Limitations of Traps and Deceptive Measures


Regardless of the particular instantiation, traps and deceptive measures offer both advantages and disadvantages. This section of the chapter considers both.

Advantages

In the broadest sense, traps and deceptive measures deserve consideration because they represent a departure from traditional computer and information security countermeasures. Many security professionals are convinced that these traditional measures, such as password policies, password filters, system auditing, and so on, have lost much of their luster and effectiveness over time. Too often, attackers' strategies for attacking systems and networks are successful on the first try. If we could understand the behavior of perpetrators as they engage in unauthorized activity, however, we might be able to provide appropriate countermeasures. Traps and deceptive measures are particularly promising in this regard. Consider the potential benefits discussed in the following sections.

Providing a Moving Target

Traps and deceptive measures, in effect, can provide a moving target for attackers. A victim host on one day might be a bogus host the next day. A legitimate service, environment, or command can be changed. Attackers must now modify their goals and targets if they are to be successful in their efforts.

Increasing the Time and Work Factor Associated with Attacking Systems

In what is already widely regarded as the definitive paper on honeypots, Douglas Moran points out that attackers often allocate a certain amount of time to each target in an attempt to lower the probability of being detected.[3] If attackers spend their time in confusion or misdirection by reaching a bogus server, service, application, directory, and so on, time is more likely to run out. Additionally, if attackers have to discriminate between what is real and what is bogus as they engage in their efforts, the work factor is likely to increase. The likely result is fewer systems attacked and quite possibly fewer successful attacks.

[3] Moran, Douglas. "Effective deployment of honeypots against internal and external threats." Information Security Bulletin, 2000, Vol. 5, Issue 8, pp. 27–34.

Reducing the Potential for Damage

In World War II, fighting forces launched drones, decoy aircraft designed to draw fire away from normal aircraft. Various forms of deceptive measures can serve as virtual drones that help keep attackers away from valuable systems, services, and resources. Similarly, deploying decoy servers, services, and resources can also provide an early glimpse into attacker activities and types of tools (including any new tools) used. The result is a better ability to protect systems and networks by being able to deploy additional evasive measures before attacks actually reach the intended victim systems.

Providing More Time for a Well-Planned, Efficient Response

The likelihood that attackers' efforts might be derailed or slowed is an advantage for security professionals. Instead of having to make instant decisions, they might now have the luxury of more time to plan a proper course of action, which in turn can lead to a more efficient and satisfactory incident response effort.

Providing Information that Traditional Tools Miss

Traps and deceptive measures also can record information that traditional tools such as intrusion detection systems (IDSs) and firewalls miss. Despite the fact that many IDSs seem to be improving in their detection capabilities, they nevertheless invariably miss a sizeable portion of attacks. Someone who has bypassed firewall defenses and then evaded intrusion-detection measures might next connect to a server or service that looks interesting. If the server or service is bogus, however, security staff and others will immediately learn of the presence of an attacker. Traps and deceptive measures are particularly valuable in discovering insider attacks, incidents that current IDSs are particularly poor in recognizing. Bogus servers (honeypots) are also valuable in helping determine when an attacker is performing network scans. Attackers typically deploy a variety of scanning methods, in particular slow scanning, to avoid detection. Placing several bogus servers that each record scan data makes it possible to correlate that data across servers and thus conclusively identify that a scan has been launched within one's network. A honeypot sometimes is the only way to identify internal attacks.
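As an added illustration of the cross-decoy correlation just described (example code, not from the book), the script below merges connection records reported by several decoy hosts and reports any source seen on two or more of them, flagging the hit pattern as "slow" when it is spread over more than 30 minutes. The decoy names, addresses and log format are constructed assumptions.

```python
# Added example (not from the book): correlate connection records reported by
# several decoy hosts. One hit on one decoy may be a stray; the same source
# reaching several decoys, even slowly, is a scan. Log format and hosts are
# constructed for the demo.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <decoy host> <source IP> <dst port>"
SAMPLE_LOGS = """\
2002-03-01T02:00:05 decoy-a 198.51.100.7 22
2002-03-01T02:41:10 decoy-b 198.51.100.7 22
2002-03-01T03:20:44 decoy-c 198.51.100.7 80
2002-03-01T04:02:31 decoy-a 198.51.100.7 443
2002-03-01T02:10:00 decoy-b 203.0.113.9 80
2002-03-01T02:10:02 decoy-b 203.0.113.9 81
2002-03-01T02:10:04 decoy-c 203.0.113.9 80
2002-03-01T05:00:00 decoy-a 192.0.2.44 80
"""

def parse(text):
    """Yield (time, decoy, src, port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, decoy, src, port = parts
            yield datetime.fromisoformat(ts), decoy, src, int(port)

def correlate(text, min_decoys=2, slow_after_s=1800):
    """Return {src: {...}} for sources seen on at least min_decoys decoys.
    'slow' flags scans whose first-to-last span exceeds slow_after_s, i.e. a
    scan paced to stay under a single host's detection threshold."""
    seen = defaultdict(lambda: {"decoys": set(), "ports": set(), "times": []})
    for t, decoy, src, port in parse(text):
        seen[src]["decoys"].add(decoy)
        seen[src]["ports"].add(port)
        seen[src]["times"].append(t)
    scans = {}
    for src, rec in seen.items():
        if len(rec["decoys"]) < min_decoys:
            continue  # a lone touch on one decoy is left to per-host alerting
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        scans[src] = {"decoys": sorted(rec["decoys"]),
                      "ports": sorted(rec["ports"]),
                      "span_s": span, "slow": span > slow_after_s}
    return scans

if __name__ == "__main__":
    for src, info in correlate(SAMPLE_LOGS).items():
        print(src, info)
```

In the sample, 198.51.100.7 touches all three decoys over two hours and is reported as a slow scan, while 192.0.2.44 hits only one decoy and is not reported by this correlation step.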

Decreasing Attackers' Confidence

Another potential benefit of traps and deceptive measures is that, if deployed properly, they can lower the confidence of attackers. Attackers might not only wonder why they are not experiencing as much success as usual, they might also lose face if others learn that they have spent time attacking decoy systems, services, and resources. Loss of confidence can result in a reduction or cessation of attacks.

Yielding Intelligence Data

In a series of "Know your Enemy" papers, Lance Spitzner [4] argues that to truly secure systems, you must know who your enemy is and what the enemy can and is likely to do. Spitzner argues that honeypots provide an excellent way to "know your enemy."

[4] Spitzner, Lance. www.enteract.com/~lspitz/honeypot.html, 2000.

Providing a Wake-Up Call to Management

The last advantage discussed here relates to educating and motivating management concerning security-related threats and their consequences. Security professionals can talk eloquently with management about the many security-related threats that are present as well as the ways these threats can be countered, but management's reaction typically is disappointing. Data and observations from use of traps and deceptive measures often provide a wake-up call to management that something is wrong and danger is imminent. Traps and deceptive measures provide data that management generally finds more real and believable than something more abstract such as the results of a risk analysis.

Limitations

Most traps and deceptive measures also have several inherent limitations, which are presented in the following sections.

Effort and Resources Required

Only the very naïve believe that you can set up a trap or other deceptive measure and then leave it alone until you are ready to harvest the results. These measures almost invariably necessitate closer monitoring, and greater attention to aspects such as where within a network they are placed, than normal systems. At the very minimum, the value of the information that these measures provide is generally very fleeting. Failing to promptly harvest this information is likely to render the information of little value. As will be discussed shortly, traps and deceptive measures need to be dynamic in nature to be credible, which generally requires a greater level of effort to implement. Additionally, any host on which traps or other deceptive measures are placed is a potential target of attack.

Difficulty of Creating Traps and Deceptive Measures with Sufficient Credibility

The problem of creating traps and deceptive measures that will genuinely fool attackers is one of the greatest obstacles to their deployment. Many attackers have years of experience and can see right through poorly designed or poorly implemented traps and deceptive measures. The sophistication of these implementations is extremely variable. More sophisticated implementations are more complete in every detail, have better logging, are fundamentally more secure [5] against attacks (and subversion attempts), and so forth. Less sophisticated implementations are laughable even to novice attackers. One of the potential advantages of buying commercial software to trap and deceive attackers is that such software is usually considerably higher in credibility.

[5] In fact, one of the chief characteristics of a good trap/deceptive measure is greater ability to resist attempts to attack and/or subvert the measure.

The "Boomerang Factor"

Any computing platform on which some kind of trap or deceptive measure is implemented is a potential target of attack. An attacker does not need to be able to determine whether or not a particular system runs deceptive services to be able to compromise that system's security and then launch attacks on other systems. For example, an attacker might want to use a host that runs deception services to initiate vulnerability scans, to serve as a warez server, or to launch attacks on other systems. If the host that runs deception services is within an organization's internal network and an attacker compromises that host's security, the attacker is now in a prime position to compromise other hosts within that network.

Case Study: A Honeypot Backfires on a Security Firm

According to www.theregister.co.uk, a New Zealand security company's use of a honeypot backfired on it. The company deployed a honeypot to monitor attacker activity but did little more than set up a poorly protected web server with no real data among its other web servers. A well-known cracker discovered that FrontPage had not been completely deinstalled from the honeypot web server and then exploited a vulnerability in a FrontPage extension to deface the web server. He then used access to the honeypot to gain access to critical systems deployed by the company. To add insult to injury, another attacker accessed and defaced the honeypot web server sometime afterward.

Someone from the company later admitted that the honeypot should have been connected to a separate network segment from which access to other systems should not have been possible. He also prescribed better monitoring efforts as well as suitable policies and procedures concerning the use of honeypots.
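An added example (not from the book or the case it describes) of checking the isolation the company said it lacked: a small first-match evaluator of egress rules from a honeypot segment, run against a weak policy that lets the honeypot reach anything and a hardened one that allows only syslog to the log collector and denies the rest of the internal address space. The address plan, rule format and port list are constructed assumptions.

```python
# Added example (not from the book): verify that an attacker who owns a
# honeypot cannot use it as a springboard into the internal network. Rules are
# (action, src_net, dst_net, port-or-None), evaluated first-match; all values
# below are constructed for the demo.
from ipaddress import ip_address, ip_network

HONEYPOT_NET = ip_network("10.9.0.0/24")                 # dedicated decoy segment
INTERNAL_NETS = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]
LOG_COLLECTOR = ip_address("10.1.5.20")                  # where decoy logs are sent

WEAK_RULES = [
    ("allow", "10.9.0.0/24", "0.0.0.0/0", None),  # decoy may reach anything
]
HARDENED_RULES = [
    ("allow", "10.9.0.0/24", "10.1.5.20/32", 514),  # syslog to the collector only
    ("deny",  "10.9.0.0/24", "10.0.0.0/8", None),   # nothing else inside the org
    ("allow", "10.9.0.0/24", "0.0.0.0/0", None),    # decoy still looks connected
]

def decide(rules, src, dst, port):
    """First-match rule evaluation; default deny when nothing matches."""
    for action, s, d, p in rules:
        if (ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                and (p is None or p == port)):
            return action
    return "deny"

def exposed_paths(rules, probe_ports=(22, 80, 445, 514, 3389)):
    """Return (dst, port) pairs a compromised decoy could reach inside.
    Probes one representative host per internal net plus the log collector."""
    src = str(HONEYPOT_NET[10])
    targets = [str(n[10]) for n in INTERNAL_NETS] + [str(LOG_COLLECTOR)]
    return [(dst, port) for dst in targets for port in probe_ports
            if decide(rules, src, dst, port) == "allow"]

if __name__ == "__main__":
    print("weak policy exposes:", exposed_paths(WEAK_RULES))
    print("hardened policy exposes:", exposed_paths(HARDENED_RULES))
```

With the weak policy every probed internal host and port is reachable from the decoy; with the hardened policy only the single syslog path to the collector remains, which is the one dependency on an internal host that the decoy actually needs.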

Difficulty in Integrating into the Overall Computing and Networking Environment

Integrating traps and deceptive measures into mainstream computing and networking environments is still another potentially significant challenge. In most organizations, achieving operational continuity is one of the highest goals. Bogus services and servers can be disruptive, however. A bogus server designed to "draw fire," for example, can be the target of many simultaneous DoS attacks, which can overload the network. Bogus servers that send logs and other data to other hosts can potentially flood those hosts with data during times of intense activity. Furthermore, IP addresses must be allocated to bogus servers, but IP address space within an organization's network(s) might be scarce. Finally, users who stumble onto traps and deceptive measures and attempt to access or use them might not only experience work disruptions, they might also overwhelm help desk personnel with questions or requests for assistance. They might even become suspects in an investigation, a potential witch hunt with many negative consequences!



Source: Incident Response: A Strategic Guide to Handling System and Network Security Breaches (2002), ISBN 1578702569.
