By Daniel, Amitsinh & Alfred
◦ Collect small data sets which are of high value
◦ All activity is assumed to be malicious
◦ Able to capture encrypted data
◦ IDS-like functionality
◦ Have the risk of being taken over and used to attack other systems in the network
◦ Need to be walled off from the legitimate system to ensure it does not give access to it
◦ Could be held liable for any damages the honeypot causes while under someone else's control
◦ Intruders may not even take the bait
◦ Still need to be able to identify an individual
◦ What if the source of the intrusion is a public network?
◦ Evidence may not necessarily be admissible in court
◦ May miss evidence, as it only records actions that interact with the honeypot itself and not traffic elsewhere on the network
◦ The FBI has used a honeypot to successfully gather evidence
Advantages
◦ Collect small data sets which are of high value
◦ Minimal resources
◦ Reduce false positives
◦ Catching false negatives
◦ Risk mitigation
◦ Attack strategies
Disadvantages
◦ Limited view
◦ Risk of being compromised
◦ Single data point
There are two types of honeypots, low-interaction and high-interaction; the main difference between them is their complexity and the degree of interaction they allow an attacker.
We recommend using a low-interaction honeypot in a networked environment.
Reasons:
◦ Do not give attackers much control
◦ Simplicity that allows easy deployment and maintenance
◦ Low risk factor, because they do not work with a real production system
◦ Capture limited amounts of information, mainly transactional data and some limited interaction
◦ Emulate a service
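The properties listed above (slide 2: every connection is treated as malicious, IDS-like alerting; slide 6: emulate a service, allow little control, capture only transactional data) are easiest to see in code. The following is an added example written for this page, not code from the presentation or from any of the cited sources. It emulates only the greeting and a couple of canned replies of an SMTP-like service, bounds the dialogue to a few commands, and records one transactional event per session. The host name `mail.honeypot.example` and the `honeypot-contact` alert label are constructed placeholders; the peer address used in the demo is from the documentation range.

```python
"""Minimal low-interaction honeypot (constructed example).

Emulates an SMTP-like greeting, answers a few commands with canned replies,
and logs each session as one transactional record. Nothing behind the
socket is a real service, so a connecting party gains no control of the host.
"""
import json
import socketserver
import threading
from datetime import datetime, timezone

BANNER = b"220 mail.honeypot.example ESMTP ready\r\n"  # hypothetical host name
MAX_COMMANDS = 5      # bound the interaction; the emulation goes no deeper
MAX_LINE = 512        # capture only a limited amount of data per line
EVENTS = []           # in-memory store standing in for the honeypot log file


def emulate(command: bytes) -> bytes:
    """Return a canned reply for one client line.

    Low interaction: the reply depends only on the command verb, nothing is
    executed, and unknown commands get a generic refusal.
    """
    verb = command[:MAX_LINE].strip().split(b" ", 1)[0].upper()
    if verb in (b"HELO", b"EHLO"):
        return b"250 mail.honeypot.example\r\n"
    if verb == b"QUIT":
        return b"221 bye\r\n"
    return b"502 command not implemented\r\n"


def make_event(peer, lines, now=None):
    """Build the transactional record for one session.

    The honeypot has no legitimate users, so every contact is an alert in
    itself (IDS-like behaviour without a false-positive filter).
    """
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "commands": [l[:MAX_LINE].decode("ascii", "replace") for l in lines],
        "alert": "honeypot-contact",   # constructed label for the SIEM/IDS rule
    }


class HoneypotHandler(socketserver.StreamRequestHandler):
    timeout = 10   # idle sessions are dropped; they still get logged

    def handle(self):
        lines = []
        try:
            self.wfile.write(BANNER)
            for _ in range(MAX_COMMANDS):
                line = self.rfile.readline(MAX_LINE + 1)
                if not line:
                    break
                line = line.rstrip(b"\r\n")
                lines.append(line)
                self.wfile.write(emulate(line))
                if line.strip().upper().startswith(b"QUIT"):
                    break
        except OSError:
            pass   # peer vanished or timed out; record what was captured
        EVENTS.append(make_event(self.client_address, lines))


def serve(host="127.0.0.1", port=0):
    """Start the honeypot in a background thread; port 0 picks a free port."""
    srv = socketserver.ThreadingTCPServer((host, port), HoneypotHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo_session():
    """Connect to a local instance like a scanner would and return the events."""
    import socket
    srv = serve()
    with socket.create_connection(srv.server_address) as s:
        s.recv(128)                                  # banner
        s.sendall(b"EHLO scanner.example\r\nQUIT\r\n")
        s.recv(128)
    srv.shutdown()
    srv.server_close()   # joins the handler thread so EVENTS is complete
    return list(EVENTS)


if __name__ == "__main__":
    for event in demo_session():
        print(json.dumps(event))
```

Run as a script it starts the honeypot on a loopback port, performs one short session against it and prints the resulting JSON record; in a deployment the record would be shipped to the IDS or SIEM and the listener bound on a segment walled off from production, as the risk slides above require.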
Lance Spitzner, 3 June 2003, Honeypots - Definitions and Value of Honeypots, viewed 22 March
Mark Rasch, 9 May 2008, Click Crime, viewed 21 March
Lance Spitzner, 17 May 2002, Honeypots - Definitions and Value of Honeypots, viewed 22 March
Lance Spitzner, 30 April 2003, Honeypots: Simple, Cost-Effective Detection, viewed 21 March
Niels Provos & Thorsten Holz, 2007, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Addison-Wesley Professional