I've never been a firm supporter of Honey Pots. Why? Well first off they have in the past been cumbersome and take a lot of time and energy to monitor. The intruders caught in a Honey Pot are often "Script Kiddies" and what is learned from them is commonly already known. On rare occasions Honey Pots capture a new set of attacks and are then quite worthwhile. The following example is one such occasion.

Some of my thinking on Honey Pots has changed, and also my thinking on the worth in the information  age of a network of Honey Pots.

First off I should back up and explain what we are talking about when we say Honey Pot. A Honey Pot was first explained to me by a  couple of very good papers by a couple of icons in computer security Cliff Stoll and the "Cookoo's Egg", and Steve Bellovin and Bill Cheswick's "An Evening with Berferd." Both instances used jail type technology to capture an intruders sessions and monitor in detail what the intruder was up to. The term "honey pot" came later, but the same intent applies. Setting up a system or systems that seem attractive to network intruders, but is also capable of monitoring to a fine degree what is going on such that you can identify the problem and be reasonably sure you know how the intruder(s) got in and what they are up to.

Lance Spitzner's honey pot started out as a learning exercise designed to get a feel for what the 'enemy', in this case network intruders, were up to and to learn from this exercise a set of defenses that would keep networks and systems secure from this type of intrusion. Security is not something you buy. It is not a product (no matter what vendors try to tell you.) Security is something you -live-. I often compare it to martial arts training. Just because you have achieved a black belt doesn't mean you stop training; on the contrary you have learned from your training that it takes discipline, attitude, philosophy and the willingness to continue this training from this point forward, constantly tuning your art forever. Just because you have bought a security product or three doesn't mean you are safe.

The journey must continue.

Okay enough soap boxing, back to honey pots and the twists that they can take.

What was discovered by Lance and his honeynet project was that coordinated attacks _are_ occurring. The theft of credit card numbers isn't the end, its just a means to an end. Credit card capture is only a way for the attackers to launder money and get other victims to help finance their ultimate goals. Whatever those may be. The most alarming point is that credit cards are now being used to register domain names and to finance additional criminal activity. The fact that what the honey pot has captured indicates coordinated (dare I say it?) espionage from foreign groups.

The threat is real, this is only one instance, but to date, over 130 sites have had to be notified of them being compromised. These sites are in many different geographic locations world wide.  The, as yet untapped use of honeynets is only now becoming evident. One honey pot captures a pretty far reaching set of criminal activity. Now what would happen if there were 50 or even 500 honey pot systems out there? Would the intruders know if the system they were using as a launching point to attack other sites was just a lame site or was it a honey pot?

I used to think that it was the 'low hanging fruit' that the script kiddies broke into. Unfortunately the Internet today is more like a walk through a vineyard with the attackers stopping here and there to pick a grape or a bunch of grapes at their leisure. The feast is seemingly never ending. This has got to stop! I would like for us to move forward to a real e-commerce Internet society. Take this as a single example of the battle that currently rages in cyberspace, and think how you can be a part of the solution instead of one of the many victims.

Brad Powell, Sun Microsystems GESS Global Security Team