In War Against Cyberspace Intruders, Knowledge Is Power
By Bruce Schneier
June 18, 2001
In warfare, information is power. The better you understand your enemy, the more able you are to defeat him.
In the war against malicious hackers, network intruders and the other black-hat denizens of cyberspace, the good guys have surprisingly little information. Most security experts-even those who design products to protect against attacks-are ignorant of the tools, tactics and motivations of the enemy.
The Honeynet Project, a group of 30 researchers from academia and the commercial sector, is trying to change that. The group obtains information through the use of a Honeynet-a computer network on the Internet that's designed to be compromised. The network is made up of various production systems complete with sensors as well as a suitably enticing name and content. (The actual IP address changes regularly and isn't published.) Hackers' actions are recorded as they happen: how the culprits try to break in, when they're successful and what they do when they succeed.
The results are fascinating: A random computer on the Internet is scanned dozens of times a day. The life expectancy, or the time before someone successfully hacks a default installation of a Red Hat 6.2 server, is less than 72 hours. Systems are subjected to NetBIOS scans an average of 17 times a day. A common home user setup-file sharing-enabled and equipped with Windows 98-was hacked five times in four days. And the fastest time for a server being hacked was 15 minutes after being plugged into the network.
The moral is that there's a staggering number of people out there trying to break into your computer network, and that the intruders succeed surprisingly often. Network administrators who don't take drastic measures to protect themselves are toast.
The Honeynet Project is more than a decoy network of computers; it's an ongoing research project into the modus operandi of predatory hackers. The project currently has several Honeynets in operation. Want to try this on your own network? Recourse Technologies sells a commercial version called Mantrap, and others that emulate what the Honeynet Project is doing are under development. Called "honeypots," they can be installed on an organization's network as a decoy. In theory, hackers find the honeypot and waste their time with it, leaving the real network alone.
This acts as a network alarm. If you're monitoring your alarms 24x7, a honeypot can buy you valuable time to respond to attacks as they happen. The professional attackers will probably avoid the honeypot, but most real-world attackers are amateurs. The key is real- time monitoring; looking at the log files a week after the fact isn't much use.
For this reason, I'm not sold on this as a commercial product. Honeynets and honeypots need to be tended; they're not the kind of product you can expect to work out of the box. Commercial honeypots only mimic an operating system or computer network; they're hard to install correctly and much easier to detect than the Honeynet Project's creations. And the security they buy you is incremental.
If you want to learn about hackers and how they work, by all means buy a honeypot and take the time to use it properly. But if you just want to protect your own network, you'll generally be better off spending your time on other things.
The Honeynet Project, on the other hand, is pure research. The information it produces is invaluable, and there's no other practical way to get it.
When an airplane falls out of the sky, everyone knows about it. When a network is hacked, however, it almost always remains a secret.
The victim usually has no idea he's been hacked. If he does know, there's enormous market pressure on him not to go public with the fact. If he does go public, he almost never releases detailed information about the hacking incident.
This paucity of real information makes it much harder to design good security products. The Honeynet Project team is working to change that.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..