With the help of Deepak Narain and Thomas Huber, I now appreciate them more.
The session began with the definition of a honeypot: a system used to attract the bad guys and to record everything they do; moreover, it can be used to distract them from the real production environment.
How can we build a honeypot?
- Decoy system: expose it on the Internet, offering services
- Expose vulnerabilities to the bad guys
- Monitor your box, which must look and behave like a normal, well designed production system
Honeypots can be classified into two types:
- low interaction (or no interaction): based on emulation of services
- high interaction: the bad guys get full access to the OS and can fully "play around" with the system
Using virtualization to build a honeypot is better because:
- you can consolidate a lot of decoy systems on a single physical machine
- VMs are self contained
- ease of provisioning
- improved response to an attack (just unplug the network and you are done!)
- quickly reconfigurable and redeployable
Unfortunately, the bad guys like those features too.
Why have a honeypot?
- We can learn from outside attacks and remediate in the real production environment.
- We can lure attacks away from real production.
- We can detect attacks quickly: normally there should not be any traffic towards the honeypot, so all traffic to it is hostile.
- We can collect evidence: once an attacker is identified, the evidence can be used legally.
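The detection point above ("all traffic to the honeypot is hostile") and the "learn and remediate in production" point, as an added example that is not part of the session or of any honeypot project: a small Python script that runs over constructed firewall-style connection logs, flags every source that touched a decoy address (except the monitoring host that collects from the decoys), and then pivots to show which production hosts those sources also contacted. The decoy addresses, the monitoring host, and the log format are assumptions made up for the example.

```python
"""Honeypot contact as a detection signal, over constructed sample logs."""
from collections import defaultdict

# Assumed decoy addresses: nothing legitimate should ever be routed here.
HONEYPOT_HOSTS = {"10.0.5.10", "10.0.5.11"}
# Assumed collector box that is allowed to talk to the decoys (e.g. pulling logs).
MONITORING_HOSTS = {"10.0.1.2"}

# Constructed connection log lines: timestamp src dst dport proto
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 10.0.5.10 22 tcp
2024-03-01T10:00:02 203.0.113.7 10.0.5.10 80 tcp
2024-03-01T10:00:03 203.0.113.7 10.0.5.11 445 tcp
2024-03-01T10:00:04 10.0.1.2 10.0.5.10 514 udp
2024-03-01T10:00:05 198.51.100.9 10.0.2.20 443 tcp
2024-03-01T10:00:06 198.51.100.9 10.0.5.11 3389 tcp
"""


def parse_log(log_text):
    """Yield one dict per non-empty log line."""
    for raw in log_text.splitlines():
        if raw.strip():
            ts, src, dst, dport, proto = raw.split()
            yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def honeypot_alerts(log_text):
    """Every source that contacted a decoy (minus the collector) is an alert.
    Returns {src: {"first_seen", "decoys", "ports"}}; several decoys or ports
    from one source already tells the analyst it is probing, not mistyping."""
    hits = defaultdict(lambda: {"first_seen": None, "decoys": set(), "ports": set()})
    for rec in parse_log(log_text):
        if rec["dst"] not in HONEYPOT_HOSTS or rec["src"] in MONITORING_HOSTS:
            continue
        entry = hits[rec["src"]]
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        entry["decoys"].add(rec["dst"])
        entry["ports"].add(rec["dport"])
    return {src: {"first_seen": e["first_seen"], "decoys": sorted(e["decoys"]),
                  "ports": sorted(e["ports"])} for src, e in hits.items()}


def production_contacts(log_text, alerts):
    """Pivot: which non-decoy hosts did the flagged sources also touch?
    Those are the production systems to check and remediate first."""
    touched = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["src"] in alerts and rec["dst"] not in HONEYPOT_HOSTS:
            touched[rec["src"]].add(rec["dst"])
    return {src: sorted(hosts) for src, hosts in touched.items()}
```

Running `production_contacts(SAMPLE_LOG, honeypot_alerts(SAMPLE_LOG))` on the sample shows that 198.51.100.9 reached a production host before hitting the decoy, which is exactly the early-warning case the session describes.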
Some projects are spreading around the world; the honeyd project is one of them.