Honeypot to Determine if Dictionary, Brute Force

Honeypot to Determine if Dictionary, Brute force and Hybrid Attacks Are Still in Use Today

Using a Honeypot to Determine if Dictionary, Brute force and Hybrid Attacks are Still Threats to it Security Today

The purpose of the proposed study is to use a honeypot as described further below to determine if Dictionary, Brute force and Hybrid attacks are still in use nowadays or if they do not exist anymore. The proposed study is important for a number of reasons. According to Wible (2003), "While the Internet has revolutionized communication and commerce, it has also created the conditions for a type of crime that can be committed anonymously, from anywhere in the world, and with consequences that are unprecedented in scope" (p. 1577). While many of the attacks on legitimate computer systems are not malicious in nature, the literature will show that computer crimes are on the increase and the techniques being used by computer criminals are likewise becoming increasingly sophisticated. In this regard, Wible emphasizes that, "Many of the policies used to deter computer crime have proved ineffective. Despite criminal penalties and regulation through code itself, hackers continue to intrude into private networks with impunity. At the same time, the social response to computer crime remains embryonic" (p. 1577).

Based on the inability of traditional law enforcement methods to resolve such criminal activities, computer crime therefore demands a new approach to deterrence. For instance, in their recent essay, "The Law and Economics of Software Security," Hahn and Layne-Farrar (2006) report, "As the costs of software security breaches become more apparent, there has been a greater interest in developing and implementing solutions for different aspects of the problem. For example, the information technology community is prodigiously developing new fixes, ranging from gate-keeper protections to procedures for constructing more secure software" (p. 283). Among these approaches are so-called "traps and deceptive measures" that are designed to monitor and collect valuable information concerning how unscrupulous and potentially criminal elements are invading legitimate computer systems. These techniques have been shown to be highly effective in collecting relevant data concerning the types of methods typically used by hackers to accomplish these attacks, thereby providing systems analysts with the information they need to develop appropriate countermeasures in a timely fashion and these issues are discussed further below.

In this regard, Wible reports that, "Computer crime comes in many varieties, including online theft and fraud, vandalism, and politically motivated activities. Other hackers simply try to break code, seeking challenge, competition, and bragging rights. Whatever the motivation, intrusions have serious costs" (p. 1577). At a minimum, such attacks on proprietary and legitimate computer systems will require a patch for the hole in security hole and the costs spiral upwards from there. As Wible points out, "Even a nonmalicious trespass disrupts the victim's online services while the breach is fixed. Not knowing whether or not a breach was malicious, companies generally expend resources investigating the matter, often hiring private investigators so that they do not suffer reputational loss. If other hackers become aware of the site's vulnerability, a nonmalicious hack may be the precursor to more malicious attacks" (emphasis added) (p. 1578).

One of the most common computer crimes is the distributed denial of service attack. According to Brenner, "A distributed denial of service attack overloads computer servers and make[s] a computer resource [such as a website] unavailable to its intended users. Distributed denial of service attacks are increasingly used for extortion" (p. 380). Moreover, the potential of such threats may even cause some Web site managers to reevaluate the quality of their content and some may elect to refrain from placing valuable information online in ways that are detrimental to their business and the Web site users (Wible).

Such responses are likely to become even more common given that it is difficult or even impossible to distinguish the source of such computer system attacks. As Brenner (2007) emphasizes, "The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult. Given the opportunities cyberspace creates for the remote commission of attacks and attacker anonymity, it is more common than not for cybercriminals to go unidentified and unapprehended" (p. 379). In this environment, identifying improved countermeasure approaches to provide better computer system security has assumed new importance and relevance for many companies and individuals alike.

Countermeasures are developed to detect or prevent attacks - most of these measures are based on known facts, known attack patterns - as in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he uses and what he is aiming for - by knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. In order to do that, it is critical that an initiative is used that can provide information and insights concerning hackers' activities.

One of these methods is traps and deceptive measures. Traps and deceptive measures are measures that appear to be real systems, services, environments, and so forth, but they are not. In this regard, a honeypot is a good example of traps and deceptive measures that can be used to gather information concerning hackers' methods and timing, and these issues are the focus of the study envisioned herein. According to Doring and Erbs (2007), "Several Honeypot solutions have been developed since Clifford Stoll described the first use of a computer to trace an intruder. But there is no common framework of deploying Honeypots and especially no common analysis method exists. This causes Honeypot-unfamiliar operators to spend a great amount of time with learning concepts of Honeypots and even more time with interpreting results" (p. 1). Properly implemented and administered, though, honeypots are capable of improving the analysis time and value of countermeasure results, as well as providing benchmarks needed for comparing results of various security initiatives (Doring & Erbs).

Basically, a honeypot is simply a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but which is actually isolated, unprotected, and monitored, and which seems to contain information or a resource that would be of value to attackers. According to Andress (2003), "Honeypots are an attacker's dream, or at least attackers think they are. A honeypot is a server designed to lure attackers into a secure, controlled environment. You can observe the trapped attacks as they cavort around in the server, log their conversations with one another, and study them as you'd watch insects under a magnifying glass" (p. 475).

There are two types of honeypot-systems that can be used as countermeasures, as follows:

Hardware-based honeypots. Andress describes these as computer systems that have been configured with well-known holes; however, these are disabled in some fashion in order to prevent them from being exploited and used to launch further attacks into the network. As this author advises, "Most honeypots reside on the corporate demilitarized zone (DMZ); they look like normal systems and lure attackers who may otherwise focus on your Web servers. Honeypots are easy to build, but they are difficult to build securely. One wrong move and your honeypot provides easy entry into your entire network" (Andress, p. 475).

Software honeypots. This version of the honeypot countermeasure approach consists of a virtual system that acts like another server (e.g., Linux or Windows). To capture the data needed for timely analysis and avoid additional intrusive measures on the part of the hacker, Andress recommends that software honeypots should be designed to contain all activity to the honeypot only: "Because attackers are working in a purely virtual environment, there is no chance that the attacker can break out of the secure area and move about your network. Even if attackers figure out they are working in a honeypot, the program should be designed where they cannot break out of it" (Andress, p. 476).

Generally speaking, computer hackers tend to use a standard approach to their activities. The majority of computer system attacks, for example, are initiated through the use of automated scripts and they are therefore characterized by the same techniques and individual signature of the hacker (Andress). According to this author, "The script compromises a system, installs a rootkit, downloads some software, such as an Internet Relay Chat (IRC) server, and starts launching attacks on other systems. The rootkit is a suite of tools that give attackers full access to the system" (Andress, p. 476). Therefore, hardware honeypots should be configured on stand-alone, isolated systems; they should not be performing any other function on the network. In an ideal approach, a honeypot should be configured to prevent communication with other systems on a corporate network. As Andress points out, "This arrangement adds just one more layer of protection in case your honeypot system is completely compromised" (p. 476). Just as there are layers of protection involved in computer systems, there areā€¦