Threefold increase in Honeynet attacks
1 April 2005
The Irish Honeynet (www.honeynet.ie) was the target of a record 1,044 attacks in May 2003. Month by month, since the Irish Honeynet’s inception in April 2002, we have seen the attacks rise. They have increased almost threefold in the year gone by. Unsurprisingly, the same attacks are being used over and over again.
The Irish Honeynet, set up by Espion, Deloitte & Touche and Data Electronics, operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.
The United States accounted for 23 per cent of the attacks, still the largest source country for illicit activity on the Honeynet. Asia continues to be one of the main sources of attacks. Particularly active are countries such as China, South Korea, Japan, and Taiwan, which combine to make up 34 per cent of the total in May.
After a year of observing blackhat activity on the Irish Honeynet, it is clear that many of the attacks can be easily avoided by the appropriate use of firewalls and gateway filtering devices. An examination of the statistics for this month reveals that a huge proportion of the attacks are against ports and services that most companies have typically closed off from the Internet, using a firewall. Irrespective of your size or business, Internet addresses are continually being probed. A failure to implement appropriate security at your perimeter will leave you compromised. A successful attack will cost money and significant downtime, as well as potentially cause damage to your organisation’s reputation.
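The monthly figures quoted above (attacks per source country, the share from a region, the proportion aimed at ports a firewall should close) are the sort of thing a honeynet operator derives from sensor logs. The script below is an added example, not code from the Irish Honeynet project: it assumes a simple one-connection-per-line log format invented here (timestamp, source address, ISO country code, destination port, protocol), uses constructed sample lines rather than real Honeynet data, and treats a small assumed allowlist of intentionally exposed services as the perimeter policy.

```python
"""Summarise honeynet sensor logs into the kind of monthly figures the column reports.

Added example; not code from the Irish Honeynet project.  The log format
(one connection per line: timestamp, source IP, ISO country code,
destination port, protocol) is an assumption made for this example.
"""
from collections import Counter

# Constructed sample log lines, not real Honeynet data.
SAMPLE_LOG = """\
2003-05-02T01:14:09Z 198.51.100.7 US 445 tcp
2003-05-02T01:15:31Z 203.0.113.9 CN 135 tcp
2003-05-02T02:40:12Z 203.0.113.42 KR 1434 udp
2003-05-03T04:02:55Z 198.51.100.21 US 80 tcp
2003-05-03T05:11:40Z 192.0.2.77 TW 139 tcp
2003-05-04T06:30:18Z 203.0.113.9 CN 445 tcp
2003-05-04T09:45:02Z 192.0.2.3 JP 21 tcp
2003-05-05T11:20:47Z 198.51.100.8 DE 22 tcp
2003-05-05T12:01:33Z 203.0.113.55 KR 80 tcp
2003-05-06T13:09:10Z 192.0.2.14 US 1433 tcp
"""

# Services a typical organisation deliberately exposes at its perimeter.
# Anything else reaching the sensor would have been dropped by a
# default-deny firewall.  Assumed policy for this example, not from the article.
EXPOSED_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 25)}


def parse_log(text):
    """Parse the assumed log format; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, country, port, proto = line.split()
        records.append({"ts": ts, "src": src, "country": country,
                        "port": int(port), "proto": proto})
    return records


def share_by_country(records):
    """Percentage of attacks per source country, rounded to whole numbers."""
    counts = Counter(r["country"] for r in records)
    total = len(records)
    return {c: round(100 * n / total) for c, n in counts.items()}


def region_share(records, countries):
    """Combined percentage for a set of countries (e.g. the Asian sources)."""
    hits = sum(1 for r in records if r["country"] in countries)
    return round(100 * hits / len(records))


def firewall_preventable(records, exposed=EXPOSED_PORTS):
    """Fraction of attacks aimed at a port/protocol a default-deny firewall would block."""
    blocked = sum(1 for r in records if (r["proto"], r["port"]) not in exposed)
    return blocked / len(records)


def top_ports(records, n=3):
    """Most-targeted (protocol, port) pairs; ties keep first-seen order."""
    return Counter((r["proto"], r["port"]) for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("attacks:", len(recs))
    print("by country (%):", share_by_country(recs))
    print("Asia combined (%):", region_share(recs, {"CN", "KR", "JP", "TW"}))
    print("blockable by default-deny firewall:",
          f"{firewall_preventable(recs):.0%}")
    print("top ports:", top_ports(recs))
```

Run against a real sensor export you would replace `SAMPLE_LOG` with the file contents and adjust `parse_log` to the sensor's actual format; the useful number for the argument in the text is `firewall_preventable`, which shows how much of the observed traffic never needed to reach a host at all.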
Invariably, larger companies tend to be well protected, particularly at their perimeter. Smaller companies that have neglected to invest in these technologies, or that haven’t configured them properly, are extremely vulnerable to attack and compromise.
A default installation of a Windows system that has been left on the Internet unprotected will be discovered by the blackhats in a matter of hours. The blackhats are extremely proficient at scanning and discovering vulnerable systems on the Internet very quickly. To put this in perspective, it is feasible for an individual to scan every single Internet connected computer in Ireland in a 12-hour period.
Extension of the WAN
Traditionally, many organisations took comfort from the fact that their networks did not extend beyond known limits, such as their LAN or WAN, and often, beyond their four walls. Modern work practices are changing, and more and more workers are availing of opportunities to telework, or they are regularly connecting to home networks from customer or supplier sites. This has greatly extended the bounds of the network. Use of a corporate laptop on unauthorised networks (such as a home ISP account) now poses a more significant threat to organisations than many realise.
More often than not, the laptop will have little or no protection beyond simple anti-virus software. Such an unprotected computer on the Internet could be easily discovered and compromised. A network sniffer could be installed onto a laptop in the field, so when the machine is again connected to the corporate network, all data traversing the network could be captured and emailed outside the organisation.
Similarly, in the event of a risk as simple as the laptop being stolen, if the controls on the machine are inadequate, access could be gained to an array of documents, databases and other intellectual property.
The network perimeter is no longer as clear-cut as it may have been in the past. Remote offices, travelling workers and teleworkers are all risks that must be effectively managed. Many organisations have policies that forbid their employees from using a corporate laptop for personal use, such as web browsing from home through a private ISP account, but how is this enforced and monitored? A policy is merely a written document. It must be effectively enforced to guarantee its success, and actively monitored to ensure compliance. The Honeynet statistics reveal that there are myriad different ways to gain unauthorised access to a computer system. Often, and unfortunately, the teleworker’s computer is vulnerable to them all!
Future Development of the Honeynet
The next step of the Irish Honeynet Project, due to be initiated in July, is to sweeten the honeypots somewhat by building an FTP server that permits anonymous users to upload files. This is a common misconfiguration found in many Irish networks and it is our goal to attempt to assess the potential risks and problems that result from inadvertently allowing this kind of activity. We can expect malicious blackhats to attempt to store anything from their personal music files to illegally ‘cracked’ software packages to pornography. We will report back on this next month.
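The misconfiguration the next phase will study, an FTP server that lets anonymous users write to it, is usually a handful of directives in the daemon's configuration file. The audit script below is an added example and not code from the Irish Honeynet project: it uses vsftpd directive names (`anonymous_enable`, `write_enable`, `anon_upload_enable`, `anon_mkdir_write_enable`), assumes the defaults documented in the vsftpd manual page (check them against your installed version), and works on two constructed configuration snippets, one carrying the weak setting and one hardened.

```python
"""Check an FTP daemon configuration for anonymous upload (added example).

Not code from the Irish Honeynet project.  Directive names are vsftpd's;
the defaults assumed in DEFAULTS follow the vsftpd manual page and should
be verified against the installed version.
"""

# Assumed vsftpd defaults for the directives that decide anonymous write access.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}

# Constructed configs: the misconfiguration the column describes, and a hardened one.
WEAK_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

HARDENED_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable")


def explicit_keys(text):
    """Directive names that the file sets explicitly (comments ignored)."""
    keys = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].strip())
    return keys


def parse_conf(text):
    """key=value lines over the assumed defaults; later lines override earlier ones."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().upper()
    return conf


def allows_anonymous_upload(conf):
    """True when anonymous login, global write and an anonymous write right are all on."""
    if conf["anonymous_enable"] != "YES" or conf["write_enable"] != "YES":
        return False
    return any(conf[k] == "YES" for k in WRITE_KEYS)


def audit(text):
    """Return a list of findings; an empty list means no anonymous write path."""
    conf = parse_conf(text)
    findings = []
    if "anonymous_enable" not in explicit_keys(text) and conf["anonymous_enable"] == "YES":
        findings.append("anonymous_enable not set; assumed default YES leaves anonymous login on")
    if allows_anonymous_upload(conf):
        findings.append("anonymous users can upload: anonymous_enable, write_enable and "
                        "anon_upload_enable/anon_mkdir_write_enable are all YES")
    return findings


def harden(text):
    """Return the config with both anonymous write directives forced to NO.

    Read-only anonymous access is left as configured; only upload and
    directory creation are removed.
    """
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key in WRITE_KEYS:
            out.append(f"{key}=NO")
            seen.add(key)
        else:
            out.append(raw)
    for key in WRITE_KEYS:
        if key not in seen:
            out.append(f"{key}=NO")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
    print("weak after harden():", audit(harden(WEAK_CONF)))
```

The check on an absent `anonymous_enable` is the one worth keeping in mind: a file that never mentions anonymous access can still permit it under the assumed default, so an audit has to evaluate defaults rather than only the lines present.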
Later, we intend to build a transactional system that looks like an electronic commerce site. The intent is to make the honeypot irresistible to the more skilled hackers who are looking to steal credit card numbers rather than just vandalise Web sites.
If there are any specific configurations or scenarios that readers would like to test on the Honeynet, please send an email to firstname.lastname@example.org or email@example.com and we will do our best to implement them over the coming months.