Data Control - Page 5 - Results from #4 | LinuxSecurity.com

Advisories

Feature Articles

Need an in-depth introduction to a new security topic? Our features articles will bring up up-to-date on everything from buffer overflows to SE Linux policy development.

Discover LinuxSecurity Features

Know The Enemy: Upgrade Your Threat Detection Strategy with Honeynets - Data Control

Article Index

Know The Enemy: Upgrade Your Threat Detection Strategy with Honeynets - Data Control

Data Control 

As stated above, data control is the containment of activity. When dealing with blackhats, there is always risk that must be mitigated. It is critical to ensure that once compromised, a honeypot cannot be used to harm any system outside the Honeynet (anything inside the Honeynet is fair game). However, the challenge is to control the data flow without making blackhats suspicious. Once a system is compromised, blackhats will often require Internet connectivity, such as retrieving toolkits, setting up IRC connections, etc. We have to give them the flexibility to execute these actions, as these are the very steps we want to learn and analyze. Also, blackhats may become highly suspicious if they cannot initiate any outbound connections. We made that very same mistake with our first honeypot. We did not allow any outbound Internet connections. It took the blackhat only fifteen minutes to figure out something was wrong, wipe the system drive, and leave the network. So, the trick is to give the blackhat flexibility to execute whatever they need, but without allowing them to use the compromised system to attack others with Denial of Service attacks, system scans and other types of exploits.

Comments (0)

There are no comments posted here yet

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.