Reverse Deception: Organized Cyber Threat Counter-Exploitation (79 page)

BOOK: Reverse Deception: Organized Cyber Threat Counter-Exploitation

5.69Mb size Format: txt, pdf, ePub

Read Book Download Book

ads

Reduction of false positives

Ability to identify and learn new attacker tools and techniques

Ability to attribute new attacker activity to particular broader problem sets

The following sections briefly discuss the primary two types of honeynets and their advantages and disadvantages.

Research-Based Honeynets

Research-based honeynets are typically found in research institutes of academia or as nonrequirement-driven research projects for personnel within organizations as an educational tool. This type of honeynet is typically not managed regularly or held to any specific overall set of defined standards or reporting requirements. Due to the nature of research-driven honeynets, their goals are generally project or interest based. Research honeynets will generally not be used as an operational test bed unless you have finished reading this book and are planning on researching our recommended best practices, tools, and tactics we have passed onto you through this book.

Research-based honeypots are primarily used for the following purposes:

Learn what the bad guys are doing

Study their methods

Capture their keystrokes

Capture their tools

Monitor their conversations

Maintaining individual research-based systems requires a lot of work.

Generation II honeynets were originally designed to suit research-based honeynet deployments. This was the second generation of honeynet technologies developed through the Honeynet Project. More important to note is that most of the organizations that donated resources to development of the GenII were computer science and security research groups within organizations or universities.

Production-Based Honeynets

Production-based honeynets are typically found in larger organizations or government entities that have definitive requirements for network defense, intelligence, or counterintelligence requirements. This type of honeynet is generally developed with a full development plan and reporting requirements. It is based on a strict configuration management plan in order to get the most out of the operational investment.

Production-based honeynets increase the capability of monitoring and analysis for a large enterprise or production network. The following are some of the primary goals of a production honeynet: