Master-thesis
Honeypots are a well-known method of gaining new, previously unknown information about attackers and visibility into their attacks. There are derived products, e.g. honeynets and honeytokens, which are collectively referred to here as honey systems. All these systems have in common that their whole purpose is to be attacked while leaving the attacker unaware that he is communicating with a honey system. Honey systems emulate services and pretend to be real services in order to lure an attacker into communicating with them, and thereby to learn about (new) attack methods.

Honeypots are single hosts or services that lure attackers. Honeynets are multiple honeypots in a network. These networks can be purely fictitious, or they can clone production networks to be more authentic. Honeywalls are the border gateways, filtering traffic like firewalls and routing it either to the production network or to the honeynet. Honeytokens are a little different, as they have no computing power of their own. They are just data in the form of files, entries within files or database entries. Honeytokens can signal an intrusion that has already happened when several entries in files are found outside of company data (e.g. a fictitious JFK entry in hospital files).

As honey systems work best if the attacker spends a lot of time with the system, it is necessary to emulate a service well and to disguise a honey system as well as possible. However, attackers are aware of the possible existence of honey systems. They do not want to waste their time on a non-profitable service, and they do not want their techniques to be revealed, which is why multiple honey system detection techniques have been developed, which in turn lead to newer techniques for honey systems to better avoid detection.

As already mentioned, a lot of papers have been published regarding honey systems, including on hiding them. Research on how to implement them in a concrete environment, however, has still never been published, for obvious reasons. The only relevant publication dates to the year 2003 and is therefore highly outdated. Companies publishing such a paper would probably compromise their own concept for implementing these features.

This concept could increase security against insider intrusion and espionage. The results can shift paradigms, as organisations can really focus on finding rogue personnel, since “Only attackers access a honeypot; normal users have no intention of using it”. This means lower surveillance costs for the organisation and more privacy for employees. As honey systems are not used by normal users but only by attackers, no privacy concerns arise.

Honey systems primarily address strangers, i.e. attackers from outside the company. These can cause severe damage to a company, but insiders have a better picture of the company and of how to disguise security patterns. Honey systems are not publicly used as monitoring systems to protect against internal attacks. As insiders usually know the company structure, it is difficult to implement a shadow system that only selected personnel know about. A shadow system can furthermore attract the attention of an inside intruder, which makes honey systems valuable, as they only address attackers.

The research questions therefore are: How can a honey system be hidden from insiders? Which honey systems can be hidden from insiders? From which staff can a honey system be hidden? Does it make sense to hide a honey system from insiders? The hypothesis is that all honey systems can be hidden from all staff in a company, except those in charge of them. The approach to answering these questions is to actually install a honeypot in a company and try to circumvent all staff. When it is disclosed, the staff member concerned will be introduced to the matter and the error will be documented. Staff will be divided into groups according to their knowledge of the (IT) infrastructure and observed separately to see if and when they detect the honeypot.

To achieve a good result, the whole deployment process of a honey system probably needs to change. As these honey systems do not target outside attackers but insiders, several further questions about the process arise. These challenges will appear during the research and need to be solved during the project, which makes the problem complex and difficult. This work creates an evaluation of the staff groups and assets to provide knowledge about their involvement in such a project. It also presents an experiment on how the formulated hypotheses apply to real-world organisations, and answers the questions of how to hide which honey system from whom and whether it makes sense to do so.
@mastersthesis{lackner2021honeypots,
  title={Hide the honey from the bees - an approach to hide honey systems to insiders},
  author={Paul Lackner},
  school={UAS St. Pölten},
  year={2021}
}
Published: 2021-06-29