Friday, March 30, 2007

Honeynets with a twist

I've been running a honeynet for about 4 years now, and in the past 6 months I've seen a dramatic shift in attacks. There are probably many people who would argue this, but the age of automatically spreading malware seems to have passed. Before someone jumps down my throat, let me explain. There will always be the vulnerability that is wormable, but with some of the protective measures being implemented by default now, a lot of this is mitigated. When was the last big global worm? There will always be the exploits that the kidiots download and run, but seeing the same thing over and over again gets old fast when it's not a real situation.

For a time, I was fighting off FXP groups (which was very amusing, actually), people loading up rootkits, etc., but that seems to have dropped off. I think we're experiencing, and have experienced, a dramatic shift away from the automated kits that so plagued us for the past few years. The focus has become the user, and their gullibility. There are some great honeynet tools out there now to go out and search websites, but needless to say, my honeynet has gone dormant for the time being.

That said, I've been considering modifying my honeynet to facilitate forensics and incident response, and not just for my own use. I haven't quite fleshed this idea out, but I'm wondering if it would even be considered useful by others.

We have hacking labs online for the public; why not forensics and incident response labs?
Imagine a network that was randomly infected with malware and compromises, and you had access to it, not only to check it out but to actually test your response procedures and skills. Essentially what I'm saying is: take The Hacker's Challenge and make it a live situation. As I said, I haven't fully fleshed this idea out, but would it be useful and interesting, or just a waste of time?



Jeff said...

I love that idea. I would be one visiting the "lab" on a daily basis.

hogfly said...

What would you see as being useful in a lab like this? VMware images? Live systems?