(ISC)² CISSP® Official Study Guide, Eighth Edition



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Honeypots/Honeynets

Honeypots are individual computers created as a trap for intruders. A honeynet is two or more networked honeypots used together to simulate a network. They look and act like legitimate systems, but they do not host data of any real value for an attacker. Administrators often configure honeypots with vulnerabilities to tempt intruders into attacking them. They may be unpatched or have security vulnerabilities that administrators purposely leave open. The goal is to grab the attention of intruders and keep the intruders away from the legitimate network that is hosting valuable resources. Legitimate users wouldn’t access the honeypot, so any access to a honeypot is most likely an unauthorized intruder.

In addition to keeping the attacker away from a production environment, the honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. The longer the attacker spends with the honeypot, the more time an administrator has to investigate the attack and potentially identify the intruder. Some security professionals, such as those engaged in security research, consider honeypots to be effective countermeasures against zero-day exploits because they can observe the attacker’s actions.
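
Because legitimate users have no reason to touch a honeypot, a detection rule can treat every connection to a decoy address as an alert and then gather what the same source did elsewhere. The following is an added example, not taken from the study guide; the log format, the decoy range and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed decoy range; no legitimate user has a reason to connect to it.
HONEYNET = ipaddress.ip_network("192.0.2.0/28")

# Constructed sample flow records: "timestamp src dst dst_port"
SAMPLE_LOG = """\
2024-05-01T10:00:02Z 198.51.100.7 203.0.113.10 443
2024-05-01T10:00:09Z 198.51.100.7 192.0.2.5 22
2024-05-01T10:00:11Z 198.51.100.23 203.0.113.10 443
2024-05-01T10:00:15Z 198.51.100.7 192.0.2.6 445
malformed line
2024-05-01T10:01:40Z 198.51.100.7 203.0.113.20 3389
"""

def parse(log):
    """Yield (timestamp, src, dst, port), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            continue

def honeypot_report(log, honeynet=HONEYNET):
    """Flag every source that touched a decoy and list its other activity."""
    flows = list(parse(log))
    # Any contact with a decoy marks the source as suspect; no threshold needed.
    suspects = {src for _, src, dst, _ in flows if dst in honeynet}
    report = defaultdict(lambda: {"first_decoy_contact": None,
                                  "decoy_hits": [], "production_hits": []})
    for ts, src, dst, port in flows:
        if src not in suspects:
            continue
        entry = report[str(src)]
        if dst in honeynet:
            entry["first_decoy_contact"] = entry["first_decoy_contact"] or ts
            entry["decoy_hits"].append((str(dst), port))
        else:
            # Same source reaching real hosts: the part responders triage first.
            entry["production_hits"].append((str(dst), port))
    return dict(report)

if __name__ == "__main__":
    for src, info in honeypot_report(SAMPLE_LOG).items():
        print(src, info)
```

The production hits listed for a flagged source include connections made before its first decoy contact, which is often where the investigation starts.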

Often, administrators host honeypots and honeynets on virtual systems. These are much simpler to re-create after an attack. For example, administrators can configure the honeypot and then take a snapshot of a honeypot virtual machine. If an attacker modifies the environment, administrators can revert the machine to the state it was in when they took the snapshot. When using virtual machines (VMs), administrators should monitor the honeypot or honeynet closely. Attackers can often detect when they are within a VM and may attempt a VM escape attack to break out of the VM.

The use of honeypots raises the issue of enticement versus entrapment. An organization can legally use a honeypot as an enticement device if the intruder discovers it through no outward efforts of the honeypot owner. Placing a system on the internet with open security vulnerabilities and active services with known exploits is enticement. Enticed attackers make their own decisions to perform illegal or unauthorized actions. Entrapment, which is illegal, occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion. In other words, it is entrapment when you trick or encourage someone into performing an illegal or unauthorized action. Laws vary in different countries, so it’s important to understand local laws related to enticement and entrapment.

Chapter 17: Preventing and Responding to Incidents
