2.1 Advantages and Disadvantages
2.2 VMware
2.3 User-Mode Linux
2.4 Argos
2.5 Safeguarding Your Honeypots
2.6 Summary
High-interaction honeypots offer the adversary a full system to interact with. This means that the honeypot does not emulate any services, functionality, or base operating systems. Instead, it provides real systems and services, the same used in organizations today. Thus, the attacker can completely compromise the machine and take control of it. This allows you to learn more about the tools, tactics, and motives of the attacker and get a better understanding of the attacker community. Although these types of honeypots can give you deep insights into the routine procedures of an attacker, be warned: High-interaction honeypots can be a time-consuming yet fascinating hobby! Your personal computer can be considered a high-interaction honeypot. For example, our experience shows that an unpatched computer running Windows 2000 will be compromised within minutes.
This approach, however, has several drawbacks. After all, you do not want an attacker to have access to your private data or disrupt your work. Certainly you want to set up a machine that is dedicated for this task. Using a virtual machine has some interesting properties that we introduce in the first part of this chapter. We present the two most important options for virtual high-interaction honeypots: VMware and User-Mode Linux (UML). Besides the installation process, this chapter also explains how to run and monitor them and how to recover them when they get compromised. You will see a new approach for high-interaction honeypots called Argos, which allows you to detect new vulnerabilities that are used by attackers to compromise a system.
High-interaction honeypots have some risk. The attacker can abuse a honeypot he has compromised and start to attack other systems on the Internet. This could cause you both legal and ethical problems. Therefore, we need to safeguard the whole setup to mitigate risk. Several solutions exist to achieve this goal, and we introduce the most important ones in the second part of this chapter.
A high-interaction honeypot is a conventional computer system, such as a commercial off-the-shelf (COTS) computer, a router, or a switch. This system has no conventional task in the network and no regularly active users. Thus, it should neither have any unusual processes nor generate any network traffic besides the regular daemons or services running on the system. These assumptions aid in attack detection: Every interaction with one of our honeypots is suspicious and could point to a possibly malicious action. This absence of false positives is one of the key advantages of high-interaction honeypots compared to intrusion detection systems (IDS). To quote Rutherford D. Rogers: "We are drowning in information and starving for knowledge." This may be a common phenomenon for IDS, but not for honeypots.
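As an added illustration of this detection principle (example code, not from the book): a small scanner over netfilter-style firewall log lines that treats every inbound connection to the honeynet range as an alert, excepting a management host, and flags honeypot-originated traffic that falls outside the baseline of the regular daemons. The address ranges, the management host, the daemon baseline, and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed assumptions: honeynet range, management console, and the only
# outbound traffic the honeypot's regular daemons are expected to generate.
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/28")
ADMIN_HOSTS = {ipaddress.ip_address("203.0.113.5")}
BASELINE_OUTBOUND = {("198.51.100.1", 123, "udp"),   # NTP to the site time server
                     ("198.51.100.53", 53, "udp")}   # DNS to the site resolver

# Fields of a netfilter LOG line that matter here; other fields are skipped.
# Lines without a DPT (e.g. ICMP) are not matched and are ignored.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\w+).*?DPT=(\d+)")

Alert = namedtuple("Alert", "direction src dst dport proto line")

def classify(line):
    """Return an Alert if the line shows a suspicious honeypot interaction, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip in HONEYPOT_NET:
        # Nobody but the administrator has any business talking to a honeypot.
        return None if src_ip in ADMIN_HOSTS else Alert("inbound", src, dst, dport, proto, line)
    if src_ip in HONEYPOT_NET:
        # Traffic the honeypot initiates outside its daemon baseline suggests compromise.
        if (dst, dport, proto) in BASELINE_OUTBOUND:
            return None
        return Alert("outbound", src, dst, dport, proto, line)
    return None

def scan(lines):
    """Run classify over a log and return the alerts in log order."""
    return [a for a in (classify(l) for l in lines) if a is not None]

# Constructed sample log lines in netfilter LOG format.
SAMPLE_LOG = [
    "kernel: HONEYWALL IN=eth0 OUT=eth1 SRC=198.18.0.7 DST=192.0.2.3 LEN=60 PROTO=TCP SPT=51234 DPT=22",
    "kernel: HONEYWALL IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.3 LEN=60 PROTO=TCP SPT=40001 DPT=22",
    "kernel: HONEYWALL IN=eth1 OUT=eth0 SRC=192.0.2.3 DST=198.51.100.1 LEN=76 PROTO=UDP SPT=123 DPT=123",
    "kernel: HONEYWALL IN=eth1 OUT=eth0 SRC=192.0.2.3 DST=198.18.0.9 LEN=60 PROTO=TCP SPT=33000 DPT=6667",
    "kernel: HONEYWALL IN=eth0 OUT=eth1 SRC=198.18.0.7 DST=203.0.113.50 LEN=60 PROTO=TCP SPT=5 DPT=80",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.direction:8} {a.src} -> {a.dst}:{a.dport}/{a.proto}")
```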
With the help of a high-interaction honeypot, we can collect in-depth information about the procedures of an attacker. We can observe the "reconnaissance phase" — that is, how he searches for targets and with which techniques he tries to find out more about a given system. Afterward, we can watch how he attacks this system and which exploits he uses to compromise a machine. And finally, we can also follow his tracks on the honeypot itself. We monitor which tools he uses to escalate his privileges, how he communicates with other people, or the steps he takes to cover his tracks. Altogether, we learn more about the activities of an attacker — his tools, tactics, and motives. This is an interesting field, and this methodology has proven to be successful in the past. For example, we were able to learn more about the typical procedures of phishing attacks and similar identity theft techniques, since we observed several of these attacks with the help of high-interaction honeypots [100]. In addition, we were able to study the background of such attacks. We will cover these incidents and some more typical attacks we observed in the past in Chapter 10.
To start implementing the high-interaction methodology, you can simply use a physical machine and set up a honeypot on it. However, choosing an approach that uses virtual high-interaction honeypots is also possible. Instead of deploying a physical computer system that acts as a honeypot, you can deploy one physical computer that hosts several virtual machines that act as honeypots. This has some interesting properties. First, the deployment is not very difficult. There are some solutions that offer an already preconfigured honeypot that you just have to customize and execute. Basically you download the virtual machine, deploy it on a physical machine, and run it. Second, maintenance is easy. If an attacker compromises your honeypot, you can watch him and follow his movements. After a certain amount of time, you can restore the honeypot to its original state within minutes and start from the beginning. Third, using a virtual machine to set up a honeypot poses less risk because an intruder is less likely to compromise or corrupt the actual machine on which we are running.
Usually VMware [103] or UML [102] is used to set up such virtual honeypots. These two tools allow you to run multiple instances of operating systems and their applications concurrently on a single physical machine, thus allowing you to collect data more easily. If several honeypots are combined into a network of honeypots, it becomes a honeynet. Usually, a honeynet consists of several high-interaction honeypots of different types (different platforms and/or operating systems). This allows us to simultaneously collect data about different types of attacks. With a virtual approach, this is easy to set up, and we can run a complete honeynet on just one physical machine.
High-interaction honeypots — both virtual and physical — also bear some risks. In contrast to a low-interaction honeypot, the attacker can get full access to a conventional computer system and begin malicious actions. For example, he could try to attack other hosts on the Internet starting from your honeypot, or he could send spam from one of the compromised machines. This is the price we pay for gathering in-depth information about his procedures. However, there are ways to safeguard the high-interaction honeypots and mitigate this risk. We will introduce the most important solution in this area in the second part of this chapter: the Honeywall by the Honeynet Project.
One disadvantage that you should be aware of is that the attacker can differentiate between a virtual machine and a real one. (We will introduce different techniques that an attacker might use to exploit your virtual honeypot in Chapter 9.) It might happen that an advanced attacker compromises a virtual honeypot, detects the suspicious environment, and then leaves the honeypot again. Moreover, he could change his tactics in other ways to try to fool the investigator. So virtual honeypots could yield less information about attackers.