Decoy Systems: A New Player in Network Security and Computer Incident Response

Interconnectivity on the Internet is growing, as more and more organizations, private companies and governmental institutions connect for critical information processing. This interconnectivity allows for better productivity, faster communication capabilities and immeasurable personal conveniences. It also opens the door to many unforeseeable risks, such as individuals gaining unauthorized access to critical enterprise information infrastructure. These organizations are discovering that traditional means of preventing and detecting network infringements with firewalls, router access control-list (ACLs), anti-viruses and intrusion detection systems (IDS) are not enough. Hackers are able to obtain easy to use tools to scan various networks on the Internet for system vulnerabilities, then use the information gathered from the scans to launch their attacks with script kiddies. A solution that has been catching on in the network security and computer incident response environment is to employ “Decoy Systems.” Decoy Systems, also known as deception systems, honey-pots or tar-pits, are phony components setup to entice unauthorized users by presenting numerous system vulnerabilities, while attempting to restrict unauthorized access to network information systems. Introduction The concept of Decoy Systems is not new to the network security world, as Cliff Stoll first described it in his book entitled “The Cuckoo’s Egg.” Stoll depicted a jail-type technology that captured an unauthorized user’s access to a system to determine his intentions. It is just recently that the concept has been adopted by the masses for production implementation to assist in a defensive network security posture. A compromised decoy system offers a wealth of features that can assist with intelligence data gathering, incident response and network forensics, for a better understanding of who the attacker is, what method the attacker used to gain access and the results of the attacker’s unauthorized attack for possible prosecution measures. These features include suspicious event alerts to a management workstation for visual and audible notification, the ability to capture the unauthorized user’s keystrokes and send it to a remote syslog server, various customized logging and bogus system files and information to have the unauthorized user waste time as the security administrator prepares a countermeasure. 1 C. Stoll, The Cuckoo’s Egg: Tracking a Spy Through the Maze of a Computer Espionage (New York: Pocket Books, 1990).