Monday, March 24, 2008

Trap malware with honeypots

Honeypots combine the best aspects of detective and preventative technologies in the fight against malware. Honeypots are systems specifically deployed to be compromised. While the development of commercial honeypots seems to have lost steam, there is a plethora of innovative and freely available honeypot technologies. When carefully deployed, they can strengthen an enterprise's defensive posture in several ways:

  • Slow down an intruder's progress by having him waste time breaking into a system that offers no value to the intruder. For instance, the free LaBrea tool stalls port scans and worm propagation activities by creatively responding to an intruder's network connections.
  • Decrease the rate of false positives, which often plagues network IDS. Since a honeypot, by definition, should not participate in production activities, almost any connection to it is an indication of malice. A free tool Honeyd emulates servers, devices, and even networks to increase the span of such monitoring without requiring multiple physical systems.
  • Capture malware samples for analysis. Since malware is a part of most modern intrusions, capturing it before it finds its way to a production system assists in incident response. One of the free tools that can assist in this task is Nepenthes, which can capture malicious software propagating over the network. With copies of malicious samples at hand, they can be analyzed to understand their capabilities. (Coincidentally, I teach a SANS Institute course about this.)
  • Understand the intruder's intentions by observing his interactions with the compromised environment. This can be accomplished by deploying a series of honeypots to fool the intruder, whether a human or a program, about the authenticity of the targeted system. The bootable Honeywall disk, distributed for free by the Honeynet Project, can help enable this, and includes excellent monitoring tools.
  • Determine whether your users visited malicious websites by employing a client-side honeypot that crawls and examines Web pages. Drive-by downloads, which exploit vulnerabilities through the Web browser, are a common infection technique. Consistently blocking this threat vector may be hard, but you can still detect the incident quickly. If your organization has a mechanism, such as a proxy server, that records visited URLs, you can use the free Caffeine Monkey tool from SecureWorks to automatically examine those sites for Web exploits.
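As an added illustration of the second point (that any connection to a decoy is, by definition, suspicious), here is a minimal low-interaction TCP honeypot in Python. It is example code written for this page, not code from Honeyd, LaBrea or any other tool named above; the decoy banner, the loopback address and the alert record layout are assumptions.

```python
import socket
import threading
import time

class LowInteractionHoneypot:
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mail.decoy.invalid ESMTP\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)            # short timeout so the loop notices stop()
        self.port = self.sock.getsockname()[1]
        self.banner, self.events = banner, []   # banner is an assumed decoy string
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)    # answer like a real service would
                    data = conn.recv(256)        # keep only a small sample of what was sent
                except OSError:
                    data = b""
                self.events.append({"ts": time.time(), "src": addr[0],
                                    "dst_port": self.port, "sample": data})
    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

def events_to_alerts(events):
    """Every contact becomes a high-severity alert; the decoy has no benign traffic to filter."""
    return [{"severity": "high", "src": e["src"], "dst_port": e["dst_port"],
             "sample_hex": e["sample"][:32].hex()} for e in events]

def probe(hp, payload, wait=2.0):
    # Constructed client contact for the demo; returns how many events it produced.
    before = len(hp.events)
    with socket.create_connection(("127.0.0.1", hp.port)) as c:
        c.recv(64)
        c.sendall(payload)
    deadline = time.time() + wait
    while len(hp.events) == before and time.time() < deadline:
        time.sleep(0.05)
    return len(hp.events) - before
```

In a real deployment the alert records would be forwarded to the IDS or log collector, where a rule can treat any hit on the decoy port as a confirmed event rather than one to be scored against a false-positive budget.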