FOR: An ingenious method of trapping crackers, allowing them to leave their footprints everywhere and thereby revealing their methods and motives.

AGAINST: The ManTrap cages may need some maintenance work to ensure that they are convincing to the most dedicated intruder intent on stealing data.

VERDICT: ManTrap approaches security from a different angle, allowing administrators to build up detailed cracker profiles without their knowledge, which they can use to improve their defenses.

The concept of a honey-trap isn't new: during the Cold War, it was a successful ploy used by attractive spies to wheedle state secrets out of diplomats, while the Venus Flytrap has been luring unsuspecting insects into its jaws for millions of years. But the idea is relatively new to the IT security industry. Until now, the primary method of defense has been to stop people getting in, or to detect them and stop them if they do - but Recourse Technologies' ManTrap takes a very different approach. It uses the honey-trap.

The history of IT security is replete with people building walls stronger and higher; it is just as replete with people finding ways to scale walls even stronger and higher. Firewalls and intrusion detection might deter some of the script-kiddies, but the dedicated cracker will eventually find a way in. Indeed, for many, that is their very raison d'être: getting in regardless. And if you have focussed all your attention on keeping them out, once they have breached your firewall they are free to wreak havoc - especially if they spot your intrusion detection system and disable it.

Which is where ManTrap comes in. Because ManTrap wants you to come in. It's waiting for you … ManTrap resides on a Solaris server (sorry if you have any other kind of box) and creates decoys: false servers, false users, false data. It looks like corporate information, it feels like corporate information … but it isn't.
ManTrap works by creating 'cages' of what look like valuable data on real, live servers, buzzing with real, live users: honey-traps. The crackers get to work, stealing information, stealing passwords, changing data, installing backdoors … and all the while, ManTrap is recording their every move: IP addresses, which files are accessed, which processes are invoked, ASCII packet data, keystrokes, characters output to screen, incoming connections, and outgoing connections - the lot. This information can then be analyzed as a way of determining the methods and motives employed by the crackers: how they got in, what techniques they used, what they are looking for.

ManTrap is not just a recording system - it integrates with other intrusion detection systems, allowing for the crackers to be turfed out when you think you have enough of a profile on them. Furthermore, ManTrap alerts may be sent to Recourse Technologies' threat management system, ManHunt, where they may be correlated and analyzed. Even if they aren't stopped, they will have got away with precisely nothing, whereas you will have the beginnings of a profile of their behavior. And with this profile, you can beef up security exactly where it is needed for a particular cracker - or any other cracker who has decided to use the same techniques.

Perhaps the most critical drawback of ManTrap is that the cage server must be anything but suspicious to get a cracker to spend sufficient time there for ManTrap to build up a detailed profile. And if the cracker is actually looking for data, rather than installing a backdoor or some such, the administrator must ensure that the data in the cage is convincing - or else the cracker will vanish without leaving much of a useful footprint. ManTrap's data generation does emulate a few hundred users and their corresponding directories, but no data, apart from fake email messages if you are faking a mail server.
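The review describes the cage as a recorder (source address, files, processes, keystrokes, connections) whose output is turned into a per-intruder profile, with the option of handing the intruder to an IDS once the profile is good enough. The following Python script is an added example of that analysis step; it is not ManTrap's code and does not use its log format. The `ts k=v k=v` line format, the sample events, the decoy directory prefix `/export/home/` and the hand-off threshold in `ready_for_handoff` are all constructed for illustration.

```python
"""Build per-source intruder profiles from honeypot ('cage') event records.

Added example: the line format, sample events and thresholds are invented
for illustration and are not ManTrap's own.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of the event kinds the review says a cage records.
# Addresses are from documentation ranges; nothing here is a real host.
SAMPLE_LOG = """\
2001-03-02T10:14:05 src=203.0.113.7 kind=login user=jdoe
2001-03-02T10:14:09 src=203.0.113.7 kind=keys text="cat /etc/passwd"
2001-03-02T10:14:10 src=203.0.113.7 kind=file path=/etc/passwd op=read
2001-03-02T10:15:31 src=203.0.113.7 kind=proc cmd=/usr/bin/ftp
2001-03-02T10:15:40 src=203.0.113.7 kind=conn dir=out dst=198.51.100.23:21
2001-03-02T10:16:02 src=203.0.113.7 kind=file path=/export/home/jdoe/q3-forecast.xls op=read
2001-03-02T11:02:17 src=192.0.2.44 kind=login user=asmith
2001-03-02T11:02:20 src=192.0.2.44 kind=file path=/export/home/asmith/.profile op=write
2001-03-02T11:02:25 src=192.0.2.44 kind=proc cmd=/usr/local/bin/nc
2001-03-02T11:02:26 src=192.0.2.44 kind=conn dir=in dst=10.0.0.5:4444
2001-03-02T11:40:00 src=192.0.2.200 kind=login user=guest
2001-03-02T11:40:12 src=192.0.2.200 kind=file path=/export/home/guest/README op=read
"""

DECOY_DATA_PREFIX = "/export/home/"   # where the cage's fake user data lives (assumed)


@dataclass
class Profile:
    """Everything the cage has recorded about one source address."""
    logins: set = field(default_factory=set)
    files_read: set = field(default_factory=set)
    files_written: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    outbound: set = field(default_factory=set)
    inbound: set = field(default_factory=set)
    keystrokes: list = field(default_factory=list)
    kinds: set = field(default_factory=set)


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; quoted values may contain spaces."""
    parts = shlex.split(line)
    event = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def build_profiles(log_text):
    """Group every recorded event by its source address."""
    profiles = defaultdict(Profile)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        p = profiles[ev["src"]]
        kind = ev["kind"]
        p.kinds.add(kind)
        if kind == "login":
            p.logins.add(ev["user"])
        elif kind == "keys":
            p.keystrokes.append(ev["text"])
        elif kind == "file":
            target = p.files_written if ev.get("op") == "write" else p.files_read
            target.add(ev["path"])
        elif kind == "proc":
            p.processes.add(ev["cmd"])
        elif kind == "conn":
            target = p.outbound if ev.get("dir") == "out" else p.inbound
            target.add(ev["dst"])
    return dict(profiles)


def observed_methods(p):
    """Summarise what the intruder did, in the review's terms (steal passwords,
    steal data, change data / install backdoors, connect in or out)."""
    methods = []
    if p.files_read & {"/etc/passwd", "/etc/shadow"}:
        methods.append("password-file access")
    if any(path.startswith(DECOY_DATA_PREFIX) for path in p.files_read):
        methods.append("decoy data read")
    if p.files_written:
        methods.append("cage modified")
    if p.outbound:
        methods.append("outbound connection")
    if p.inbound:
        methods.append("inbound connection")
    return methods


def ready_for_handoff(p, min_kinds=3):
    """Decide when the profile is rich enough to pass to an IDS for ejection.
    Threshold chosen for the example: several kinds of activity seen, and the
    intruder either changed the cage or connected outward from it."""
    return len(p.kinds) >= min_kinds and bool(p.outbound or p.files_written)


if __name__ == "__main__":
    for src, prof in build_profiles(SAMPLE_LOG).items():
        print(src, observed_methods(prof), "handoff" if ready_for_handoff(prof) else "keep watching")
```

One property of a cage that the thresholds above rely on is that no legitimate user has any business there, so every recorded event is attributable to an intruder; the only judgement left is how long to keep watching before acting, which is what `ready_for_handoff` encodes.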
For it to stand up to intense scrutiny, it really should be kept up-to-date: using archived data might be an easy shortcut, but it may very well be noticed.

There is documentation, but it is rather disappointing: given the price of the product, one would expect a little more than a simple installation and administration guide. Stating that the "configuration options are endless" just isn't enough. For anyone but the most savvy of security administrators, nothing short of a textbook of decoy examples would be sufficient to ensure that the ManTrap cage is convincing to crackers. Thankfully, Recourse Technologies is currently developing a deployment guide for the product that will include deployment tips and usage scenarios. And, if you are willing to pay for it, Recourse does offer consultancy services to assist you.

Recourse Technologies is to be congratulated on exploiting a new approach to IT security. The honey-trap niche is a very new area as the rarity of competitive products will attest, but it is unlikely to be a niche for much longer. And while some might argue that entrapment is an underhand way of catching crackers, others will argue that this is a dirty fight and any means of defense is admissible. Whether this will stand up in court in some countries that have firm views on what they consider entrapment remains to be seen. ManTrap, though, is an excellent solution for a company that finds itself under assault and wants to determine the methods and techniques that the crackers are employing - whether this is with a view to legal action, or more importantly, as a means to analyze their behavior, beef up defenses and stop them getting in the first place.

"You can catch more flies with honey than with vinegar." Leave something alluring in plain sight, and the chances are that someone will be light-fingered enough to try to steal it - and then you can pounce. Some people call it a honey-trap. Some people call it entrapment. But no one is asking them to steal, are they?
SC On-Line
Copyright © 2001 West Coast Publishing. All rights reserved.