The security team would like to gather intelligence about the types of attacks being launched against the
organization. Which of the following would provide them with the MOST information?
Implement a honeynet
Perform a penetration test
Examine firewall logs
Deploy an IDS
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an
attacker’s activities and methods can be studied and that information used to increase network security. A
honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to
attract and “trap” people who attempt to penetrate other people’s computer systems. Although the primary
purpose of a honeynet is to gather information about attackers’ methods and motives, the decoy network can
benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The
Honeynet Project, a non-profit research organization dedicated to computer security and information sharing,
actively promotes the deployment of honeynets.
In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a
normal network and a worthwhile target. However, because the honeynet doesn’t actually serve any authorized
users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any
outbound activity is likely evidence that a system has been compromised. For this reason, the suspect
information is much more apparent than it would be in an actual network, where it would have to be found
amidst all the legitimate network data. Applications within a honeynet are often given names such as “Finances”
or “Human Services” to make them sound appealing to the attacker.
A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.