In order to identify the requirements for a honeypot infrastructure, the NoAH project undertook a survey of National Research and Education Networks (NRENs), Internet Service Providers (ISPs), and Computer Security Incident Response Teams (CSIRTs). A total of 42 organisations participated, and their responses are summarised below.
The full survey results are detailed in D0.2: Requirements Collection and Analysis.
Actions in case of attack
When an attack is detected, almost all respondents (85.71%) agreed that the NoAH infrastructure participants should be immediately alerted. Some of them (76.19%) would also like to receive guidelines or hints on how to defend against the attack.
Logging all Internet traffic is something that 45.24% of the respondents agreed with. However, it should be noted that the majority of respondents are not interested in logging all the traffic. In fact, some of them noted that they are strongly against it.
Use of Honeypots
45.24% of respondents have used honeypots in the past (figure below, left), which shows that honeypots are already in active use. However, whilst 33.33% of respondents (14/42) have never used honeypots before, the vast majority of them would agree to host a honeypot (figure below, right).
Type of information provided by honeypots
Almost all respondents (95.24%) wished to receive information from honeypots about the type of attack. There was also a lot of interest in receiving a signature for the attack (85.71%), as well as information about the method used by the attacker (78.57%). Information about the tools used by the attacker (66.67%), the attacker's sophistication (59.52%), and the escalation times of the attacks were also considered important.
Almost all respondents (92.86%) would like to receive IP packet-based signatures of attacks. This is unsurprising, since the majority of IDS deployments today use IP packet-based signatures. What is more interesting is that 42.86% of respondents would also like to receive a 'system-calls' signature. Having recognised that the rise of polymorphic attacks may soon render packet-based IDS obsolete, the NoAH consortium decided to work towards producing such signatures, and the survey reinforces this decision.
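To make the contrast between the two signature types concrete, here is an added Python example (not code from the NoAH project or its deliverables): a packet-based signature is a fixed byte pattern, while a system-call signature is an ordered sequence of calls observed on the victim. The payloads, traces, key and signature values are constructed for illustration; the variant payload carries the same content XOR-encoded, so it evades the byte pattern but still produces the same system-call sequence.

```python
"""Added illustration of packet- vs system-call signatures. All payloads,
traces and signatures are constructed sample data, not from NoAH."""
from typing import Sequence

# A packet-based signature is a fixed byte pattern looked for in traffic.
PACKET_SIGNATURE = b"EXPLOIT-MARKER-1"
# A system-call signature is an ordered sequence of calls the attack causes
# on the victim; unrelated calls may occur between them.
SYSCALL_SIGNATURE = ("socket", "connect", "dup2", "execve")

# Constructed request carrying the marker verbatim: the byte pattern matches.
PAYLOAD_ORIGINAL = b"GET / HTTP/1.0\r\nX-Data: " + PACKET_SIGNATURE + b"\r\n"
# Constructed "polymorphic" variant: same marker, XOR-encoded per copy, so the
# bytes on the wire differ and the packet signature no longer matches.
KEY = 0x5A
PAYLOAD_VARIANT = (b"GET / HTTP/1.0\r\nX-Data: "
                   + bytes(b ^ KEY for b in PACKET_SIGNATURE) + b"\r\n")

# Constructed system-call traces as a honeypot sensor might record them.
TRACE_ORIGINAL = ["read", "socket", "connect", "dup2", "dup2", "execve"]
TRACE_VARIANT = ["read", "mprotect", "socket", "connect", "dup2", "dup2", "execve"]
TRACE_BENIGN = ["read", "open", "read", "write", "close"]

def packet_signature_matches(payload: bytes, signature: bytes) -> bool:
    """Content match: the signature bytes must appear verbatim in the payload."""
    return bool(signature) and signature in payload

def syscall_signature_matches(trace: Sequence[str], signature: Sequence[str]) -> bool:
    """Ordered-subsequence match: each signature call must occur in the trace,
    in order, with arbitrary other calls allowed in between."""
    if not signature:
        return False
    pos = 0
    for call in trace:
        if call == signature[pos]:
            pos += 1
            if pos == len(signature):
                return True
    return False

def detect(payload: bytes, trace: Sequence[str]) -> dict:
    """Verdict from each signature type for one observed session."""
    return {"packet": packet_signature_matches(payload, PACKET_SIGNATURE),
            "syscall": syscall_signature_matches(trace, SYSCALL_SIGNATURE)}
```

Running `detect` on the original session flags it under both signature types, while the XOR-encoded variant is missed by the packet signature and still caught by the system-call signature.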
Acceptable level of false positives
50% of the respondents would accept 0-2 false alarms per day, 26.19% would not mind receiving 3-5 false alarms, and 2.38% would even tolerate 10 false alarms. However, one respondent believed there should not be any false alarms at all. While opinions on the acceptable number of false positives per day vary, it is important to strive to keep them low, as a high rate may hinder the deployment of a honeypot infrastructure.
Sharing honeypot data
A majority of respondents (69.05%) stated they would be willing to share data obtained via a honeypot with others. Even though data produced by honeypots is generally not considered sensitive, it must be borne in mind that an attacker may have copied data from another host onto the honeypot. Such cases must be identified and any sensitive data anonymised before sharing.