The concept of Decoy Systems is not new to the network security world, as Cliff Stoll first described it in his book entitled “The Cuckoo’s Egg.”
Stoll depicted a jail-type system that captured an unauthorized user's activity in order to determine his intentions. Only recently has the concept been adopted more widely in production deployments as part of a defensive network security posture. A compromised decoy system offers a wealth of features that assist with intelligence gathering, incident response and network forensics: it gives the defender a better understanding of who the attacker is, what method the attacker used to gain access, and what the attacker did once inside, which may support later prosecution. These features include suspicious-event alerts sent to a management workstation for visual and audible notification, the ability to capture the unauthorized user's keystrokes and send them to a remote syslog server, various customized logging, and bogus system files and data that keep the unauthorized user busy while the security administrator prepares a countermeasure.
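The alerting and remote-logging features described above can be illustrated with a very small decoy service. The following Python listener is an added example and is not code from the paper or from any particular decoy product: it binds a bogus service, presents a constructed banner, records whatever a connecting client sends, and formats each captured connection as an RFC 5424 syslog line for forwarding to a remote syslog server (the `local0` facility, `alert` severity, the host name `decoy01` and the fake banner are all assumptions chosen for the example).

```python
"""Minimal decoy listener: capture what a client sends to a bogus service and
emit an alert line suitable for a remote syslog server.  Added example code;
service banner, host name and facility/severity are constructed assumptions."""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed fake banner: the decoy poses as an SMTP server so an intruder
# spends time on a service that holds nothing of value.
DECOY_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
MAX_CAPTURE = 4096  # bytes of client input kept per connection


def make_event(src_ip, src_port, data, time=None):
    """Normalise one captured connection into an event record."""
    time = time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "time": time,
        "src": src_ip,
        "sport": src_port,
        "nbytes": len(data),
        "data": data.decode("utf-8", errors="replace"),
    }


def format_syslog(event, hostname="decoy01", app="decoy"):
    """Build an RFC 5424 line.  PRI = facility*8 + severity; local0 (16) and
    alert (1) are assumed here, giving <129>."""
    pri = 16 * 8 + 1
    msg = json.dumps({k: event[k] for k in ("src", "sport", "nbytes", "data")})
    return f"<{pri}>1 {event['time']} {hostname} {app} - - - {msg}"


def send_syslog(line, server, port=514):
    """Forward one alert line over UDP to the remote syslog server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (server, port))


def serve_one(listener, events, syslog_server=None, read_timeout=2.0):
    """Accept one client, send the fake banner, capture what the client sends
    until it closes, goes quiet, or MAX_CAPTURE bytes are reached."""
    conn, (ip, port) = listener.accept()
    with conn:
        conn.settimeout(read_timeout)
        conn.sendall(DECOY_BANNER)
        buf = b""
        try:
            while len(buf) < MAX_CAPTURE:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # client went quiet; keep what was captured so far
    event = make_event(ip, port, buf)
    events.append(event)
    if syslog_server:
        send_syslog(format_syslog(event), syslog_server)
    return event


def start_decoy(host="127.0.0.1", port=0, connections=1):
    """Bind the decoy and serve `connections` clients in a background thread.
    Returns (bound_port, events, thread); port 0 lets the OS pick a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)
    events = []

    def loop():
        for _ in range(connections):
            serve_one(listener, events)
        listener.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return listener.getsockname()[1], events, t


def probe(port, payload=b"HELO probe\r\n", host="127.0.0.1"):
    """Local test client standing in for a connecting host: read the banner,
    send a payload, disconnect.  Returns the banner it received."""
    with socket.create_connection((host, port)) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    bound_port, captured, worker = start_decoy()
    probe(bound_port)
    worker.join()
    print(format_syslog(captured[0]))
```

In a real deployment the listener would run as an unprivileged service on the decoy host, `send_syslog` would point at the remote syslog collector so the record survives even if the decoy itself is wiped, and the management workstation would raise its visual or audible notification on receipt of any `<129>` line from `decoy01`.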