Posted on 27-Jan-2015

Page 1: An Introduction to Honeypots

J. Scott Christianson

Page 2: J. Scott Christianson

Experience/Education
– Worked for a consortium of schools for eight years
– Own and operate Kaleidoscope Consulting
– Firewall installation
– Network design
– M.A., Educational Technology, The George Washington University

Certifications
– CISSP
– SANS GIAC
– MCSE
– Cisco CNA 1.0, 2.0
– CVE
– NACSE Senior Network Specialist
– Sonicwall SCSA
– Network+, etc.

Page 3: Today’s Session

– What is a Honeypot?
– Types of Honeypots
– Honeypot Deployment
– Demonstration
– Legal Issues
– Resources

Page 4: Honeypot Defined

“A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.”

-- Lance Spitzner, “Intrusion Deception Systems”

Page 5: Honeypot Uses

Research
– Discover new attacks
– Understand the blackhat community and their attacks
– Build better defenses against security threats

Production
– Distraction
– Detect internal threats: “Policy/Law Enforcement”
– Security assessment (constantly monitors the average security provided by the network)

Page 6: Honeypot Characteristics

Since honeypots are not normally used by the organization, they will only be accessed by “intruders”.

Honeypots collect very little data, and what they do collect is normally of high value.

Honeypots all share one huge drawback: they are worthless if no one attacks them.

Honeypots can introduce risk to your environment.

Page 7: Types of Honeypots

Honeypots are classified by the degree to which an attacker can interact with the operating system.
– The more an attacker can interact with a honeypot, the more information we can potentially gain from it; however, the more risk it most likely introduces.

Types
– Low-Involvement Honeypot
– Mid-Involvement Honeypot
– High-Involvement Honeypot
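The low-involvement end of that scale is easy to show in code: a listener that offers a fixed fake service banner, never runs a real service, and logs whoever shows up. The block below is an illustration added here, not code from the presentation or from any product it names; the names (FAKE_BANNER, HoneypotRecord, record_interaction, summarize_sources, serve_forever) and all sample addresses and payloads are constructed for the example. It also shows the two characteristics from the previous slide in practice: since no legitimate user has a reason to connect, every record is an alert candidate, and only a short prefix of each session is kept.

```python
"""Minimal low-interaction honeypot: answer every connection with a fixed
fake banner, capture a short prefix of what the client sends, and log it.
Added illustration for the slides above, not code from the presentation.
All names and sample inputs here are assumptions made for this example."""
import json
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass, asdict

# Constructed banner; in practice pick one matching the service being emulated.
FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"
LISTEN_PORT = 2525      # unprivileged port so the demo runs without root
MAX_CAPTURE = 256       # keep only the first bytes: little data, high value


@dataclass
class HoneypotRecord:
    ts: float
    src_ip: str
    src_port: int
    first_bytes: str    # printable preview of what the client sent


def record_interaction(peer, data, now=None):
    """Turn one connection into a log record. Nobody legitimately uses the
    honeypot, so nothing is filtered out: every record is an alert candidate."""
    ts = time.time() if now is None else now
    preview = data[:MAX_CAPTURE].decode("ascii", errors="replace")
    preview = "".join(ch if ch.isprintable() else "." for ch in preview)
    return HoneypotRecord(ts, peer[0], peer[1], preview)


def summarize_sources(records):
    """Interactions per source address: the first view an analyst wants."""
    return Counter(r.src_ip for r in records)


def _handle(conn, peer, records, lock):
    """Per-connection worker: send the banner, read once, close, log."""
    data = b""
    try:
        conn.settimeout(5.0)
        conn.sendall(FAKE_BANNER)
        data = conn.recv(MAX_CAPTURE)
    except OSError:
        pass                # timeouts and resets are still worth logging
    finally:
        conn.close()
    rec = record_interaction(peer, data)
    with lock:
        records.append(rec)
    print(json.dumps(asdict(rec)))


def serve_forever(port=LISTEN_PORT, records=None):
    """Accept loop. Blocks; run it in a thread if the caller needs control back."""
    records = [] if records is None else records
    lock = threading.Lock()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=_handle, args=(conn, peer, records, lock),
                         daemon=True).start()


if __name__ == "__main__":
    # Constructed offline walk-through of the logging path, no socket opened.
    sample = [
        record_interaction(("203.0.113.5", 40001), b"EHLO scanner\r\n", now=100.0),
        record_interaction(("203.0.113.5", 40002), b"", now=101.0),
        record_interaction(("198.51.100.9", 5151), b"GET / HTTP/1.0\r\n\r\n", now=102.0),
    ]
    for rec in sample:
        print(json.dumps(asdict(rec)))
    print(dict(summarize_sources(sample)))
```

To run it as a listener, call serve_forever() on the chosen port; the JSON lines it prints are the whole output of the honeypot, which is why even a single entry deserves a look.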

Page 8: Honeypot Deployment

A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc).

A honeypot can be an unpatched server, for example an IIS server with the default install.
– Use a firewall to protect the outside world
– Hogwash (Snort-based IP scrubber)

http://hogwash.sourceforge.net/

Page 9: Specter

– Low/mid interaction honeypot
– Runs on Microsoft OSs
– Specter can emulate one of 13 different operating systems
– As of version 6.02, the IP stack is not emulated, so IP fingerprinting tools are not fooled
– Custom fake password files and custom HTTP content
– Pricing: full version $899, Lite $599

www.specter.com

Page 10: Virtual Honeypots

VMware ($299 from vmware.com)

Host operating system is hardened

Guest operating systems are the honeypots (unpatched OSs)

Diagram: Internet -> Host Operating System -> Guest OS | Guest OS | Guest OS

Page 11: Honeynets

http://project.honeynet.org

An extension of a honeypot: the network topology provides many advantages over a standard honeypot
– Covert logging
– More points of attack for a blackhatter
– Looks realistic from the outside

Page 12: Issues Raised: Privacy

– Electronic Communication Privacy Act (18 USC 2701-11)
– Federal Wiretap Statute (Title III, 18 USC 2510-22)
– The Pen/Trap Statute (18 USC § 3121-27)

Page 13: Issues Raised: Entrapment

– Used only by a defendant to avoid conviction
– You cannot be held criminally liable for ‘entrapment’
– Applies only to law enforcement
– Even then, most legal authorities consider honeynets non-entrapment

Page 14: Issues Raised: Liability

You may be liable if your honeynet system is used to attack or damage other non-honeynet systems.
– Decided at state level, not federal
– Civil issue, not criminal

Page 15: Resources

http://www.spitzner.net/