honeypots correct
-
8/14/2019 Honeypots Correct
Honey Pot
Presented By Shubha Joshi
M.Tech(CS)
Be afraid. Be very afraid.
-
Problems with the Internet
Why?
-
Problems
Internet security is hard. New attacks every day.
Our computers are static targets. What should we do?
The more you know about your enemy, the better you can protect yourself.
Fake target?
-
Solutions?
[Diagram: an air attack against two targets, one labelled Real and one labelled Fake; the label "Detected" marks the attack on the fake target.]
-
Contents
What are Honey pots?
Etymology
History
Classification
How do Honey pots work?
Advantages
Disadvantages
Honeyd
Honey Nets
Google Hack Honey pot
Conclusion
-
Honeypot: What is it?
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
It has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.
Used for monitoring, detecting and analyzing attacks.
It does not solve a specific problem. Instead, honeypots are a highly flexible tool with different applications to security.
-
Continued
A trap set to detect and deflect attempts at unauthorized use of information systems.
It consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected.
Whatever it captures is supposed to be malicious and unauthorized.
-
Etymology
The term refers to the English children's character Winnie-the-Pooh.
During the Cold War it was a technique which inspired spy fiction.
It is a reflection of the sarcastic term for outhouses and other methods of collecting human waste in places that lack indoor plumbing.
-
History of Honeypots
1990/1991 - The Cuckoo's Egg (Clifford Stoll) and An Evening with Berferd (Bill Cheswick)
1997 - Deception Toolkit
It is one of the original and landmark honey pots. It is generally a collection of PERL scripts designed for UNIX systems.
1998 - CyberCop Sting
It is a component of the CyberCop intrusion protection software family which runs on NT. It is referred to as a decoy server as it can emulate a big network containing several different types of network devices.
1998 - NetFacade (and Snort)
It has the same functionality as CyberCop but in a much larger space.
-
Continued
1998 - Back Officer Friendly
It runs on Windows and was free, thus giving more people access to honey pot technology.
1999 - Formation of the Honeynet Project
A group of people led by Lance Spitzner formed this project, which is dedicated to researching the blackhat community and to sharing their work with others.
2003 - Some Honey pot Tools
Snort-Inline: used not only to detect but also to block and disable attacks.
Sebek: used to capture hacker activities by logging their keystrokes.
Virtual Honey nets: used to deploy multiple honey nets with just one computer.
-
Classification
By level of interaction: High, Low
By implementation: Virtual, Physical
By purpose: Production, Research
-
Level of Interaction
Interaction defines the level of activity a honey pot allows an attacker.
Low Interaction
Simulates some aspects of the system
Easy to deploy, minimal risk
Limited information
Example: Honeyd
High Interaction
Simulates all aspects of the OS: real systems
Can be compromised completely, higher risk
More information
Example: Honey-net
-
Level of Interaction
[Diagram of a host with the labels: Operating system, Fake Daemon, Disk, Other local resource; the interaction levels Low and High are marked against these components. Caption: Difference b/w Low & High]
-
Difference b/w Low & High Interaction
Low-interaction
The solution emulates operating systems and services.
Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
Minimal risk, as the emulated services control what attackers can and cannot do.
Captures limited amounts of information, mainly transactional data and some limited interaction.
High-interaction
No emulation; real operating systems and services are provided.
Can capture far more information, including new tools, communications, or attacker keystrokes.
Can be complex to install or deploy (commercial versions tend to be much simpler).
Increased risk, as attackers are provided real operating systems to interact with.
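To make the low-interaction side of the two slides above concrete, here is a minimal low-interaction honeypot written as an added example for this transcript; it is not code from the presentation or from Honeyd. It emulates one aspect of a system (a telnet-style login and a handful of canned commands) and records only transactional data. The banner, host name, port and response table are constructed for the example.

```python
"""Added example, not from the slides: a minimal low-interaction honeypot.

It emulates one aspect of a system (a telnet-style login and a tiny, canned
command set) and records only transactional data: who connected, when, what
they typed, what was answered.  Nothing sent by the client reaches a real
shell; unknown commands get a fixed error.  That is the "emulated services
control what attackers can and cannot do" property of low-interaction
honeypots.  Banner, host name and responses are constructed for the example.
"""
import socket
import threading
from datetime import datetime, timezone

BANNER = b"Ubuntu 8.04 LTS\r\nsrv01 login: "   # constructed fake banner

# The whole "system" an attacker can reach: a lookup table of canned answers.
FAKE_RESPONSES = {
    "uname -a": "Linux srv01 2.6.24-19-server #1 SMP x86_64 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "ls": "bin  boot  etc  home  lib  root  tmp  usr  var",
}


def emulate_command(line: str) -> str:
    """Return the canned answer for a command; anything else is refused."""
    cmd = line.strip()
    if not cmd:
        return ""
    return FAKE_RESPONSES.get(cmd, f"-sh: {cmd.split()[0]}: command not found")


class Session:
    """State machine for one client: login -> password -> shell."""

    def __init__(self, peer: str):
        self.peer = peer
        self.state = "login"
        self.log = []          # the limited, transactional data that is captured

    def _record(self, event: str, value: str, **extra):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "peer": self.peer, "event": event, "value": value, **extra})

    def feed(self, raw: str) -> str:
        """Consume one input line and return the text to send back."""
        line = raw.rstrip("\r\n")
        if self.state == "login":
            self._record("login", line)
            self.state = "password"
            return "Password: "
        if self.state == "password":
            # Every password is "accepted": the point is to observe what follows.
            self._record("password", line)
            self.state = "shell"
            return "$ "
        reply = emulate_command(line)
        self._record("command", line, known=line.strip() in FAKE_RESPONSES)
        return (reply + "\n" if reply else "") + "$ "


def _serve_client(conn, addr):
    session = Session(f"{addr[0]}:{addr[1]}")
    with conn:
        conn.sendall(BANNER)
        for raw in conn.makefile("rb"):
            conn.sendall(session.feed(raw.decode("utf-8", "replace")).encode())
    for entry in session.log:       # stand-in for writing to a log file or SIEM
        print(entry)


def serve(host: str = "127.0.0.1", port: int = 2323):
    """Socket front end for the emulator; the Session class is usable without it."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=_serve_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The design point is the `FAKE_RESPONSES` table: it is the complete surface the client can touch, which is why the risk is minimal and why the captured data is limited to the login pair and the command lines. A high-interaction honeypot would hand the same session to a real shell and capture far more, at the cost of the containment this table gives for free.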
-
Honeypots
Two types
Physical
Real machines
Own IP addresses
Often high-interactive
Virtual
Simulated by other machines that:
Respond to the traffic sent to the honeypots
May simulate a lot of (different) virtual honeypots at the same time
-
Production Honey Pots: Protect the systems
Production honey pots are systems that are used in an organization to mitigate risk. They help in securing systems and networks.
The security has been divided into three categories:
Prevention
Keeping the bad guys out.
Honeypots are not effective prevention mechanisms. Deception, deterrence and decoys do NOT work against automated attacks: worms, auto-rooters.
-
Continued
Detection
Detecting the attacker when he breaks in.
Great work
Response
Can easily be pulled offline
Little to no data pollution
-
Research HPs: gathering information
They capture extensive information and are used primarily by research, military and government organizations. They can be used:
To capture automated threats, such as worms or auto-rooters
To discover new tools and tactics
As an early warning mechanism, predicting when future attacks will happen
To better understand attackers' motives and organization
To develop analysis and forensic skills
To capture unknown tools or techniques
-
How do HPs work?
[Diagram with the labels: Attackers, Gateway, HoneyPot A, Attack Data, Prevent, Detect, Response, Monitor, No connection.]
-
Advantages
Small data sets of high value
New tools and tactics
Minimal resources
Information
Simplicity
-
Disadvantages
Limited view: they can only track and capture activity that directly interacts with them.
Risk: they have the risk of being taken over by the bad guy and being used to harm other systems.
-
Honeyd
A virtual honey pot application, which allows us to create thousands of IP addresses with virtual machines and corresponding network services.
It is open source software released under the GNU General Public License.
It is able to simulate a big network on a single host.
It provides simple functionality.
-
Working of Honeyd
-
Honey net
-
What is a Honeynet
A honey net is a prime example of a high-interaction honey pot. It is basically an architecture, an entire network of computers designed to be attacked.
It is an architecture, not a product or software. Once compromised, data is collected to learn the tools, tactics, and motives of the blackhat community.
Populated with real systems.
A high-interaction honey pot designed to:
capture in-depth information
learn who would like to use your system without your permission
-
How it works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
Any traffic entering or leaving the Honeynet is suspect by nature.
-
Honey-net Architecture
The key to the honey net architecture is the Honeywall. This is a gateway device that separates your honey pots from the rest of the world.
Any traffic going to or from the honey pots must go through the honey wall.
This gateway is traditionally a layer 2 bridging device, meaning the device should be invisible to anyone interacting with the honey pots.
-
There are several key requirements that a honey wall must implement:
Data Control: defines how activity is contained within the honey net without an attacker knowing it. Its purpose is to minimize risk.
Data Capture: capturing all of the attacker's activity without the attacker knowing it.
Data Analysis: the ability to analyze this data.
Data Collection: the ability to collect data from multiple honey nets to a single source.
Of all these requirements, Data Control is the most important. Data Control always takes priority as its role is to mitigate risk.
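The slide names Data Control as the requirement that takes priority, but does not show what a honeywall actually enforces. The following is an added example for this transcript, not code from the presentation or from the Honeynet Project: a model of the classic Data Control policy, in which inbound traffic is always admitted and new outbound connections from each honeypot are counted and capped per protocol per hour, so that a compromised honeypot cannot be turned against third parties (the "Harm" risk). Every verdict is logged (Data Capture) and can be exported as lines for a central collector (Data Collection). The Honeynet Project's honeywall implemented the same idea with iptables; the addresses, budgets and window here are constructed.

```python
"""Added example, not from the slides or the Honeynet Project's code: a model
of the honeywall's Data Control requirement.

Traffic *into* the honeynet is always allowed; that is how attackers get in.
Traffic *out of* a honeypot is the risk (the "Harm" case: a compromised
honeypot used against third parties), so new outbound connections are
counted per honeypot, per protocol, per sliding window and dropped once a
budget is used up.  Every verdict is logged (Data Capture) and the log can be
exported as lines for a central collector (Data Collection).  Addresses,
budgets and window below are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

HONEYNET = {"10.9.9.11", "10.9.9.12"}                      # constructed honeypot IPs
WINDOW_SECONDS = 3600                                      # budget is per hour
OUTBOUND_BUDGET = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}   # constructed


@dataclass
class Packet:
    ts: float            # seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp", "icmp", ...
    new_flow: bool       # first packet of a flow (SYN, first datagram, ...) per conntrack


class DataControl:
    def __init__(self, budget=None, window=WINDOW_SECONDS, honeynet=HONEYNET):
        self.budget = dict(budget or OUTBOUND_BUDGET)
        self.window = window
        self.honeynet = honeynet
        self._allowed = defaultdict(deque)   # (src, proto) -> timestamps of allowed new flows
        self.log = []

    def _used(self, key, now):
        """Expire timestamps older than the window; return budget already used."""
        q = self._allowed[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def decide(self, pkt: Packet) -> str:
        """Return "ALLOW" or "DROP" for one packet crossing the bridge."""
        if pkt.src not in self.honeynet:
            verdict, reason = "ALLOW", "inbound"          # let attackers in
        elif pkt.dst in self.honeynet:
            verdict, reason = "ALLOW", "internal"         # honeypot-to-honeypot
        elif not pkt.new_flow:
            verdict, reason = "ALLOW", "established"      # flow was already admitted
        else:
            proto = pkt.proto if pkt.proto in self.budget else "other"
            key = (pkt.src, proto)
            used = self._used(key, pkt.ts)
            limit = self.budget[proto]
            if used < limit:
                self._allowed[key].append(pkt.ts)
                verdict, reason = "ALLOW", f"outbound {proto} {used + 1}/{limit}"
            else:
                verdict, reason = "DROP", f"outbound {proto} budget exhausted"
        self.log.append({"ts": pkt.ts, "src": pkt.src, "dst": pkt.dst,
                         "proto": pkt.proto, "verdict": verdict, "reason": reason})
        return verdict

    def export(self):
        """Data Collection: one line per verdict, ready to ship to a central store."""
        return [f"{e['ts']:.0f} {e['src']}->{e['dst']} {e['proto']} {e['verdict']} ({e['reason']})"
                for e in self.log]

    def drops(self):
        """The events an analyst looks at first: the honeypot trying to reach out."""
        return [e for e in self.log if e["verdict"] == "DROP"]
```

Two properties of the policy are worth noticing. The budget is small but not zero: a few outbound connections let the attacker fetch tools, which is what a research honeynet wants to observe, while the cap bounds the damage. And a DROP is itself high-value data, since a honeypot that starts opening connections outward has almost certainly been compromised.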
-
Risk & Issues
In reference to risk, there are four general areas we will cover:
Harm: when a honey net is used to attack or harm other, non-honey net systems.
Detection: once the true identity of a honey net has been identified, its value is dramatically reduced.
Disabling: attackers may want to not only detect a honey net's identity, but disable its Data Control or Data Capture capabilities.
Violation: attackers may attempt criminal activity from your compromised honey net without actually attacking anyone outside your honey net.
-
What's The Difference b/w honeypot & Honeynet
Honeypots use known vulnerabilities to attract attackers.
Configure a single system with special software or system emulations.
Want to find out actively who is attacking the system.
Honeynets are networks open to attack.
Often use default installations of system software.
Capture an extensive amount of information.
Basically a collection of honey pots.
-
Google Hack Honeypot
Google Hack Honey pot emulates a vulnerable web application by allowing itself to be indexed by search engines.
It's hidden from casual page viewers, but is found through the use of a crawler or search engine. The transparent link will reduce false positives.
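The transparent-link mechanism on this slide is easiest to see in code. The following is an added example for this transcript, not code from the presentation or from the GHH project: a small WSGI application whose index page carries one link that a person never sees but a crawler follows, leading to a decoy page that looks like a vulnerable application and records every visit. Because browsing users never reach the decoy, a hit there is either a crawler indexing it or a visitor who arrived through a search engine, which is why the hidden link reduces false positives. The decoy path, the crawler and search-engine name lists, and the sample requests are this example's own assumptions.

```python
"""Added example, not from the slides or from the GHH project: the
transparent-link idea behind the Google Hack Honeypot, as a small WSGI app.

The index page looks ordinary but carries one link that a person never sees
(no anchor text, hidden by CSS) and a crawler still follows.  The decoy page
it points to imitates a vulnerable-looking application and records each
visit.  The decoy path, the crawler and search-engine name lists and the
sample requests are this example's own.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs

DECOY_PATH = "/admin/legacy-dbadmin.php"                   # assumed: looks interesting, is fake
KNOWN_CRAWLERS = ("googlebot", "bingbot", "duckduckbot")   # assumed User-Agent substrings
SEARCH_HOSTS = ("google.", "bing.", "duckduckgo.")         # assumed Referer hosts

INDEX_HTML = (b"<html><body><h1>Welcome</h1>"
              b'<a href="' + DECOY_PATH.encode() + b'" style="display:none"></a>'
              b"</body></html>")
DECOY_HTML = b"<html><body><h2>DB Admin 1.0</h2><form><input name=id></form></body></html>"

visits = []   # in-memory log; a deployment would append to a file or database


def classify(environ) -> str:
    """Crawler, search-engine-directed visitor, or direct hit?"""
    ua = environ.get("HTTP_USER_AGENT", "").lower()
    if any(bot in ua for bot in KNOWN_CRAWLERS):
        return "crawler"
    referer = environ.get("HTTP_REFERER", "").lower()
    if any(host in referer for host in SEARCH_HOSTS):
        return "search-directed"
    return "direct"


def record_visit(environ) -> dict:
    """Log one hit on the decoy with the fields an analyst needs for triage."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "ip": environ.get("REMOTE_ADDR", "?"),
        "path": environ.get("PATH_INFO", ""),
        "ua": environ.get("HTTP_USER_AGENT", ""),
        "referer": environ.get("HTTP_REFERER", ""),
        # Parameter names show what was probed; values are not needed for triage.
        "params": sorted(parse_qs(environ.get("QUERY_STRING", ""))),
        "kind": classify(environ),
    }
    visits.append(entry)
    return entry


def app(environ, start_response):
    """WSGI application: public index, hidden decoy, 404 for everything else."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        start_response("200 OK", [("Content-Type", "text/html")])
        return [INDEX_HTML]
    if path == DECOY_PATH:
        record_visit(environ)
        start_response("200 OK", [("Content-Type", "text/html")])
        return [DECOY_HTML]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def make_environ(path, ua="", referer="", query="", ip="203.0.113.5"):
    """Build a minimal WSGI environ for offline exercise (constructed input)."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
            "HTTP_USER_AGENT": ua, "HTTP_REFERER": referer, "REMOTE_ADDR": ip}


def call(path, **kw):
    """Run one request through app() and return (status, body)."""
    status = {}
    body = b"".join(app(make_environ(path, **kw), lambda s, h: status.setdefault("s", s)))
    return status["s"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The `kind` field is the triage signal: crawler hits are expected and tell you the decoy has been indexed, "search-directed" hits are the population the honeypot exists to observe, and a "direct" hit on a path that is linked from nowhere visible deserves a closer look.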
-
Thanks
Queries??