honeypots correct

Upload: mravdheshsharma

Post on 30-May-2018


TRANSCRIPT

  • 8/14/2019 Honeypots Correct

    1/35

    Honey Pot

    Presented By Shubha Joshi

    M.Tech(CS)

    Be afraid. Be very afraid.

    2/35

    Problems with the Internet

    Why?

    3/35

    Problems

    Internet security is hard: there are new attacks every day.

    Our computers are static targets. What should we do?

    The more you know about your enemy, the better you can protect yourself.

    Fake target?

    4/35

    Solutions?

    [Diagram: an air attack against a real target and a fake (decoy) target; the strike on the decoy is detected.]

    5/35

    Contents

    What are Honey pots?

    Etymology

    History

    Classification

    How do Honey pots work?

    Advantages

    Disadvantages

    Honeyd

    Honey Nets

    Google Hack Honey pot

    Conclusion

    6/35

    Honeypot: What is it?

    A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

    It has no production value; anything going to or from a honeypot is likely a probe, an attack or a compromise.

    Used for monitoring, detecting and analyzing attacks.

    It does not solve a specific problem. Instead, honeypots are a highly flexible tool with different applications to security.

    7/35

    Continued

    A trap set to detect and deflect attempts at unauthorized use of information systems.

    It consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected.

    Whatever it captures is assumed to be malicious and unauthorized.

    8/35

    Etymology

    The term refers to the English children's character Winnie-the-Pooh.

    During the Cold War it was a technique which inspired spy fiction.

    It is also a reflection of the sarcastic term for outhouses and other methods of collecting human waste in places that lack indoor plumbing.

    9/35

    History of Honeypots

    1990/1991 - The Cuckoo's Egg (Clifford Stoll) and An Evening with Berferd (Bill Cheswick)

    1997 - Deception Toolkit
      One of the original and landmark honeypots. It is essentially a collection of Perl scripts designed for UNIX systems.

    1998 - CyberCop Sting
      A component of the CyberCop intrusion protection software family, running on NT. It is referred to as a decoy server because it can emulate a big network containing several different types of network devices.

    1998 - NetFacade (and Snort)
      Same functionality as CyberCop Sting, but on a much larger scale.

    10/35

    Continued

    1998 - Back Officer Friendly
      Runs on Windows and was free, thus giving more people access to honeypot technology.

    1999 - Formation of the Honeynet Project
      A group of people led by Lance Spitzner formed this project, which is dedicated to researching the blackhat community and sharing its findings with others.

    2003 - Some Honeypot Tools

    Snort-Inline: used not only to detect but also to block and disable attacks.

    Sebek: used to capture attacker activity by logging keystrokes.

    Virtual Honeynets: used to deploy multiple honeynets with just one computer.

    11/35

    Classification

    By level of interaction
      High
      Low

    By implementation
      Virtual
      Physical

    By purpose
      Production
      Research

    12/35

    Level of Interaction

    Interaction defines the level of activity a honeypot allows an attacker.

    Low Interaction
      Simulates some aspects of the system
      Easy to deploy, minimal risk
      Limited information
      Example: Honeyd

    High Interaction
      Nothing is simulated: real systems with every aspect of the OS present
      Can be compromised completely, higher risk
      More information
      Example: Honeynet

    13/35

    Level of Interaction

    [Diagram: what an attacker can reach at each level. Low interaction stops at a fake daemon; high interaction exposes the operating system, the disk and other local resources.]

    Difference b/w Low & High

    14/35

    Difference b/w Low & High Interaction

    Low-interaction
      The solution emulates operating systems and services.
      Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
      Minimal risk, as the emulated services control what attackers can and cannot do.
      Captures limited amounts of information, mainly transactional data and some limited interaction.

    High-interaction
      No emulation: real operating systems and services are provided.
      Can capture far more information, including new tools, communications, or attacker keystrokes.
      Can be complex to install or deploy (commercial versions tend to be much simpler).
      Increased risk, as attackers are provided real operating systems to interact with.
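The "emulated services control what attackers can and cannot do" point is easiest to see in code. The block below is an added example, not code from the slides or from the honeyd project: a low-interaction SMTP emulator written in the shape of a honeyd service script, which gets the attacker's TCP stream on stdin/stdout. The environment variable names HONEYD_REMOTE_HOST / HONEYD_REMOTE_PORT, the log path and the fake "Postfix" identity are assumptions. Every reply is canned, the "queued" message is a lie (nothing is stored or relayed, so the decoy cannot become an open relay), and the only thing captured is transactional data: the command sequence, sender, recipients and body size.

```python
"""Low-interaction SMTP emulator in the style of a honeyd service script (added example)."""
import io
import json
import os
import sys
import time
from dataclasses import dataclass, field

LOG_PATH = os.environ.get("FAKE_SMTP_LOG", "fake_smtp.jsonl")   # assumed log location
BANNER = "220 mail.example.com ESMTP Postfix"                     # fake identity


@dataclass
class Session:
    peer: str
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    commands: list = field(default_factory=list)   # every command line, verbatim
    body_lines: int = 0
    in_data: bool = False
    done: bool = False


def handle_line(session, line):
    """Return the reply lines for one attacker line and update the session.

    Session state is the only thing the attacker can influence: no code path
    executes, stores or forwards anything they send.
    """
    line = line.rstrip("\r\n")
    if session.in_data:
        if line == ".":
            session.in_data = False
            return ["250 2.0.0 Ok: queued as 3F1A2B9C"]   # pretend; nothing is queued
        session.body_lines += 1
        return []
    session.commands.append(line)
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        return ["250-mail.example.com", "250 PIPELINING"]
    if verb == "HELO":
        return ["250 mail.example.com"]
    if verb == "MAIL":
        session.mail_from = arg.split(":", 1)[-1].strip()
        return ["250 2.1.0 Ok"]
    if verb == "RCPT":
        session.rcpt_to.append(arg.split(":", 1)[-1].strip())
        return ["250 2.1.5 Ok"]
    if verb == "DATA":
        if not session.rcpt_to:
            return ["503 5.5.1 Error: need RCPT command"]
        session.in_data = True
        return ["354 End data with <CR><LF>.<CR><LF>"]
    if verb in ("VRFY", "EXPN"):
        return ["252 2.0.0 Cannot VRFY user"]   # classic recon: logged, never answered
    if verb in ("NOOP", "RSET"):
        return ["250 2.0.0 Ok"]
    if verb == "QUIT":
        session.done = True
        return ["221 2.0.0 Bye"]
    return ["502 5.5.2 Error: command not recognized"]


def serve(inp, out, peer="unknown", log=None):
    """Drive one session over text streams and return the record written to the log."""
    out.write(BANNER + "\r\n")
    out.flush()
    session = Session(peer=peer)
    for line in inp:
        for reply in handle_line(session, line):
            out.write(reply + "\r\n")
        out.flush()
        if session.done:
            break
    record = {
        "ts": int(time.time()), "peer": session.peer,
        "mail_from": session.mail_from, "rcpt_to": session.rcpt_to,
        "body_lines": session.body_lines, "commands": session.commands,
    }
    if log is not None:
        log.write(json.dumps(record) + "\n")
    return record


def run_transcript(text, peer="test"):
    """Offline helper: feed a scripted attacker transcript, return (record, server output)."""
    out = io.StringIO()
    record = serve(io.StringIO(text), out, peer=peer)
    return record, out.getvalue()


if __name__ == "__main__":
    # Under honeyd the peer address is expected in these variables (assumption).
    peer = "%s:%s" % (os.environ.get("HONEYD_REMOTE_HOST", "?"),
                      os.environ.get("HONEYD_REMOTE_PORT", "?"))
    with open(LOG_PATH, "a") as log_file:
        serve(sys.stdin, sys.stdout, peer=peer, log=log_file)
```

The script can be exercised without honeyd at all by piping a transcript into it, which is also how you check that nothing in the emulation reveals itself (a real MTA would, for instance, reject a RCPT before MAIL; if that matters for the fingerprint, add the state check).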

    15/35

    Physical vs. Virtual Honeypots

    Two types

    Physical
      Real machines
      Own IP addresses
      Often high-interaction

    Virtual
      Simulated by other machines that:
      respond to the traffic sent to the honeypots
      may simulate a lot of (different) virtual honeypots at the same time

    16/35

    Production Honeypots: Protect the systems

    Production honeypots are systems used in an organization to mitigate risk. They help in securing systems and networks.

    Security is divided into three categories:

    Prevention
      Keeping the bad guys out.
      Honeypots are not effective prevention mechanisms.
      Deception, deterrence and decoys do NOT work against automated attacks: worms, auto-rooters.

    17/35

    Continued

    Detection
      Detecting the attacker when he breaks in.
      This is where honeypots do great work.

    Response
      Can easily be pulled offline.
      Little to no data pollution, since there is no production traffic to sift through.

    18/35

    Research Honeypots: gathering information

    They capture extensive information and are used primarily by research, military and government organizations. They can be used:

    To capture automated threats, such as worms or auto-rooters

    To discover new tools and tactics

    As an early warning mechanism, predicting when future attacks will happen

    To better understand attackers' motives and organization

    To develop analysis and forensic skills

    To capture unknown tools or techniques

    19/35

    How do HPs work?

    [Diagram: attackers reach Honeypot A through a gateway, which monitors the traffic, collects attack data and provides the prevent/detect/response functions; Honeypot A is otherwise isolated (no connection).]

    20/35

    Advantages

    Small data sets of high value

    New tools and tactics

    Minimal resources

    Information

    Simplicity

    21/35

    Disadvantages

    Limited view: they can only track and capture activity that directly interacts with them.

    Risk: they carry the risk of being taken over by the bad guy and used to harm other systems.

    22/35

    Honeyd

    A virtual honeypot application which allows us to create thousands of IP addresses with virtual hosts and corresponding network services.

    It is open source software released under the GNU General Public License.

    It is able to simulate a big network on a single host.

    It provides simple functionality.
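What "a big network on a single host" looks like in practice is a honeyd configuration file: a template describes one fake host (its TCP/IP personality, default port behaviour and the services to emulate), and bind attaches that template to as many unused addresses as you like. The fragment below is an added example, not configuration from the slides or the honeyd project. The personality string must match an entry in the nmap.prints fingerprint file that honeyd reads; the addresses and both script paths are assumptions.

```conf
# honeyd.conf (added example): one fake Linux host bound to two spare addresses.

# Template for the decoy host.
create linux
# TCP/IP stack fingerprint shown to nmap and similar scanners (name must exist in nmap.prints).
set linux personality "Linux 2.4.20"
# Closed ports answer with RST like a real host; answer ping so the host looks up.
set linux default tcp action reset
set linux default udp action reset
set linux default icmp action open
set linux uptime 1728650

# Port 22: complete the handshake only, so connection attempts are logged.
add linux tcp port 22 open
# Port 25: hand the stream to an emulator script (assumed path).
add linux tcp port 25 "python3 /opt/honeyd/fake_smtp.py"
# Port 80: web-server script shipped with honeyd (assumed install path).
add linux tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"

# Make the template appear on unused addresses.
bind 10.0.0.10 linux
bind 10.0.0.11 linux
```

Honeyd only sees packets that reach its host, so the unused addresses must be steered to it (arpd answering ARP for the range is the usual way on a LAN); it is then started with the configuration file, a log file and the address range it owns, and a scan of 10.0.0.10 from another machine should show ports 22, 25 and 80 and the chosen OS fingerprint.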

    23/35

    Working of Honeyd

    [Diagram only]

    24/35

    Honeynet

    25/35

    What is a Honeynet

    A honeynet is a prime example of a high-interaction honeypot. It is basically an architecture, an entire network of computers designed to be attacked.

    It is an architecture, not a product or software. Once compromised, data is collected to learn the tools, tactics, and motives of the blackhat community.

    Populated with real systems.

    A high-interaction honeypot designed to:
      capture in-depth information
      learn who would like to use your system without your permission

    26/35

    How it works

    A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.

    Any traffic entering or leaving the honeynet is suspect by nature.

    27/35

    Honeynet Architecture

    The key to the honeynet architecture is the Honeywall. This is a gateway device that separates your honeypots from the rest of the world.

    Any traffic going to or from the honeypots must go through the Honeywall.

    This gateway is traditionally a layer 2 bridging device, meaning the device should be invisible to anyone interacting with the honeypots.


    29/35

    There are several key requirements that a Honeywall must implement:

    Data Control: defines how activity is contained within the honeynet without the attacker knowing it. Its purpose is to minimize risk.

    Data Capture: capturing all of the attacker's activity without the attacker knowing it.

    Data Analysis: the ability to analyze this data.

    Data Collection: the ability to collect data from multiple honeynets into a single source.

    Of all these requirements, Data Control is the most important. Data Control always takes priority, as its role is to mitigate risk.
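Data Control is easiest to understand as a concrete rule: let attackers in freely, but cap how many new connections each honeypot may open outward per hour, per protocol, so a compromised honeypot cannot be used to scan or attack third parties (the "Harm" risk) while the attacker still gets enough success to keep working. The block below is an added example of that logic, not code from the slides or the Honeynet Project's Honeywall (which applied such limits in its firewall rules); the per-hour caps and the traffic are constructed values for the example. It also shows the detection side: every outbound connection from a honeypot is an alert by itself, because a honeypot has no legitimate reason to connect out.

```python
"""Honeywall-style Data Control as a sliding-window outbound connection limiter (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600
LIMITS = {"tcp": 9, "udp": 20, "icmp": 50, "other": 10}   # assumed per-hour caps, not a recommendation


class OutboundLimiter:
    """Counts allowed outbound connections per (honeypot, protocol) in a sliding window."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self._allowed = defaultdict(deque)   # (honeypot_ip, proto) -> timestamps of allowed connections

    def decide(self, ts, honeypot_ip, proto):
        proto = proto if proto in self.limits else "other"
        q = self._allowed[(honeypot_ip, proto)]
        while q and ts - q[0] >= self.window:   # expire entries that left the window
            q.popleft()
        if len(q) < self.limits[proto]:
            q.append(ts)
            return "allow"
        return "drop"


def apply_data_control(events, limiter=None):
    """events: (ts, direction, src, dst, proto) for NEW connections crossing the Honeywall.

    Inbound connections are always allowed (we want attackers to come in);
    outbound ones go through the limiter. Returns the events with a verdict appended.
    """
    limiter = limiter or OutboundLimiter()
    verdicts = []
    for ts, direction, src, dst, proto in events:
        verdict = "allow" if direction == "in" else limiter.decide(ts, src, proto)
        verdicts.append((ts, direction, src, dst, proto, verdict))
    return verdicts


def summarize(verdicts):
    """Per-honeypot counts of outbound connections allowed and dropped: any non-zero
    number here means the honeypot is compromised and should be looked at."""
    summary = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, direction, src, dst, proto, verdict in verdicts:
        if direction == "out":
            summary[src]["allowed" if verdict == "allow" else "dropped"] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


def sample_events():
    """Constructed traffic for the example (not real captures)."""
    ev = [(0, "in", "198.51.100.7", "10.0.0.10", "tcp")]                          # attacker breaks in
    ev += [(60 + i, "out", "10.0.0.10", "203.0.113.%d" % i, "tcp") for i in range(12)]  # honeypot scans out
    ev.append((100, "out", "10.0.0.10", "203.0.113.50", "icmp"))                  # a ping, separate budget
    ev.append((3660, "out", "10.0.0.10", "203.0.113.99", "tcp"))                  # window has slid past t=60
    return ev


def run_example():
    verdicts = apply_data_control(sample_events())
    return verdicts, summarize(verdicts)


if __name__ == "__main__":
    for row in run_example()[0]:
        print(row)
    print(run_example()[1])
```

With these caps the scan burst gets its first nine TCP connections through and the rest silently dropped; the attacker sees a few targets "down" rather than a dead network, which is the point of containing activity without the attacker knowing it. A real deployment also has to handle replies to inbound connections (connection tracking, so only NEW outbound flows count) and should alert on the first outbound connection, not wait for the limit.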


    31/35

    Risks & Issues

    In reference to risk, there are four general areas we will cover:

    Harm: when a honeynet is used to attack or harm other, non-honeynet systems.

    Detection: once the true identity of a honeynet has been identified, its value is dramatically reduced.

    Disabling: attackers may want not only to detect a honeynet's identity, but to disable its Data Control or Data Capture capabilities.

    Violation: attackers may attempt criminal activity from your compromised honeynet without actually attacking anyone outside your honeynet.

    32/35

    What's the Difference b/w Honeypot & Honeynet

    Honeypots use known vulnerabilities to attract attackers.

    Configure a single system with special software or system emulations.

    Want to find out actively who is attacking the system.

    Honeynets are networks open to attack.

    Often use default installations of system software.

    Capture an extensive amount of information.

    Basically a collection of honeypots.

    33/35

    Google Hack Honeypot

    Google Hack Honeypot emulates a vulnerable web application by allowing itself to be indexed by search engines.

    It is hidden from casual page viewers, but is found through the use of a crawler or search engine.

    The transparent link reduces false positives: a person browsing the site never sees it, so whoever requests the decoy page arrived through a search engine or by deliberately crawling the site.
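The value of the transparent link shows up when you read the web server log: hits on the decoy path split cleanly into crawlers indexing it (expected) and everyone else, who by construction arrived through a search engine or a crawl of their own. The block below is an added example of that triage, not code from the GHH project: the decoy path, the crawler and search-engine patterns and the four log lines (Apache combined format) are constructed for the example. It goes slightly beyond the slide by also pulling the query string out of each probe, since that is what tells you which "dork" the attacker was chasing.

```python
"""Triage of hits on a Google Hack Honeypot style decoy from web server logs (added example)."""
import re
from urllib.parse import urlsplit

DECOY_PREFIX = "/ghh/"   # assumed path of the decoy application
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot|duckduckbot|baiduspider", re.I)
SEARCH_REFERER = re.compile(r"^https?://([a-z0-9.-]+\.)?(google|bing|yandex|duckduckgo)\.[a-z.]+/", re.I)

# The link a real page carries: a 1x1 transparent image, invisible to a person, followed by crawlers.
TRANSPARENT_LINK = '<a href="%sindex.php"><img src="/pixel.gif" width="1" height="1" alt=""></a>' % DECOY_PREFIX

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_log_line(line):
    """Parse one Apache combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return (label, detail) for one parsed request."""
    url = urlsplit(entry["url"])
    if not url.path.startswith(DECOY_PREFIX):
        return "normal", ""
    if CRAWLER_UA.search(entry["ua"]):
        return "crawler", "indexing the decoy (expected)"
    if SEARCH_REFERER.match(entry["referer"]):
        return "probe", "arrived from search engine; query=%s" % url.query
    return "probe", "reached decoy without referer; query=%s" % url.query


def scan_log(lines):
    """Run the classifier over log lines; returns (ip, label, detail) per parsable line."""
    results = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        label, detail = classify(entry)
        results.append((entry["ip"], label, detail))
    return results


# Constructed sample log (not real traffic): crawler, search-driven probe, normal visitor, direct probe.
SAMPLE_LOG = [
    '66.249.66.1 - - [10/May/2018:08:00:01 +0000] "GET /ghh/index.php HTTP/1.1" 200 1532 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 - - [11/May/2018:13:22:10 +0000] "GET /ghh/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1532 '
    '"https://www.google.com/search?q=inurl:ghh" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '198.51.100.20 - - [11/May/2018:14:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0"',
    '198.51.100.21 - - [12/May/2018:02:11:09 +0000] "GET /ghh/index.php HTTP/1.1" 200 1532 '
    '"-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for ip, label, detail in scan_log(SAMPLE_LOG):
        print(ip, label, detail)
```

Two caveats a practitioner would add: a crawler User-Agent is trivially forged, so the "crawler" label should be confirmed with a reverse DNS check of the source address before it is trusted, and the decoy must carry a robots directive that lets it be indexed or the search engines never deliver anyone to it.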


    35/35

    Thanks

    Queries?