introduction to honeypots
DESCRIPTION
Edgis Sharing Session – Introduction to Honeypots. Presented at Whitehat Society, Singapore Management University, September 2012, and at Computing Society, Royal Holloway, University of London, February 2013.
TRANSCRIPT
Emil Tan
Team Lead, Co-Founder
http://edgis-security.org
@EdgisSecurity
Research Guide
http://honeynet.sg
Introduction to Honeypots
The Honeynet Project.
The Honeynet Project is a leading international 501(c)(3) non-profit
security research organisation, dedicated to investigating the latest
attacks and developing open source security tools to improve
Internet security.
Founded in 1999, The Honeynet Project has contributed to the fight
against malware and malicious hacking attacks and counts leading
security professionals among its members and alumni.
Websites: http://www.honeynet.org/ http://www.honeynet.sg
Agenda.
What is a honeypot.
What types of honeypot are there.
Introduction to honeypot tools.
How to deploy them.
Deployment considerations.
Operational considerations.
Governance considerations.
Legal considerations.
What is a honeypot. An information system resource which has no production
value.
Its value lies in unauthorised or illicit use of that resource.
Its value lies in being probed, attacked, or compromised.
-- Spitzner
Intelligence gathering
Analyse trends / behaviours; Know your enemy.
Decoy / Bait
Types of honeypot.
High interaction:
An actual machine.
Rich content; Fully emulated shells; Fully replicated services.
Low interaction:
A program.
Emulate specific services; limited interactivity.
Honeytoken
Hybrid
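As an added illustration of the low-interaction type described above (a program that emulates one service with limited interactivity, the approach Tiny Honeypot takes for FTP and HTTP), here is a small FTP decoy in Python. It is not code from the talk or from any tool it lists; the banner text, the listening port 2121 and the peer address 203.0.113.5 used for offline replay are constructed values. Every login fails because the decoy has no accounts; what it produces is one JSON event per credential pair and per command tried.

```python
import json
import socketserver
import time

BANNER = b"220 FTP server ready\r\n"  # constructed banner; nothing real listens behind it

def handle_line(state, line):
    """Answer one FTP command as a minimal decoy would; returns (reply_bytes, event_or_None)."""
    parts = line.strip().split(b" ", 1)
    cmd = parts[0].upper()
    arg = parts[1].decode(errors="replace") if len(parts) > 1 else ""
    if cmd == b"USER":
        state["user"] = arg  # remember the name for the PASS that follows
        return b"331 Password required\r\n", None
    if cmd == b"PASS":  # no accounts exist, so every login fails; the credential pair is what we keep
        return b"530 Login incorrect\r\n", {"type": "login_attempt",
                                            "user": state.get("user"), "password": arg}
    if cmd == b"QUIT":
        return b"221 Goodbye\r\n", {"type": "quit"}
    return b"500 Unknown command\r\n", {"type": "command",
                                        "cmd": cmd.decode(errors="replace"), "arg": arg}

def run_session(lines, peer, send=lambda reply: None, log=lambda event: None):
    """Drive one session from an iterable of raw lines; returns (replies, events).
    send/log are called as the session progresses so a live connection is answered at once."""
    state, replies, events = {}, [BANNER], []
    send(BANNER)
    for line in lines:
        if not line.strip():
            continue
        reply, event = handle_line(state, line)
        replies.append(reply)
        send(reply)
        if event:
            event.update({"ts": time.time(), "peer": peer})
            events.append(event)
            log(event)
        if line.upper().startswith(b"QUIT"):
            break
    return replies, events

class FtpDecoy(socketserver.StreamRequestHandler):
    """Network front end: one thread per connection, one JSON line on stdout per logged event."""
    def handle(self):
        run_session(self.rfile, self.client_address[0], self.wfile.write,
                    lambda event: print(json.dumps(event), flush=True))

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), FtpDecoy) as srv:  # port is assumed
        srv.serve_forever()
```

Run stand-alone it listens on the assumed port and prints events; `run_session()` can also replay a captured client stream offline, which is how a Kojoney-style log would be regenerated from a pcap.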
Honeypot tools. High interaction:
De facto security tools (NIDS, HIDS, etc.)
In-depth Data Capture tools (Sebek, Qebek, Capture-HPC).
Egress Traffic Control (Snort Inline, iptables)
Perimeter – Honeywall (Roo)
Web Application – Glastopf
SSL Proxy & Traffic Analyser – HoneyProxy
USB Malware – Ghost USB
Low interaction: De facto low interaction honeypot – Honeyd
Common ports – Tiny Honeypot
Malware – Dionaea (… Honeytrap?)
Web Application – Glastopf
USB Malware – Ghost USB
SSH – Kippo, Kojoney
Blacklisting – Honeyports
Kojoney.
Low interaction SSH honeypot.
Emulate SSH service.
Kojoney Logs.
Kojoney Reports.
Tiny Honeypot.
Written by George Bakos
Alpinista.org
Low interaction honeypot.
Based on iptables and an xinetd listener.
Emulate well-known services:
HTTP
FTP
Honeytrap.
Written by Tillmann Werner.
Low interaction malware collection honeypot.
Dynamic reaction to incoming traffic:
Pcap-based sniffer
IP_Queue interface
Deployment & Considerations.
More Considerations
Roles and Responsibilities
Deployment Considerations
High or low interaction: What do you want from your honeypots?
Honeypot tools: What do you want from your honeypots?
Placed in internal or external networks: What do you want from your honeypots?
Configuration of your honeypots.
Physical or virtual environment: Costs & Maintenance
Dynamics / Programmability: Nature of the dynamics
Level of vulnerability: What do you want from your honeypots?
Legal considerations