Honeypots and Honeynets
Posted on 31-Dec-2015
Transcript
Honeypots and Honeynets
Source: The HoneyNet Project http://www.honeynet.org/
Mehedy Masud
September 16, 2009
Why HoneyPots
A great deal of the security profession and the IT world depend on honeypots. Honeypots:
◦ Build anti-virus signatures.
◦ Build SPAM signatures and filters.
◦ Let ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Support malware collection and analysis.
What are Honeypots
Honeypots are real or emulated vulnerable systems ready to be attacked.
The primary value of honeypots is to collect information.
This information is used to better identify, understand and protect against threats.
Honeypots add little direct value to protecting your network.
Types of HoneyPot
Server: Put the honeypot on the Internet and let the bad guys come to you.
Client: The honeypot initiates connections and interacts with servers.
Other: Proxies
Types of HoneyPot
Low-interaction
◦ Emulates services, applications, and OSs.
◦ Low risk and easy to deploy/maintain, but captures limited information.
High-interaction
◦ Real services, applications, and OSs.
◦ Captures extensive information, but high risk and time intensive to maintain.
Types of HoneyPot
Production
◦ Easy to use/deploy
◦ Captures limited information
◦ Mainly used by companies/corporations
◦ Placed inside the production network with other servers
◦ Usually low interaction
Research
◦ Complex to maintain/deploy
◦ Captures extensive information
◦ Primarily used by research, military, or government organizations
Examples Of Honeypots
From low interaction to high interaction:
BackOfficer Friendly
KFSensor
Honeyd
Honeynets
Honeynets
High-interaction honeypot designed to capture in-depth information.
Information has different value to different organizations.
It is an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.
How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis
Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth throttling
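The outbound-connection counting mentioned above, as an added example that is not part of the slides or the Honeynet Project's honeywall code: a toy data-control policy that counts outbound connections per honeypot and protocol and drops anything past a per-hour limit. The limits, window and addresses are assumed values.

```python
# Added example: toy honeywall-style outbound connection limiter (not the
# Honeynet Project's own code; limits and sample data are constructed here).
from collections import defaultdict

# Assumed limits on outbound connections per honeypot, per protocol, per window.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW = 3600  # seconds


class OutboundLimiter:
    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        # (honeypot ip, protocol) -> timestamps of connections already allowed
        self.history = defaultdict(list)

    def decide(self, src, proto, ts):
        """Return 'allow' or 'drop' for an outbound connection attempt at time ts."""
        key = (src, proto)
        # Forget connections that fell outside the sliding window.
        recent = [t for t in self.history[key] if ts - t < self.window]
        self.history[key] = recent
        if proto not in self.limits:
            return "drop"  # unknown protocol: fail closed
        if len(recent) >= self.limits[proto]:
            return "drop"  # limit reached: the honeypot may be attacking others
        recent.append(ts)
        return "allow"


def run_policy(events):
    """Apply the policy to (timestamp, honeypot_ip, protocol) events in order."""
    limiter = OutboundLimiter()
    return [limiter.decide(src, proto, ts) for ts, src, proto in events]


# Constructed sample: a compromised honeypot attempts 17 TCP connections
# within three minutes; only the first 15 should get through.
SAMPLE = [(i * 10, "10.0.0.5", "tcp") for i in range(17)]

if __name__ == "__main__":
    decisions = run_policy(SAMPLE)
    print(decisions.count("allow"), "allowed,", decisions.count("drop"), "dropped")
```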
Data Control
[Diagram: Internet, Honeywall, and two Honeypots behind it. Inbound traffic: No Restrictions. Outbound traffic: Connections Limited, Packets Scrubbed.]
Data Capture
Capture all activity at a variety of levels:
Network activity.
Application activity.
System activity.
Sebek
Hidden kernel module that captures all host activity.
Dumps the captured activity to the network.
The attacker cannot sniff this traffic: packets matching Sebek's magic number and destination port are hidden from the host.
Honeywall CDROM
Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
May 2003: Released Eeyore
May 2005: Released Roo
Roo Honeywall CDROM
Based on Fedora Core 3.
Vastly improved hardware and international support.
Automated, headless installation.
New Walleye interface for web-based administration and data analysis.
Automated system updating.
Installation
Just insert the CDROM and boot; it installs to the local hard drive.
After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
Following installation, you get a command prompt and the system is ready to configure.
Network Telescope
Also known as a darknet, internet motion sensor or black hole.
Allows one to observe different large-scale events taking place on the Internet.
The basic idea is to observe traffic targeting the dark (unused) address space of the network.
Since all traffic to these addresses is suspicious, one can gain information about possible network attacks
◦ random scanning worms, and DDoS backscatter
as well as other misconfigurations by observing it.
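The two event classes named above, as an added example that is not part of the slides: a classifier over constructed darknet records that separates sources probing many unused addresses (scanning) from sources sending unsolicited SYN-ACK/RST to unused addresses (backscatter from a victim answering spoofed packets). The packet records and the scan threshold are constructed here.

```python
# Added example: classify constructed network-telescope records into probable
# scanning versus DDoS backscatter. Addresses and threshold are assumed values.
from collections import defaultdict

# Constructed records: (src_ip, dst_ip in the dark address space, tcp_flags)
PACKETS = [
    ("198.51.100.7", "203.0.113.1", "S"),   # SYNs to many dark addresses
    ("198.51.100.7", "203.0.113.2", "S"),
    ("198.51.100.7", "203.0.113.3", "S"),
    ("198.51.100.7", "203.0.113.4", "S"),
    ("192.0.2.80", "203.0.113.9", "SA"),    # replies nobody in dark space asked for
    ("192.0.2.80", "203.0.113.9", "SA"),
    ("192.0.2.80", "203.0.113.23", "R"),
    ("198.51.100.9", "203.0.113.5", "S"),   # a single probe: not enough evidence
]

SCAN_THRESHOLD = 3  # distinct dark addresses probed by one source (assumed)


def classify(packets, scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: 'scanner' | 'backscatter' | 'unclassified'}."""
    targets = defaultdict(set)  # src -> dark addresses it sent SYNs to
    replies = defaultdict(int)  # src -> SYN-ACK/RST packets it sent to dark space
    for src, dst, flags in packets:
        if flags == "S":
            targets[src].add(dst)
        elif flags in ("SA", "R", "RA"):
            # A reply arriving at an unused address means that address was
            # spoofed as a source elsewhere; src is most likely a flood victim.
            replies[src] += 1
    labels = {}
    for src in set(targets) | set(replies):
        if len(targets[src]) >= scan_threshold:
            labels[src] = "scanner"
        elif replies[src] > 0:
            labels[src] = "backscatter"
        else:
            labels[src] = "unclassified"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify(PACKETS).items()):
        print(src, label)
```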
Honeytoken
Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse.
As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes.
Honeytokens can exist in almost any form,
◦ from a dead, fake account to a
◦ database entry that would only be selected by malicious queries,
◦ making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious if not necessarily malicious.
Honeytoken
In general, they don't necessarily prevent any tampering with the data,
◦ but instead give the administrator a further measure of confidence in the data integrity.
An example of a honeytoken is a fake email address used to track whether a mailing list has been stolen.
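The two honeytoken forms the slides describe, the fake mailing-list address and the database entry only a malicious query would select, as an added example that is not part of the slides: the tokens are registered with where they were seeded, and constructed mail and SQL audit log lines are scanned for any use of them. Token values, log formats and the actor regex are constructed here.

```python
# Added example: detect use of planted honeytokens in log lines. All tokens,
# log lines and the log formats are constructed for this example.
import re

# Planted tokens mapped to where each was seeded, so an alert names the leaked copy.
HONEYTOKENS = {
    "s.hale.list-q3@example.net": "Q3 mailing-list export",
    "ACCT-0000-CANARY-7781": "customers table, canary row",
}

# Constructed log lines: one mail-transfer log and one SQL audit log format.
LOGS = [
    "mta: from=<promo@spam.example> rcpt=<s.hale.list-q3@example.net> status=accepted",
    "mta: from=<bob@corp.example> rcpt=<alice@corp.example> status=accepted",
    "sqlaudit: user=reports SELECT * FROM customers WHERE account_no='ACCT-0000-CANARY-7781'",
    "sqlaudit: user=app SELECT name FROM customers WHERE account_no='ACCT-1234-5678-0001'",
]

# Pull out who acted: the sender of a mail, or the database user of a query.
ACTOR_RE = re.compile(r"(?:from=<([^>]+)>|user=(\S+))")


def find_honeytoken_hits(lines, tokens=HONEYTOKENS):
    """Return one alert dict per log line that touches any token.

    Legitimate code never uses a honeytoken, so every hit is worth an alert;
    the 'seeded_in' field tells the administrator which data set was abused.
    """
    hits = []
    for line in lines:
        for token, seeded_in in tokens.items():
            if token in line:
                m = ACTOR_RE.search(line)
                actor = (m.group(1) or m.group(2)) if m else "unknown"
                hits.append({"token": token, "seeded_in": seeded_in, "actor": actor})
    return hits


if __name__ == "__main__":
    for hit in find_honeytoken_hits(LOGS):
        print(f"ALERT: {hit['seeded_in']} touched by {hit['actor']} ({hit['token']})")
```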
Honeymonkey
HoneyMonkey,
◦ short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot.
The implementation uses a network of computers
◦ to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer.
◦ A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site.
◦ After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot.
◦ The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.
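The snapshot, visit, compare and judge steps above, as an added example that is not HoneyMonkey's own code: a directory tree stands in for the honeypot's executables and a plain dict stands in for its autorun registry keys; the "visit" that drops a file and adds an autorun entry is simulated in place. The file names and registry values are constructed.

```python
# Added example: HoneyMonkey-style snapshot-and-compare in miniature. The
# file tree, registry dict and the simulated drive-by changes are constructed.
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot_files(root):
    """Map relative path -> sha256 for every file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                state[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return state


def diff_states(before, after):
    """Return (added, removed, modified) keys between two snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return added, removed, modified


def judge(file_diff, reg_diff):
    """Verdict: any new or changed executable, or autorun key, means the site installed something."""
    f_added, _, f_modified = file_diff
    r_added, _, r_modified = reg_diff
    suspicious = [p for p in f_added + f_modified if p.endswith((".exe", ".dll"))]
    return bool(suspicious or r_added or r_modified), suspicious, r_added + r_modified


def demo():
    with tempfile.TemporaryDirectory() as root:
        Path(root, "notepad.exe").write_bytes(b"clean")          # constructed baseline
        run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
        registry = {run_key + r"\Explorer": "explorer.exe"}
        files_before, reg_before = snapshot_files(root), dict(registry)
        # Simulated visit: a drive-by drops an executable and adds an autorun entry.
        Path(root, "dropper.exe").write_bytes(b"dropped")
        registry[run_key + r"\Updater"] = "dropper.exe"
        file_diff = diff_states(files_before, snapshot_files(root))
        reg_diff = diff_states(reg_before, registry)
        return judge(file_diff, reg_diff)


if __name__ == "__main__":
    print(demo())
```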
Honeymonkey
HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it.
The term was coined by Microsoft Research in 2005.
With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.
Tarpit
A tarpit (also known as Teergrube, the German word for tarpit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible.
The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective if they take too long.
The name is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface.