Honeynets and Honeypots: Companion Technology for Detection and Response
Cristine Hoepers, [email protected]
NIC BR Security Office – NBSO, Brazilian Computer Emergency Response Team, http://www.nbso.nic.br/
Honeynet.BR & Brazilian Honeypots Alliance, http://www.honeynet.org.br/
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.1/41
Overview
• Some definitions
• Types of Honeypots
– differences
– possible uses
• Types of data gathered
– in a Honeynet
– in a network of distributed honeypots
• Additional Information
Honeypot Definition
“A honeypot is a security resource whose value lies in being probed, attacked or compromised.”
Lance Spitzner, Honeypots: Tracking Hackers.
Advantages
• There is no “normal” traffic. Everything is suspicious and potentially malicious.
• Less data to analyse than in IDS systems
• Can provide valuable information about attackers
• Can capture new types of malware
Disadvantages
• There are potential risks for your network (depending on the type)
• Can be time consuming to maintain
• Narrow view – sees only what is directed to it
What honeypots aren’t
• Honeypots are not replacements for:
– security best practices
– security policies
– firewalls
– IDS
– patch management
Types of Honeypots
Low-interaction Honeypots
• Easy to install and maintain
• Low risk
• Limited information gathering
• Examples:
– listeners, service emulators, honeyd, TinyHoneypot.
Low-Interaction Honeypots (cont.)
• Emulate some parts of services and systems
• The attacker does not have access to the real operating system
• The attacker can’t compromise the honeypot (in theory)
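A listener-style low-interaction honeypot of the kind the previous two slides describe, as an added example (not code from the slides or from NBSO): it emulates only a service banner, logs every probe, and never interprets what the peer sends, so there is no real operating system behind the port. Ports, banners and the log path are constructed values.

```python
"""Listener-style low-interaction honeypot (added example, not NBSO's code).
Emulates nothing but a greeting banner and records each probe; peer bytes
are hex-encoded and never interpreted, so the attacker only ever talks to
this loop, not to a real service or OS. Ports/banners/log path are constructed.
"""
import json
import socket
import time

# Constructed banners by TCP port. The emulator knows nothing else about
# these protocols, which is what "low interaction" means in practice.
BANNERS = {
    21: b"220 FTP server ready\r\n",
    25: b"220 mail ESMTP\r\n",
}

def banner_for(port):
    """Canned greeting for a port; unknown ports accept and stay silent."""
    return BANNERS.get(port, b"")

def probe_record(peer, port, data, now=None):
    """Build the log entry for one connection. The payload is truncated and
    hex-encoded so binary or hostile input cannot corrupt the log file."""
    return {
        "ts": time.time() if now is None else now,
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "bytes": len(data),
        "payload_hex": data[:64].hex(),
    }

def serve(port, log_path, bind="0.0.0.0", max_read=1024):
    """Accept connections forever: greet, read once, log, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        try:
            conn.settimeout(3)          # a silent scanner must not hang us
            conn.sendall(banner_for(port))
            try:
                data = conn.recv(max_read)
            except socket.timeout:
                data = b""
            with open(log_path, "a") as fh:
                fh.write(json.dumps(probe_record(peer, port, data)) + "\n")
        finally:
            conn.close()
```

Running `serve(21, "probes.jsonl")` as an unprivileged user on a spare address gives one JSON line per connection attempt, which is the whole of the information a listener of this type gathers.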
High-interaction Honeypots
• More difficult to install and maintain
• High risk
• Need containment mechanisms
• Extensive information gathering
• Example:
– honeynets, virtual honeynets
Honeynet Definition (1)
“A Honeynet is nothing more than one type of honeypot. Specifically, it is a high interaction honeypot designed primarily for research, to gather information on the enemy. [...] A Honeynet is different from traditional honeypots, it is what we would categorize as a research honeypot.”
Lance Spitzner, Know Your Enemy: Honeynets
Honeynet Definition (2)
“A honeynet is a research tool consisting of a network specifically designed for the purpose of being compromised, with control mechanisms that prevent this network from being used as a base for launching attacks against other networks.”
Cristine Hoepers, Klaus Steding-Jessen, Antonio Montes, Honeynets Applied to the CSIRT Scenario
Honeynets Characteristics
• A network of multiple systems and applications
• Robust containment mechanism
– may have multiple layers of control
– sometimes called “honeywall”
• Data capture and alerting mechanisms
Honeynet Requirements
• No data pollution (i.e. no test or traffic generated by non-blackhats)
• Data control
• Data capture
• Data collection
• Alerting mechanism
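The containment mechanism from the Honeynets Characteristics slide and the data control and alerting requirements above, worked as an added example (not code from the slides or NBSO): a honeywall decision function for new connections. Because a honeypot never legitimately initiates traffic, the first outbound connection is itself an alert; outbound connections are then limited per honeypot and time window so an intruder can be observed without harming third parties, and anything aimed at the organisation's own network is dropped. Networks and limits are constructed values.

```python
"""Honeywall data control with alerting (added example, not NBSO's code).
Decides accept/drop for each new connection crossing the honeywall, following
the slide's requirements: first outbound connection from a honeypot alerts,
outbound connections are limited per honeypot per window, and anything aimed
at the organisation's own network is dropped. Ranges/limits are constructed.
"""
from collections import defaultdict, deque
import ipaddress

HONEYNET = ipaddress.ip_network("192.0.2.0/28")      # constructed (RFC 5737)
ORG_NET = ipaddress.ip_network("198.51.100.0/24")     # constructed org range
OUTBOUND_LIMIT = 10     # new outbound connections allowed per honeypot ...
WINDOW = 3600           # ... within this many seconds

class DataControl:
    def __init__(self):
        self._outbound = defaultdict(deque)   # honeypot -> outbound timestamps
        self.alerts = []                      # what the alerting mechanism sends

    def decide(self, ts, src, dst, dport):
        """Return "accept" or "drop" for one new connection, recording alerts."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in HONEYNET:
            # Inbound traffic is the bait: let it in (it is all captured).
            # Flows touching no honeypot should never reach us: drop them.
            return "accept" if dst_ip in HONEYNET else "drop"
        if dst_ip in HONEYNET:
            return "accept"                   # lateral movement: observe it
        if dst_ip in ORG_NET:
            self._alert(ts, src, f"attempt to reach org network {dst}:{dport}")
            return "drop"
        seen = self._outbound[src]
        while seen and ts - seen[0] >= WINDOW:
            seen.popleft()                    # expire entries outside the window
        if not seen:
            self._alert(ts, src, f"first outbound connection to {dst}:{dport}")
        if len(seen) >= OUTBOUND_LIMIT:
            self._alert(ts, src, "outbound limit reached, connection dropped")
            return "drop"
        seen.append(ts)
        return "accept"

    def _alert(self, ts, src, msg):
        self.alerts.append({"ts": ts, "honeypot": src, "msg": msg})
```

In a real honeywall the same decisions would be expressed as bridge firewall rules and the alerts sent to the on-call analyst; the limit is a trade-off between seeing what the intruder does and the harm a few outbound connections can cause.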
Risks
Low-Interaction Honeypots Risks
• Compromise of the real operating system running the honeypot
• The honeypot software may have vulnerabilities
• Attract attackers to your network
Honeynets Risks
• A mistake in containment or configuration can
– permit your honeynet to be used to harm other networks
– open a port to your organization’s network
• A compromise associated with your organization can affect its image
• Your honeynet being identified
Honeynets Risks (cont.)
Why they are so risky:
• Level of interaction – the attacker has full control of the machine
• Complex to deploy and maintain
– variety of technologies working together
– multiple points of failure
• New attacks and unexpected threats may not be contained or seen
Possible Uses