Honeypots “The more you know about the enemy, the better you can protect yourself” Rohan Rajeevan Srikanth Vanama Rakesh Akkera

Jan 12, 2016


Hillary Neal
Honeypots

“The more you know about the enemy, the better you can protect yourself”

Rohan Rajeevan Srikanth Vanama Rakesh Akkera

Honeypots

Oops !!

Definition(s)

A honeypot is:

A decoy computer system, designed to look like a legitimate system, that an intruder will want to break into while, unknown to the intruder, they are being covertly observed.

A resource whose value lies in being attacked or compromised.

Honeypots do not fix anything. They provide additional, valuable information.

Like a hidden surveillance camera.

Necessity of honeypots

For the following reasons, good data is needed about attacks:

Real threat data

Trend data

Statistical Examples

• At the end of the year 2000, the life expectancy of a default installation of Red Hat 6.2 was less than 72 hours!

• One of the fastest recorded times in which a honeypot was compromised was 15 minutes.

• During an 11-month period (Apr 2000 – Mar 2001), there was a 100% increase in IDS alerts based on Snort.

• At the beginning of 2002, a home network was scanned on average by three different systems a day.

History

1980s

US MILITARY traced cracker to Germany

Tracing consumed time

1st honeypot born

Primary ways of usage

• Deceive

• Intimidate

• Reconnaissance.

How do HoneyPots work?

[Diagram: Attackers, Gateway, HoneyPot A, Attack Data; labels: Prevent, Detect, Response, Monitor, No connection]

Deployment strategies

Classification of honeypots

Based on

Purpose

level of involvement

Honeypots

Based on purpose

Production

Research

Honeypots

Based on the level of involvement

Low

Middle

High

Level of Interaction

Operating system

Fake daemon

Disk

Other local resource

Low

Medium

High

Placement

Locations

In front of firewall (Internet)

DMZ

Behind the firewall (Intranet)

Best location ?

Compatibility

Microsoft Windows

Unix Derivatives

Advantages

Small Data Sets

Minimal Resources

Simplicity

Discovery of new tactics

Cost Effective

Disadvantages

Limited Vision

Inappropriate Response for new attacks

Not a perfect solution

Skilled analyst required

Requires high level of effort

Products in the market

Symantec Decoy Server

LaBrea Tarpit

HoneyD

Future of honeypot technologies (Future on the good side…)

Honeytokens

Wireless honeypots

SPAM honeypots

Honeypot farms

Search-engine honeypots

Conclusion

Only the best thief can become the best cop

A tool, not a solution!

Design foolproof security systems.

Wide areas of Usage

Growth is unbounded


Thanks for your (long) patience

and attention!

Any Queries ?!

Rohan Rajeevan

- Srikanth Vanama

- Rakesh Akkera