Honeypots
ZIANE Bilal
Http://www.ZIANEBilal.com/2012/09/honeypots/

Honeypot

1. Definitions of Honeypots

What is a Honeypot?

The buzzword "honeypot" has created a great deal of confusion and miscommunication in the security community, because there is no clear and simple definition. Some think a honeypot is an intrusion detection tool; others see it as a jail, or as a deception tool to lure hackers. These competing views of what a honeypot is have produced a lot of misunderstanding. Put simply, a honeypot is a resource that pretends to be a real target. A honeypot is expected to be attacked or compromised. Its main goals are to distract an attacker and to gain information about the type of attack and about the attacker, serving as an early warning and thus minimizing the risk to the real IT systems and network.

Honeypots are typically virtual machines, designed to emulate real machines with fully running services, fooling black hats who do not know they are being covertly observed. On the one hand, firewalls are designed to protect organizations by controlling the flow of traffic, acting as an access control device that blocks unauthorized activity. On the other hand, network intrusion detection systems are designed to detect malicious activity by monitoring the activity within the network, identifying malicious activities and reporting them to the administrator. A honeypot differs from most security tools in that it can take on many different manifestations. The value of a honeypot resides in being attacked: if the system is never probed, it has little or no value. Honeypots are flexible and do not solve only one specific issue. Instead, they are well suited to widely different situations: as alarm and warning sensors, by detecting attacks (like an IDS), by deterring attacks (like a firewall), and by capturing and analyzing automated attacks, including worms.

How Honeypots Work

Honeypots are security resources that have no production value; no person or resource should be communicating with them. Any activity sent their way is suspect. Any traffic initiated by the honeypot means the system has most likely been compromised. Any traffic sent to the honeypot is most likely a probe, scan, or attack. With a honeypot, nothing is expected. To better understand the concept, consider the following example of a honeypot deployment. The purpose is to show that honeypots come in many different flavors and can achieve different things, yet they are all honeypots because they share the same definition and concepts. The intent of using systems as honeypots here is to determine whether any unauthorized activity is happening within your DMZ. Honeypots passively capture any traffic or activity that interacts with them.

2. Types of Honeypots

• Production/Research Honeypots

Honeypots fall into two general categories: production honeypots and research honeypots. Production honeypots are easier to build and deploy than research honeypots, and besides their simplicity they carry less risk. But they give less information about the attacker and about the types of attacks. Research honeypots are designed to gain information about the black hat community, with the aim of researching the threats the organization might face: detecting who the attackers are, how they are organized, and the tools they are using, in order to understand how they operate. The environment can then be progressively protected based on the collected information. Security research companies, government agencies and universities deploy research honeypots to help the security community secure its resources and to learn about attackers: who they are, how they act, and what tools they use. Honeynets are one example of research honeypots.

• Low/High Interactivity

High-interaction honeypots offer the adversary a full system to interact with. This means that the honeypot does not emulate any services, functionality, or base operating system. Instead, it provides real systems and services, the same ones used in organizations today. Thus, the attacker can completely compromise the machine and take control of it. This allows you to learn more about the tools, tactics, and motives of the attacker and get a better understanding of the attacker community. Although these honeypots can give you deep insight into the routine procedures of an attacker, be warned: high-interaction honeypots can be a time-consuming yet fascinating hobby! Your personal computer can be considered a high-interaction honeypot.

This approach, however, has several drawbacks. After all, you do not want an attacker to have access to your private data or to disrupt your work. You will certainly want to set up a machine dedicated to this task, for example a virtual machine. High-interaction honeypots carry some risk: the attacker can abuse a honeypot he has compromised and start to attack other systems on the Internet. This could cause you both legal and ethical problems. Therefore, the whole setup needs to be safeguarded to mitigate that risk.

Low-interaction honeypots are appealing for many reasons. Many noncommercial solutions exist, such as LaBrea and Tiny Honeypot, and low-interaction honeypots are easy to set up. Even without much experience, you can set up a network of hundreds of low-interaction virtual honeypots in a short time.

• Hybrid honeypots

When low-interaction systems are not powerful enough and high-interaction systems are too expensive, hybrid solutions offer the benefits of both worlds. Let's say we want to capture real worms on a class B network under our control. It would be too expensive to set up 65,000 real machines, but by combining the principles of low-interaction honeypots with high-interaction honeypots, we can use the low-interaction honeypots as gateways to a few high-interaction machines. The low-interaction honeypots filter out noise and scanning attempts and ensure that only interesting connections are forwarded to a set of high-interaction machines. These high-interaction machines can run different operating systems, and by selectively forwarding connections from the low-interaction honeypots, we can mix and match the different services available on the high-interaction systems.

3. Advantages of Honeypots

• Simplicity and high flexibility

The simpler a technology is, the fewer mistakes and misconfigurations there will be, and I consider simplicity the biggest advantage of honeypots. Just drop one somewhere in the organization, then sit and wait. Some honeypots can be more complex, especially research honeypots, but they all operate on the same simple premise: the simpler the concept, the more reliable it is. With complexity come misconfigurations and failures. Thanks to their high flexibility, honeypots can be used in a wide variety of environments. They can range from a single fake social security number added to a database to an entire network of computers designed to be broken into. It is this flexibility that allows honeypots to be used anywhere and to gather extensive information accordingly, especially against insider threats.

• Data Value

The amount of information captured every day from firewall logs, intrusion detection alerts and system logs is overwhelming and extremely difficult to take advantage of. Instead of logging gigabytes of data every day, honeypots capture only bad activity (positive alerts), reducing the noise and collecting small, high-value data sets that most likely represent a scan, probe, or attack.

• Minimal resources

Running out of resources has become an issue in the security community, and since honeypots require minimal resources, this limitation does not apply to them. Because they capture and monitor little activity, honeypots typically do not suffer from resource exhaustion. By contrast, most IDS sensors have difficulty monitoring networks running at gigabit speeds: the speed and volume of the traffic are too great for the sensor to analyze every packet, so traffic is dropped and potential attacks are missed. A honeypot deployed on the same network does not share this problem. The honeypot only captures activity directed at itself, and since any interaction with a honeypot is most likely unauthorized or malicious, only bad activity is captured and the system is not overwhelmed by the traffic. Besides, no great deal of money needs to be invested in hardware to deploy a honeypot; a cheap, old and unwanted Pentium computer will do the job.

• Capture the new tools and attacks

Honeypots are designed to capture anything thrown at them. This means they capture harmful methods and tools that have never been seen before. This is unusual among security systems such as IDS and firewalls, all of which have to recognize and diagnose an activity before categorizing it as dangerous.

• Return on Investment

Honeypots quickly and repeatedly demonstrate their value. Whenever they are attacked, people know the bad guys are out there. By capturing unauthorized activity, honeypots can be used to justify not only their own value but investments in other security resources as well. When management perceives there are no threats, honeypots can effectively prove that a great deal of risk does exist.

4. Disadvantages of Honeypots

• Narrow Field of View

The greatest disadvantage of honeypots is that they only see activity directed against them. If an attacker breaks into your real network and attacks a variety of systems, your honeypot will be unaware of the activity unless it is attacked directly. Likewise, if attackers have identified the honeypot for what it is, they can avoid that system, with the honeypot never knowing. As noted earlier, honeypots are designed to be attacked, and if they are not, they lose their value.

• Fingerprinting

Fingerprinting is when an attacker can identify the true identity of the honeypot because of its characteristics or behaviors. If a blackhat identifies an organization using a honeypot on its internal networks, he could spoof the identity of other production systems and attack the honeypot. The honeypot would detect these spoofed attacks and falsely alert administrators that a production system was attacking it, sending the organization on a wild goose chase. Meanwhile, in the midst of all the confusion, the attacker could focus on real attacks. Fingerprinting is an even greater risk for research honeypots. A system designed to gain intelligence can be devastated if detected. Instead of avoiding detection, an attacker can feed bad information to a research honeypot, and this bad information would then lead the security community to draw incorrect conclusions about the blackhat community. This is not to say all honeypots must avoid detection. Some organizations might want to scare away or confuse attackers: once a honeypot is attacked, it can identify itself and warn off the attacker in the hope of scaring him off. In most situations, however, organizations do not want their honeypots to be detected.

• Risk

Honeypots can introduce risk to the environment. Once a honeypot is attacked, it can be used to attack, infiltrate, or harm other systems or organizations. The simpler the honeypot, the less the risk. Some introduce very little risk and are difficult to compromise, while others give the attacker an entire platform from which to launch passive or active attacks against other systems. Because of these disadvantages, honeypots cannot replace other security mechanisms such as firewalls and intrusion detection systems. Rather, they add value by working with existing security mechanisms; they play a part in your overall defenses.

Honeynets

1. How Honeynets Work

A Honeynet is a physical network of multiple systems built on the same principle as a honeypot, but not confined to a single system. Anything sent to the Honeynet is suspect: potentially a probe, scan, or even an attack. Anything sent from a Honeynet implies that it has been compromised and that an attacker or tool is launching activity. Honeynets are an architecture that builds a highly controlled network within which you can place any system or application you want. It is this architecture that is your Honeynet. There are three critical elements to a Honeynet architecture: data control, data capture, and data collection. These elements define your Honeynet architecture. Of the three, the first two are the most important and apply to every Honeynet deployment. The third, data collection, only applies to organizations that deploy multiple Honeynets in a distributed environment. Data control is the control of blackhat activity: once a blackhat takes control of a honeypot within the Honeynet, his activity has to be contained so that he cannot harm non-Honeynet systems. Data capture is the capture of all the activity that occurs within the Honeynet. Data collection is the aggregation of all the data captured by multiple Honeynets.

Honeynets are highly flexible: there is no specific way to implement a Honeynet solution. What is critical, however, is that it meets the data requirements of Honeynet technologies. There are currently two types of Honeynets that can be employed on a network: GEN I, or first generation, and GEN II, or second generation. The type of Honeynet one chooses depends on many factors, including the availability of resources, the types of hackers and attacks one is trying to detect, and overall experience with the Honeynet methodology.

GEN I Honeynets are the simpler methodology to employ. Although they are somewhat limited in their ability for data capture and data control, they are highly effective in detecting automated attacks or beginner-level attacks against targets of opportunity on the network. Their limitations in data control make it possible for a hacker to fingerprint them as a Honeynet. They also offer little to attract a skilled hacker to target the Honeynet, since the machines on the Honeynet are normally just default installations of various operating systems.

GEN II Honeynets were developed to address the shortcomings inherent in GEN I Honeynets. The primary area addressed by GEN II Honeynets is data control. GEN I Honeynets used a firewall to provide data control by limiting the number of outbound connections from the Honeynet. This is a very effective method of data control; however, it lacks flexibility and allows for the possibility of the hacker fingerprinting the Honeynet. GEN II Honeynets provide data control by examining outbound data and deciding whether to block it, to pass it, or to modify it by changing some of the packet contents so that the data appears to pass but is rendered benign. GEN II Honeynets are more complex to deploy and maintain than GEN I Honeynets.
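The following is an added illustration, not code from the document, of two points made above: that any traffic initiated by a honeypot signals a likely compromise while any traffic sent to it is a probe, scan or attack (How Honeypots Work), and GEN I-style data control, which caps the number of outbound connections a Honeynet host may open. The honeypot addresses, the cap of 5 per hour and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed honeypot addresses: decoys with no production value.
HONEYPOTS = {"10.0.5.10", "10.0.5.11"}
OUTBOUND_CAP = 5          # assumed GEN I-style cap on outbound connections per window
WINDOW_SECONDS = 3600     # assumed length of the sliding window


@dataclass
class Flow:
    ts: int      # connection start, epoch seconds
    src: str
    dst: str
    dport: int


def classify(flow):
    """Which side of the flow is the decoy decides what the flow means."""
    if flow.src in HONEYPOTS and flow.dst not in HONEYPOTS:
        return "outbound"     # honeypot initiated traffic: most likely compromised
    if flow.dst in HONEYPOTS:
        return "inbound"      # something talked to a decoy: probe, scan or attack
    return "production"       # neither side is a decoy: not the honeypot's business


def data_control(flows, cap=OUTBOUND_CAP, window=WINDOW_SECONDS):
    """Return [(flow, kind, action)] with action in {"pass", "alert", "block"}.

    Inbound flows are always allowed (they are the data we want) but alerted on.
    Outbound flows from a honeypot are alerted on and allowed up to `cap` per
    sliding window per honeypot, so the intruder still sees a working network;
    anything beyond the cap is blocked to protect non-Honeynet systems.
    """
    decisions = []
    allowed_out = defaultdict(list)   # honeypot -> timestamps of allowed outbound flows
    for f in sorted(flows, key=lambda x: x.ts):
        kind = classify(f)
        if kind == "production":
            decisions.append((f, kind, "pass"))
        elif kind == "inbound":
            decisions.append((f, kind, "alert"))
        else:
            recent = [t for t in allowed_out[f.src] if f.ts - t < window]
            if len(recent) < cap:
                recent.append(f.ts)
                decisions.append((f, kind, "alert"))
            else:
                decisions.append((f, kind, "block"))
            allowed_out[f.src] = recent
    return decisions


def summarize(decisions):
    """Count decisions by (kind, action)."""
    counts = defaultdict(int)
    for _, kind, action in decisions:
        counts[(kind, action)] += 1
    return dict(counts)


# Constructed sample: one production flow, three scans of the decoys, then a
# compromised decoy opening seven outbound connections within seconds and one
# more about an hour later (which falls outside the window and is allowed again).
SAMPLE_FLOWS = (
    [Flow(1000, "10.0.1.20", "10.0.1.30", 443)]
    + [Flow(1010 + i, "198.51.100.7", hp, p) for i, (hp, p) in
       enumerate([("10.0.5.10", 22), ("10.0.5.10", 80), ("10.0.5.11", 22)])]
    + [Flow(2000 + i, "10.0.5.10", "203.0.113.5", 6667) for i in range(7)]
    + [Flow(5700, "10.0.5.10", "203.0.113.9", 80)]
)

if __name__ == "__main__":
    for f, kind, action in data_control(SAMPLE_FLOWS):
        print(f"{f.ts:>5} {f.src:>14} -> {f.dst:>14}:{f.dport:<5} {kind:<10} {action}")
    print(summarize(data_control(SAMPLE_FLOWS)))
```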
2. Virtual Honeynets

Virtual Honeynets are a relatively new field for Honeynets. The concept is to run an entire Honeynet virtually on a single physical system. The purpose is to make Honeynets a cheaper solution that is easier to manage: instead of investing in large amounts of hardware, all of the hardware requirements are combined onto a single system. Virtual Honeynets do not represent a specific architecture; they can support either GenI or GenII technologies. Instead, virtual Honeynets are one option for deploying these architectures.

HoneyC

HoneyC is an example of a client honeypot, one that initiates connections to servers with the aim of finding malicious servers on a network. It identifies malicious web servers by using emulated clients that are able to solicit from a server the type of response needed to analyze malicious content.
Official Website: https://projects.honeynet.org/honeyc/

Honeyd

Honeyd is an open source framework for setting up virtual honeypots with different services on one machine, fooling network fingerprinting tools and simulating real operating systems.
Official Website: www.honeyd.org/
Deploying Honeypots with Honeyd: http://ulissesaraujo.wordpress.com/2008/12/08/deploying-honeypots-with-honeyd/
Honeypot/honeyd getting started: http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/
Honeyd – A low involvement Honeypot in Action: http://security.rbaumann.net/download/honeyd.pdf

Honeywall

Honeywall is a bootable CD-ROM that comes with a set of tools and functionality for implementing GenII data capture, data control and analysis features.
Install and configure Honeywall: http://doc.emergingthreats.net/pub/Main/HoneywallSamples/InstallAndConfigureHoneywall.pdf

DTK

The Deception Toolkit was the first open source honeypot, released in 1997. It is a collection of Perl scripts and C source code that emulates a variety of listening services. Its primary purpose is to deceive human attackers.
The Deception Toolkit Home Page: http://all.net/dtk/index.html

Honeytrap

Honeytrap is a low-interaction honeypot developed to observe attacks against network services. It helps administrators collect information about known or unknown network-based attacks.
Official Website: http://honeytrap.carnivore.it/

Resources:

Honeypots, Tracking Hackers: http://www.tracking-hackers.com/papers/
Les HoneyPots, by François ROPERT: http://www.authsecu.com/honeypots-honeynet/honeypots-honeynet.php#Les_menaces
CERT Advisory CA-2001-18, Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP): http://www.cert.org/advisories/CA-2001-18.html
Honeypots: Tracking Hackers, by Lance Spitzner. ISBN: 0-321-10895-7.
Honeypots for Windows, by Roger A. Grimes. ISBN: 1590593359.
Virtual Honeypots: From Botnet Tracking to Intrusion Detection, by Niels Provos and Thorsten Holz. ISBN: 0-321-33632-1.
White Paper: Honeypots, by Reto Baumann (http://www.rbaumann.net) and Christian Plattner (http://www.christianplattner.net).
Know Your Enemy: Honeynets: http://www.symantec.com/connect/articles/know-your-enemy-honeynets
Virtual Honeynet, Deploying Honeywall using VMware: http://www.honeynet.pk/honeywall/roo/index.htm
Table of Contents

Honeypot
  1. Definitions of Honeypots
  2. Types of Honeypots
     • Production/Research Honeypots
     • Low/High Interactivity
     • Hybrid honeypots
  3. Advantages of Honeypots
     • Simplicity and high flexibility
     • Data Value
     • Minimal resources
     • Capture the new tools and attacks
     • Return on Investment
  4. Disadvantages of Honeypots
     • Narrow Field of View
     • Fingerprinting
     • Risk
Honeynets
  1. How Honeynets Work
  2. Virtual Honeynets
HoneyC
Honeyd
Honeywall
DTK
Honeytrap
Resources