Introduction to Honeypots

Edgis Sharing Session – Introduction to Honeypots
at Whitehat Society, Singapore Management University
September 2012

at Computing Society, Royal Holloway, University of London
February 2013


  1. Introduction to Honeypots. Emil Tan, Team Lead and Co-Founder, Edgis (http://edgis-security.org, @EdgisSecurity); Research Guide, http://honeynet.sg.
  2. The Honeynet Project. The Honeynet Project is a leading international 501(c)(3) non-profit security research organisation dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. Founded in 1999, the Honeynet Project has contributed to the fight against malware and malicious hacking attacks and counts leading security professionals among its members and alumni. Websites: http://www.honeynet.org/ and http://www.honeynet.sg
  3. Agenda.
     • What is a honeypot.
     • What types of honeypot are there.
     • Introduction to honeypot tools.
     • How to deploy them.
     • Deployment considerations.
     • Operational considerations.
     • Governance considerations.
     • Legal considerations.
  4. What is a honeypot.
     • An information system resource that has no production value.
     • Its value lies in unauthorised or illicit use of that resource.
     • Its value lies in being probed, attacked, or compromised. -- Spitzner
     • Intelligence gathering: analyse trends and behaviours; know your enemy.
     • Decoy / bait.
  5. Types of honeypot.
     • High interaction: an actual machine; rich content; real (not emulated) shells and fully replicated services, so the attacker can do whatever the real system allows and the honeypot must be contained.
     • Low interaction: a program; emulates specific services; limited interactivity, so an attacker cannot get further than the emulation goes.
     • Honeytoken.
     • Hybrid.
  6. Honeypot tools.
     • High interaction:
       • De facto security tools (NIDS, HIDS, etc.).
       • In-depth data capture tools (Sebek, Qebek, Capture-HPC).
       • Egress traffic control (Snort Inline, iptables).
       • Perimeter: Honeywall (Roo).
       • Web application: Glastopf.
       • SSL proxy and traffic analyser: HoneyProxy.
       • USB malware: Ghost USB.
     • Low interaction:
       • De facto low-interaction honeypot: Honeyd.
       • Common ports: Tiny Honeypot.
       • Malware: Dionaea (… Honeytrap?).
       • Web application: Glastopf.
       • USB malware: Ghost USB.
       • SSH: Kippo, Kojoney.
       • Blacklisting: Honeyports.
  7. Kojoney.
     • Low-interaction SSH honeypot.
     • Emulates the SSH service.
  8. Kojoney Logs.
  9. Kojoney Reports.
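The log and report slides above were screenshots. As an added example (not from the slides and not Kojoney's own code), here is a small Python report generator run over constructed SSH honeypot log lines in an assumed Kojoney-like format; the line format, the sample data and the function names are assumptions of this example. It produces the kind of summary a honeypot report is for: attempts per day, the most active sources, and the credentials attackers try most, which is the "analyse trends and behaviours" point of slide 4 made concrete.

```python
"""Summarise SSH honeypot login attempts (added example, assumed log format)."""
import re
from collections import Counter

# Constructed sample log lines. The format below is an assumption made for
# this example, not Kojoney's actual on-disk format. Addresses are RFC 5737
# documentation ranges. One line is deliberately malformed to show that a
# parser over attacker-influenced logs must skip what it cannot parse.
SAMPLE_LOG = """\
2012-09-10 03:12:44 [198.51.100.7] login attempt [root/123456] failed
2012-09-10 03:12:45 [198.51.100.7] login attempt [root/password] failed
2012-09-10 03:12:46 [198.51.100.7] login attempt [admin/admin] failed
2012-09-10 11:40:02 [203.0.113.9] login attempt [root/123456] failed
2012-09-11 00:05:19 [203.0.113.9] login attempt [oracle/oracle] failed
garbage line that should be ignored
2012-09-11 08:22:01 [192.0.2.33] login attempt [test/test] failed
"""

# User names may not contain '/' or ']'; passwords may contain '/' but not ']'
# (a ']' in a password would be cut short by this regex; a real parser would
# want a log format with proper escaping).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<src>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, top=3):
    """Aggregate parsed events into the figures a honeypot report leads with."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "events": len(events),
        "sources": Counter(e["src"] for e in events).most_common(top),
        "credentials": Counter((e["user"], e["password"]) for e in events).most_common(top),
        "per_day": sorted(Counter(e["date"] for e in events).items()),
    }


def render_report(summary):
    """Plain-text rendering of summarize()'s output."""
    out = ["%d login attempts" % summary["events"], "Top sources:"]
    out += ["  %-16s %d" % (src, n) for src, n in summary["sources"]]
    out.append("Top credentials:")
    out += ["  %-24s %d" % ("%s/%s" % cred, n) for cred, n in summary["credentials"]]
    out.append("Attempts per day:")
    out += ["  %s %d" % day_count for day_count in summary["per_day"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_LOG.splitlines())))
```

Feed it a real log with `summarize(open(path))` once the regex is adjusted to the tool's actual format; the credential counter is the part worth keeping, since the same user/password pairs recur across unrelated sources and are the cheapest indicator of which scanning kit is hitting you.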
  10. Tiny Honeypot.
     • Written by George Bakos (alpinista.org).
     • Low-interaction honeypot.
     • Based on iptables and an xinetd listener.
     • Emulates well-known services: HTTP, FTP.
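To make "emulates a service with limited interactivity" concrete, the following Python script is an added example (not Tiny Honeypot's code and not from the slides) of a low-interaction FTP emulation: it speaks just enough of the RFC 959 dialogue to collect a login attempt, answers everything else with an error, and caps how many commands a client may send. The decoy banner, the record format, the command cap and the `FtpHoneypot` / `probe` names are assumptions of this example. Tiny Honeypot gets its connections through iptables redirection into xinetd; this example simply listens on a loopback port so it can be run stand-alone.

```python
"""Minimal low-interaction FTP honeypot (added example, assumed design)."""
import socket
import threading
from datetime import datetime, timezone

# Assumed decoy banner: the only thing a scanner sees before it starts guessing.
BANNER = b"220 ProFTPD 1.3.3 Server ready.\r\n"


class FtpHoneypot:
    def __init__(self, host="127.0.0.1", port=0, max_commands=20):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0 = let the OS pick (handy for tests)
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.max_commands = max_commands    # low interaction: never a free conversation
        self.records = []                   # one dict per captured login attempt
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        user = None
        conn.settimeout(10)                 # do not let idle scanners pin a thread
        try:
            conn.sendall(BANNER)
            f = conn.makefile("rb")
            for _ in range(self.max_commands):
                line = f.readline()
                if not line:
                    break
                cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                    conn.sendall(b"331 Password required.\r\n")
                elif cmd == "PASS":
                    self._record(peer, user, arg)     # the data we are here for
                    conn.sendall(b"530 Login incorrect.\r\n")   # always refuse
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"500 Unknown command.\r\n")   # nothing else is emulated
            else:
                conn.sendall(b"421 Too many commands, closing.\r\n")
        except OSError:
            pass
        finally:
            conn.close()

    def _record(self, peer, user, password):
        rec = {"time": datetime.now(timezone.utc).isoformat(), "src": peer[0],
               "user": user, "password": password}
        with self._lock:
            self.records.append(rec)


def probe(port, user, password):
    """Behave like a credential scanner: one login attempt, then QUIT. Returns the replies."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        f = s.makefile("rb")
        replies = [f.readline()]
        for msg in (b"USER " + user.encode() + b"\r\n",
                    b"PASS " + password.encode() + b"\r\n",
                    b"QUIT\r\n"):
            s.sendall(msg)
            replies.append(f.readline())
    return [r.decode().rstrip("\r\n") for r in replies]


if __name__ == "__main__":
    hp = FtpHoneypot()
    hp.start()
    print(probe(hp.port, "root", "toor"))
    print(hp.records)
    hp.stop()
```

The two design points are the ones the slide set keeps returning to: the emulation stops exactly where the fake service stops (no file system, no data channel, no successful login), and every connection is bounded in time and in command count, so a low-interaction honeypot can sit on an exposed port without itself becoming a foothold.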
  11. Honeytrap.
     • Written by Tillmann Werner.
     • Low-interaction malware collection honeypot.
     • Reacts dynamically to incoming traffic, picked up via:
       • a pcap-based sniffer
       • the ip_queue interface
  12. Deployment & Considerations. Each of these comes back to one question: what do you want from your honeypots?
     • High or low interaction.
     • Honeypot tools.
     • Placed in internal or external networks.
     • Configuration of your honeypots.
     • Physical or virtual environment.
     • Costs and maintenance.
     • Dynamics / programmability, and the nature of the dynamics.
     • Level of vulnerability.
     • Legal considerations.
     • More considerations: roles and responsibilities.
