ForensicHP
Presentation Transcript

  • Honeypot Research and Decision, presented by John Tran and Poh Duong
  • Tools and methods
    • Production honeypots
      • HoneyD
      • BackOfficer Friendly
      • Bubblegum
      • Decoy server
      • Specter
      • Smoke detector
    • Research honeypots
      • Bait n switch
      • Sebek
      • Honeywall
      • Sombria
  • Risk
    • Low-interaction honeypots: many of them do nothing to secure the host system itself
    • An insecure Windows host can mean the honeypot itself gets compromised
    • Once compromised, it can be used to roam the network looking for confidential information, or even to modify the data found on those systems
  • Collecting evidence
    • Specter
      • Able to leave hidden marks on an intruder's computer
    • KFSensor and BackOfficer Friendly
      • Able to record which ports the intruder came in on and details of the intruder's computer
    • All these small things can be used as evidence in a court of law
  • Benefits/disadvantages of these tools
    • Advantages
      • Data Value - Collect little data of high value
      • Resources – Generally has no resource exhaustion problems as it doesn’t have to capture a lot of activity
      • Simplicity – No fancy algorithm to develop, no signature databases to maintain, no rule base to misconfigure
      • Return on Investment – Honeypots are able to demonstrate their value whenever they are attacked
    • Disadvantages
      • Narrow field of view – honeypots only see the activities that are directed at them
      • Fingerprinting – When an attacker can identify a honeypot by certain characteristics or behaviors
      • Risk – Once the honeypot is attacked it can be used to attack or infiltrate other systems
  • Recommendation
    • Specter
      • Low-interaction honeypot
      • Able to emulate 11 common servers
      • Able to put evidence on attackers' computers
      • Comprehensive log analyzer
        • Can help determine if it's an inside attack
      • No false alerts
        • No legitimate user will ever connect to the honeypot
      • Information about the identity of the attacker can be collected
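The "collecting evidence", "no false alerts" and "inside attack" points above can be turned into a small honeypot log triage routine. This is an added example, not code from the presentation or from Specter, KFSensor or any other tool it names; the log format (timestamp, source IP, source port, destination port, service), the internal address ranges and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample log in an assumed honeypot format (not any real tool's format):
# <timestamp> <src_ip> <src_port> <dst_port> <emulated_service>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.45 51234 22 ssh
2024-03-01T10:00:07Z 203.0.113.45 51235 23 telnet
2024-03-01T10:02:15Z 10.0.5.17 40022 445 smb
2024-03-01T10:05:30Z 198.51.100.9 33001 80 http
"""

# Assumed internal ranges; a source inside them points to an inside attack
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    dst_port: int
    service: str
    internal_source: bool


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def alerts_from_log(text: str) -> list:
    # Every connection is an alert: no legitimate user should ever reach the honeypot,
    # so there is no need for signatures or rules, only for recording the facts.
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dport, svc = line.split()
        alerts.append(Alert(ts, src, int(dport), svc, is_internal(src)))
    return alerts


def summarize(alerts: list) -> dict:
    # Which sources touched which emulated ports, and which came from inside
    return {
        "total": len(alerts),
        "sources": Counter(a.src_ip for a in alerts),
        "ports": Counter(a.dst_port for a in alerts),
        "internal_sources": sorted({a.src_ip for a in alerts if a.internal_source}),
    }


def evidence_lines(alerts: list) -> list:
    # One timestamped record per contact, suitable for an incident report
    return [f"{a.timestamp} {a.src_ip} -> port {a.dst_port} ({a.service})"
            f"{' [INTERNAL SOURCE]' if a.internal_source else ''}" for a in alerts]
```

Feeding the constructed log through `alerts_from_log` and `summarize` flags 10.0.5.17 as an internal source and shows 203.0.113.45 probing two emulated services.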