Honeypots Jayant Kumar Gandhi - www.jkg.in Himanshu Bhatnagar Sachin Gajjar Sameek Banerjee Shashwat Agrawal http://www.jkg.in/eel702/presentation.ppt

Agenda Motivation Definition Advantages/ Disadvantages Types

Motivation

Definition

Advantages/ Disadvantages

Types

Motivation Key to effective intrusion detection is information Learn more about past attacks Detect currently occurring attacks Identify new types of attacks Do all this in real time

Key to effective intrusion detection is information

Learn more about past attacks

Detect currently occurring attacks

Identify new types of attacks

Do all this in real time

Definition “ Any security resource who’s value lies in being probed, attacked, or compromised” – L. Spitzner, Honeypots: Tracking Hackers , ISBN 0-321-10895-7

“ Any security resource who’s value lies in being probed, attacked, or compromised” – L. Spitzner, Honeypots: Tracking Hackers , ISBN 0-321-10895-7

How honeypots work A resource that expects no data, so any traffic to or from it is most likely unauthorized activity

A resource that expects no data, so any traffic to or from it is most likely unauthorized activity

Advantages Reduce false positives and false negatives Data value Resources Simplicity

Reduce false positives and false negatives

Data value

Resources

Simplicity

Disadvantages Narrow Field of View Fingerprinting Risk

Narrow Field of View

Fingerprinting

Risk

Types Production (Law enforcement) Research (Counter-intelligence)

Production (Law enforcement)

Research (Counter-intelligence)

Production Honeypots Prevention Detection Response

Prevention

Detection

Response

Research Honeypots Early warning and prediction Discover new tools and tactics Understanding motives, behavior and organization Develop analysis and forensic skills

Early warning and prediction

Discover new tools and tactics

Understanding motives, behavior and organization

Develop analysis and forensic skills

Level of Interaction Level of interaction determines the amount of functionality a honeypot provides Low Interaction Less learning, complexity and risk High Interaction High learning, complexity and risk

Level of interaction determines the amount of functionality a honeypot provides

Low Interaction

Less learning, complexity and risk

High Interaction

High learning, complexity and risk

Risk Attacker can compromise your honeypot to harm, attack or infiltrate other systems and organizations

Attacker can compromise your honeypot to harm, attack or infiltrate other systems and organizations

Low Interaction Provide emulated services No operating system to access Information limited to transactional information and attackers activities with the emulated services

Provide emulated services

No operating system to access

Information limited to transactional information and attackers activities with the emulated services

High Interaction Provides actual Operating Systems Learn extensive amount of information Extensive risk

Provides actual Operating Systems

Learn extensive amount of information

Extensive risk

Honeyd Low-interaction honeypot Runs on a single computer Simulates a group of virtual machines Simulates the physical network between them Simulates only the network stack of each machine Intended primarily to fool fingerprinting tools

Low-interaction honeypot

Runs on a single computer

Simulates a group of virtual machines

Simulates the physical network between them

Simulates only the network stack of each machine

Intended primarily to fool fingerprinting tools

Honeyd Fingerprinting Attackers often try to learn more about a system before attacking it Can determine a machine’s operating system by “testing” its network behavior How the initial TCP sequence number is created Response packets for open and closed ports Configuration of packet headers Common fingerprinting tools: Nmap, Xprobe

Fingerprinting

Attackers often try to learn more about a system before attacking it

Can determine a machine’s operating system by “testing” its network behavior

How the initial TCP sequence number is created

Response packets for open and closed ports

Configuration of packet headers

Common fingerprinting tools: Nmap, Xprobe

Honeynets High-interaction honeypots Network of real machines (honeypots) Honeywall – a gateway between honeypots and rest of the world

High-interaction honeypots

Network of real machines (honeypots)

Honeywall – a gateway between honeypots and rest of the world

Legal issues Privacy Entrapment Liability

Privacy

Entrapment

Liability

Legal Mumbo Jumbo Design template is Copyright © 2006 Jayant Kumar Gandhi (www.jkg.in) Clip art is Copyright © 2006 Microsoft Corporation All trademarks, registered trademarks are acknowledged and are property of their respective owners

Design template is Copyright © 2006 Jayant Kumar Gandhi (www.jkg.in)

Clip art is Copyright © 2006 Microsoft Corporation

All trademarks, registered trademarks are acknowledged and are property of their respective owners

Bibliography Robert Graham, Network intrusion detection systems, 2000. http://www.robertgraham.com/pubs/network-intrusion-detection.html David Klug, Honeypots and intrusion detection. http://www.sans.org./infosecFAQ/intrusion/honeypots.htm Christian Plattner Reto Baumann, White paper: Honeypots. http://www.rbaumann.net,http://www.christianplattner.net Lance Spitzner, Honeypots: Tracking hackers ISBN: 0-321-10895-7 Lance Spitzner, Intrusion detection, 2000. http://www.enteract.com/lspitz/ids.html Lance Spitzner, Know your enemy: I, ii and iii, 2000 http://www.project.honeynet.org/papers

Robert Graham, Network intrusion detection systems, 2000. http://www.robertgraham.com/pubs/network-intrusion-detection.html

David Klug, Honeypots and intrusion detection. http://www.sans.org./infosecFAQ/intrusion/honeypots.htm

Christian Plattner Reto Baumann, White paper: Honeypots. http://www.rbaumann.net,http://www.christianplattner.net

Lance Spitzner, Honeypots: Tracking hackers ISBN: 0-321-10895-7

Lance Spitzner, Intrusion detection, 2000. http://www.enteract.com/lspitz/ids.html

Lance Spitzner, Know your enemy: I, ii and iii, 2000 http://www.project.honeynet.org/papers

Questions?

http://www.jkg.in/contact-me/ Uploaded on SlideShare.net for the public.