An Introduction to Honeypots J. Scott Christianson
J. Scott Christianson
Worked for a consortium of schools for eight years
Own and operate Kaleidoscope Consulting
M.A., Educational Technology, The George Washington University.
Cisco CNA 1.0, 2.0
NACSE Senior Network Specialist
Network +, etc.
What is a Honeypot?
Types of Honeypots
“ A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.”
“Intrusion Deception Systems”
Discover new attacks
Understand the blackhat community and their attacks
Build some better defenses against security threats
Detect internal threats: “Policy/Law Enforcement”
Security Assessment (Constantly monitors the average security provided by the network)
Since Honeypots are not normally used by the organization, they will only be accessed by “intruders”
Honeypots collect very little data, and what they do collect is normally of high value.
Honeypots all share one huge drawback: they are worthless if no one attacks them.
Honeypots can introduce risk to your environment.
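The bullets above say that honeypot data is scarce but high-value, and that one use is catching internal threats. The following is an added example (not from the slides) of how an analyst might triage the records a honeypot sensor writes: it parses constructed JSON-lines events, groups them by source, and raises the priority of any source inside the organisation's own address space, since an internal host has no business touching a honeypot. The internal ranges, the sample events, and the JSON field names are all assumptions made for the example.

```python
"""Triage of honeypot event records (added example, not from the slides).

No legitimate user has a reason to connect to a honeypot, so every record is
worth a look. This groups events by source, separates bare probes from
sessions where the attacker actually sent data, and flags sources inside the
organisation's own address space as a possible insider or compromised host.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line, as a sensor might log them.
SAMPLE_LOG = """\
{"ts": 1700000000, "src_ip": "203.0.113.9", "dst_port": 22, "payload": ""}
{"ts": 1700000005, "src_ip": "203.0.113.9", "dst_port": 21, "payload": "USER admin"}
{"ts": 1700000030, "src_ip": "10.20.5.17", "dst_port": 445, "payload": ""}
{"ts": 1700000031, "src_ip": "10.20.5.17", "dst_port": 139, "payload": ""}
{"ts": 1700000032, "src_ip": "10.20.5.17", "dst_port": 22, "payload": "SSH-2.0-libssh"}
"""

# Hypothetical internal address space of the organisation running the honeypot.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_events(text):
    """Parse JSON-lines; a corrupted line is skipped rather than aborting triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_internal(ip):
    """True if the address falls inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def priority(internal, interactions):
    """Internal sources outrank everything; among external ones, data sent outranks a bare probe."""
    if internal:
        return "high"
    return "medium" if interactions else "low"


def summarize(events):
    """Collapse events into one row per source, highest priority first."""
    by_src = defaultdict(lambda: {"ports": set(), "probes": 0, "interactions": 0,
                                  "first": None, "last": None})
    for ev in events:
        s = by_src[ev["src_ip"]]
        s["ports"].add(ev["dst_port"])
        if ev.get("payload"):
            s["interactions"] += 1      # attacker engaged with the fake service
        else:
            s["probes"] += 1            # connect-and-leave, typical of a scan
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])

    report = []
    for ip, s in by_src.items():
        internal = is_internal(ip)
        report.append({
            "src_ip": ip,
            "internal": internal,
            "ports": sorted(s["ports"]),
            "probes": s["probes"],
            "interactions": s["interactions"],
            "duration_s": s["last"] - s["first"],
            "priority": priority(internal, s["interactions"]),
        })
    # Internal sources first, then the most interactive external ones.
    return sorted(report, key=lambda r: (not r["internal"], -r["interactions"], r["src_ip"]))


if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE_LOG)):
        print(json.dumps(row))
```

Because the honeypot sees so little traffic, the summary is short enough to read in full; the point of the priority field is only to make sure the internal source is the first line an analyst reads.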
Types of Honeypots
Honeypots are classified by the degree to which an attacker can interact with the operating system.
The more an attacker can interact with a honeypot, the more information we can potentially gain from it, but the more risk it usually carries.
A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc.).
A honeypot can be an unpatched server. For example, an IIS server with the default install.
Use a firewall to protect the outside world
Hogwash (Snort based IP scrubber) http://hogwash.sourceforge.net/
Low/Mid Interaction Honeypot
Runs on Microsoft OSs
Specter can emulate one of 13 different operating systems.
As of Version 6.02, the IP stack is not emulated so IP fingerprinting tools are not fooled.
Custom fake password files and custom HTTP content.
Pricing: full version $899, Lite $599
VMware ($299 from vmware.com)
Host operating system is hardened
Guest Operating Systems are the Honeypots (unpatched OSs)
http://project.honeynet.org
An extension of a Honeypot
Network topology provides many advantages over a standard honeypot
More points of attack for a blackhatter
Looks realistic from the outside
Issues Raised: Privacy
Electronic Communication Privacy Act (18 USC 2701-11)
Federal Wiretap Statute (Title III, 18 USC 2510-22)
The Pen/Trap Statute (18 USC § 3121-27)
Issues Raised: Entrapment
Used only by defendant to avoid conviction
Cannot be held criminally liable for ‘entrapment’
Applies only to law enforcement
Even then, most legal authorities consider Honeynets non-entrapment
Issues Raised: Liability
You may be liable if your Honeynet system is used to attack or damage other non-Honeynet systems.