1. Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks
2. Overview
• Motivation
• What are Honeypots?
– Gen I and Gen II
• The GeorgiaTech Honeynet System
– Hardware/Software
– IDS
– Logging and review
• Some detected Exploitations
– Worm exploits
– Saga of the Warez Exploit
• Words of Wisdom
• Conclusions
6. Properties
• Captures all inbound/outbound data
• Standard production systems
• Intended to be compromised
• Data Capture
– Stealth capturing
– Storage location – away from the honeynet
• Data control
– Protect the network from honeynets
7. Two types
• Gen I
– Good for simpler attacks
– Unsophisticated targets
– Limited Data Control
• Gen II
– Sophisticated Data Control: Stealth Fire-walling
• Gen I chosen
9. GATech Honeynet System
• Huge network
• 4 TB data processing/day
• Configuration
– Sub-standard systems
– Open Source Software
– Simple Firewall Data Control
14. Detecting Worm Exploits
• Honeynet traffic is suspicious
• Heuristic for worm detection: frequent port scans
• Specific OS-vulnerability monitoring possible
• Captured traffic helps signature development
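A worked version of the port-scan heuristic on this slide, added here as an example (not code from the Georgia Tech honeynet project); the log line format, the window size and the target threshold are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not the GATech honeynet's
# real format): "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    """Return (ts, src, dst, port), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_scanners(lines, window_seconds=60, min_targets=4):
    """Map each source touching >= min_targets distinct dst:port pairs inside
    any window_seconds sliding window to its peak target count. Every inbound
    hit on a honeynet is suspicious; this isolates worm-like sweeps and scans."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, port))
    flagged = {}
    for ts, src, dst, port in events:
        q = recent[src]
        q.append((ts, (dst, port)))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q[0][0] < cutoff:   # drop hits older than the window
            q.popleft()
        n = len({t for _, t in q})
        if n >= min_targets:
            flagged[src] = max(flagged.get(src, 0), n)
    return flagged

# Constructed sample: a port-80 sweep, a vertical port scan, a slow source, junk.
SAMPLE_LOG = [
    "2003-03-10T02:00:01 10.9.8.7 -> 172.16.5.20:80",
    "2003-03-10T02:00:02 10.9.8.7 -> 172.16.5.21:80",
    "2003-03-10T02:00:02 10.9.8.7 -> 172.16.5.22:80",
    "2003-03-10T02:00:03 10.9.8.7 -> 172.16.5.23:80",
    "2003-03-10T02:05:00 192.0.2.44 -> 172.16.5.20:21",
    "2003-03-10T02:05:00 192.0.2.44 -> 172.16.5.20:22",
    "2003-03-10T02:05:01 192.0.2.44 -> 172.16.5.20:23",
    "2003-03-10T02:05:01 192.0.2.44 -> 172.16.5.20:80",
    "2003-03-10T02:10:00 198.51.100.9 -> 172.16.5.22:445",
    "2003-03-10T02:20:00 198.51.100.9 -> 172.16.5.23:445",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))   # {'10.9.8.7': 4, '192.0.2.44': 4}
```

The slow source is not flagged because its two hits fall outside one 60-second window; widening the window catches it, which is the usual tuning trade-off between slow scanners and false positives.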
15. Saga of the Warez Hacker
• Helped locate a compromised host
– Diagram: Honeynet → IIS exploit → Warez server + backdoor
• Very difficult to detect otherwise!
16. Words of Wisdom
• Start small
• Good relationships help
• Focus on Internal attacks
• Don’t advertise
• Be prepared to spend time
17. Conclusion
• Helped locate compromised systems
• Can boost IDS research
– Data capture
• Distributed Honeynets?
• Hunting down Honeypots
– http://www.send-safe.com/honeypot-hunter.php
18. Discussion
• The usefulness of the extra layer?
• Dynamic HoneyNets
• Comparison with IDS: are these a replacement or complementary?
19. IDS vs HoneyNet
• IDS – primary function is detection and alerting
• Honeynets – use IDS to detect and alert
– but nothing is done to control the threat
– Primary intent is to log and capture effects and activities of the threat
Honeynets do not protect the network – they have protection as a benefit, not intent