It tells about honeypots used for data collection

1. Honeypots, bots
and Incidence
Response

2. What is Honeypot?
2
Betty Pack aka Amy Elizabeth : Honeypot
for MI 6
From the world of espionage
It is using a romantic relationship, like
Mata Hari-style spies, as a way to
steal secrets and are described as
setting a ‘honey trap’ or ‘honeypot’.
Often, a person is compromised by a
honey trap and then forced to hand
over everything he/she knows.

3. What is Honeytraps?
3

4. What is Honeypot?
4
From the computer Security World
A decoy system/ sacrificial computer system which
attracts attackers to gather information about their
actions. Baiting a trap for hackers.
Mimics a target for hackers, and uses their intrusion
attempts to gain information about cybercriminals and
the way they are operating or to distract them from
other targets.
As a monitoring system, it is used to identify potential
attacks, threats, vulnerabilities, techniques, and tools.

5. 5
PHYSICAL ARENA
(RESIDENT AGENTS)
Increased Role of Front Offices
Reduced Physical Contact after recruitment
Information passed online to Reduce Risk
Honey Traps
VIRTUAL ARENA
Dating Sites : Location for Talent Spotting
Social Media : A Recruiting Zone
VoIP Calls : Tool for Eliciting Information
E-mails : To Infect Computers
E Banking : For Virtual Remuneration
THREAT VECTORS
Social Media Messenger Service SIM Boxs E-Mails
FaceBook, Tinder,
Instagram
Whatsapp, Facebook-
Messenger
VoIP Calls Infect Computers
(Q-Whisper/ Trust-X/ OTR.To)
& steal info
Changing face of espionage

6. What is Honeynet?
6
Network of high interaction
honeypots
An architecture and not a
product
Provides real systems,
applications and services for
attackers to interact with.
Source : www.honeynet.org

7. A simplified illustrative example of a network containing a honeynet. 7

8. What Honeypot Do?
8
•Assess the latest trends in attacks
•Understand where cyber attacks arise, and
•Better frame security policies to mitigate future risks.

9. Categories of Honeypots
2

10. 10
Classification
By Implementation
By Purpose
By level of interaction

11. By Level of Interaction
Low Level Interaction
Simulated systems that
limits activities to be
performed
Does not allow the
capturing or
identification of new
exploits such as zero-
day attacks
Can be detected easily
by advanced or skilled
attackers.
Middle Level Interaction
provide more services
than low-interaction but
lesser services than
high-interaction systems
High Level Interaction
Provide enough services for
attackers to exploit
compared to low-interaction
honeypots
Not emulated systems like
low-interaction honey-pots.
Challenge is that these
systems can be used to
exploit other systems in the
network.
11

12. Research
High-interaction honeypot
Used for research the threats to
org & can be used to caution and
forecast future attacks and
exploits
Captures extensive information
Complex to deploy and maintain 12
Production
Low Interaction
Mitigates risks to org
Captures limited information
Simple to use

13. Implementation
Physical
Physical Machines
IP Address
High Interactive
High Maintenance Cost
Virtual
Virtual.
May simulate more
virtual honeypots at the
same time
e.g. Honeyd
Low Cost
13

14. How Honeypots Works?
Looks like a real computer system, with applications and data, fooling
cybercriminals into thinking it's a legitimate target.
Made attractive to attackers by building in deliberate security vulnerabilities. For
instance, a honeypot might have ports that respond to a port scan or weak
passwords.
14

15. Different Types used to identify
different types of threats
⬢ Email Honeypots
⬢ Decoy Database Honeypots
⬢ Malware Honeypots
⬢ Spider Honeypots
15

16. Benefits
• Distracts cybercriminals from targeting legitimate systems.
• Gives greater visibility of attacks as they’re happening.
• Monitors an attacker’s behaviors and detect zero-day
vulnerabilities.
• Puts the organization’s incident response capabilities to the test.
• Helps to improve your organization’s overall security
16
What Is a Honeypot in Network Security? Definition, Types & Uses - InfoSec Insights
(sectigostore.com)

17. Framework for response
⬢ The framework designed should comply with ISO/IEC 27043 and aimed
at detecting security incidents and collecting potential digital evidence
using honeypot technology.
⬢ Should be also aimed at minimizing digital forensic investigation
cost, maximizing the potential use of digital evidence gathered,
preserving, and improving information security
⬢ Should enhance the existing forensic readiness procedures for
devices as well as also enables the introduction of new forensic
technologies by organizations when adopted.
17

18. ISO/IEC 27043:2015
Information Technology : Security Techniques – Incident
Investigation Principles & Processes
⬢ Last reviewed and confirmed in 2020
⬢ Provides guidelines based on idealised models for common
incident investigatio rpocess across various incident investigation
scenarios involving digital evidence
⬢ Also describes processes and principles applicable to various
kinds of investigation including unauthorised access, data
corruption, system crash etc
18

19. 19
A digital forensic readiness framework must for security threats and
challenges.
Implementation of such framework significantly improve information
security and provide reliable digital evidence for forensic investigation.
The framework must incorporate High and low interaction honeypots to
detect security incidents and collect digital evidence.
The framework should enable organizations to embed digital forensic
readiness.
Should be cost effective but also provide a trusted platform for
employees in the organization.
Digital Forensic Framework

20. Recommended Honeypots
and Honeynets
Low : Dionaea, HoneyDroid, Cowrie, Glastopf, BOF, DTK,
HoneyBot, GHH, Thug
High : Argos, Sebek, HoneySpider
2

21. Argos
21
Argos is a full and secure system emulator designed for
use in honeypots. It is based on Qemu, an open source
emulator that uses dynamic translation to achieve a fairly
good emulation speed.