Published in: Technology


  2. What Is a Honeypot?
     Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”
     Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
  4. Basic Honeypot design
  5. Technicalities
     Research - Learning the tools and methods black-hats use helps IT security experts protect systems from future attacks.
     Protection - May lure attackers away from the real production systems.
     Detection - There shouldn’t be any network traffic on a honeypot, so all network traffic to it is considered hostile.
     Evidence - Once an attacker is identified, all evidence can be used legally.
  6. Benefit of Deploying Honeypots
     Attack analysis:
       • Find out the reasons and strategies: why and how you are attacked.
       • Binary and behavior analysis of captured malicious code.
     Evidence:
       • Once the attacker is identified, all data captured may be used in a legal procedure.
     Increased knowledge
  7. Benefit of Deploying Honeypots
     Risk mitigation:
       • Lure an attacker away from the real production systems (“easy target”).
     IDS-like functionality:
       • Since no legitimate traffic should take place to or from the honeypot, any traffic that does appear is hostile and can trigger further actions.
  8. Categories of Honeypots
     Production honeypots:
       • Easy to deploy and maintain
       • Inexpensive
       • Capture limited information
       • Used primarily by companies or corporations
     Research honeypots:
       • Very complex to deploy and maintain
       • Expensive
       • Capture extensive information: methods, keystrokes, tools, conversations
       • Used primarily by research, military, and government organizations
  9. Characteristics of a Honeypot
     • Decoy system - Poses as a legitimate system offering services over the internet.
     • Security vulnerabilities - Exposes security vulnerabilities to attract an attacker.
     • Closely monitored - Watched closely by an expert to study the methods black-hats use to probe, exploit, and compromise systems.
     • Deceptive - Looks and behaves just as any normal system would.
     • Well designed - A well designed honeypot means the black-hat never knew he was being watched.
  10. Classifications
     Low-interaction honeypot:
       • Only parts of applications and the OS are emulated by software
       • No “real” interaction
       • Easy to deploy and maintain
       • Limited logging
       • Can be easily detected by skilled hackers
     High-interaction honeypot:
       • Full access to the OS
       • Captures a substantial amount of information (actions, tools, behavior, origin, identity, etc.)
       • Extremely complex, time consuming, expensive
       • Very high level of risk
  11. Low Interaction Honeypot
     - Emulates certain services and applications
     - Identifies hostile IPs
     - Protects the internet side of the network
     - Low risk and easy to deploy/maintain, but captures limited information
  12. High Interaction Honeypot
     - Real services, applications, and OSs
     - Captures extensive information, but high risk and time intensive to maintain
     - Internal network protection
  13. Comparison
     Low-interaction: Solution emulates operating systems and services.
     High-interaction: No emulation; real operating systems and services are provided.

     Low-interaction: Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
     High-interaction: Can be complex to install or deploy (commercial versions tend to be much simpler).

     Low-interaction: Minimal risk, as the emulated services control what attackers can and cannot do.
     High-interaction: Increased risk, as attackers are provided real operating systems to interact with.

     Low-interaction: Captures limited amounts of information, mainly transactional data and some limited interaction.
     High-interaction: Can capture far more information, including new tools, communications, or attacker keystrokes.
  17. Advantages
     Small data sets of high value - Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day.
     New tools and tactics - Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
     Minimal resources - Honeypots require minimal resources; they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
     Encryption or IPv6 - Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.
     Information - Honeypots can collect in-depth information that few, if any, other technologies can match.
     Simplicity - Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.
     Protection - Honeypots can help protect an organization, including in response to an attack.
     Attack prevention - One way that honeypots can help defend against attacks is by slowing the attacker's scanning down, potentially even stopping it. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal PCs.
  18. Disadvantages
     • Limited view - Only captures activity directed at that system, not at other systems on the network.
     • High risk - Could be used as a jump-off point to attack other systems.
     • Labor / skill intensive - Requires a lot of time to deploy, maintain, and analyze.
     • Legal issues - If the honeypot is used to attack another system, it could put an entire company or organization in jeopardy.
  19. Conclusion!!!!
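The detection rule from slides 5, 7 and 11 (no legitimate traffic ever reaches a honeypot, so every connection to it identifies a hostile source) together with the jump-off risk from slide 18, as an added Python example that is not part of the original slides. The decoy address, the firewall-style log format and the log lines are all constructed for this example; the last log line is deliberately malformed to show that the parser skips rather than crashes on it.

```python
"""Honeypot traffic triage: any traffic to or from the decoy is an alert."""
import re
from collections import defaultdict

HONEYPOT_IP = "10.0.5.20"  # constructed decoy address
# Constructed firewall-style log lines; the last one is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z SRC=203.0.113.7 DST=10.0.5.20 PROTO=TCP DPT=22
2024-03-01T10:00:02Z SRC=203.0.113.7 DST=10.0.5.20 PROTO=TCP DPT=445
2024-03-01T10:00:03Z SRC=198.51.100.3 DST=10.0.5.10 PROTO=TCP DPT=443
2024-03-01T10:00:04Z SRC=203.0.113.7 DST=10.0.5.20 PROTO=TCP DPT=3389
2024-03-01T10:00:05Z SRC=192.0.2.44 DST=10.0.5.20 PROTO=UDP DPT=161
2024-03-01T10:00:06Z SRC=10.0.5.20 DST=198.51.100.9 PROTO=TCP DPT=80
garbage line that must be skipped, not crash the parser
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$")


def parse_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def triage(log_text, honeypot_ip=HONEYPOT_IP):
    """Return (inbound: src -> set of (proto, port), outbound: list of records)."""
    inbound, outbound = defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == honeypot_ip:        # nobody should talk to the decoy
            inbound[rec["src"]].add((rec["proto"], rec["dpt"]))
        elif rec["src"] == honeypot_ip:      # decoy reaching out = likely compromised
            outbound.append(rec)             # (being used as a jump-off host)
    return dict(inbound), outbound


def alerts(log_text, honeypot_ip=HONEYPOT_IP):
    """One alert line per hostile source, then one per outbound connection."""
    inbound, outbound = triage(log_text, honeypot_ip)
    lines = [f"HOSTILE {s}: probed {sorted(p)}" for s, p in sorted(inbound.items())]
    lines += [f"POSSIBLE COMPROMISE: decoy connected to {r['dst']}:{r['dpt']}"
              for r in outbound]
    return lines
```

Traffic between other hosts (such as the connection to the real 10.0.5.10 server in the sample) is deliberately ignored here; that is the job of the production IDS, not the honeypot.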