Overview
• Historical aspect
• Evolution of Honey Pots
• Concept of Honey Pots
• Why we use Honey Pots
• Definition of Honey Pots
• Types of Honey Pots
• Working of Honey Pots (using Snort)
• Level of Interaction
• Some of Honey Pots Tools
• Advantages
• Disadvantages
• Today's Honey Pots
• Future Honey Pots
• Any Queries
Historical aspect
• 1990/1991 - The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
• 2002 - dtspcd exploit capture
Evolution of Honey Pots
• Firewalls (early 90’s): must have, deployed before anything else
• Intrusion Detection System (IDS) (mid to late 90’s): we can’t guard everything, so let’s watch the network for suspicious traffic
• Honeypots (early 2000): not only do we want to know when the black hats are attacking, but also answer the question, Why? Let’s learn rather than just react
Concept of Honeypots
• A security resource whose value lies in being probed, attacked or compromised
• Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (Source: Tracking-Hackers paper)
Why we Use Honey Pots?
• An additional layer of security
• It is a different kind of security from a firewall.
• A firewall only works on system security.
• This security works on the network layer.
Honeypots
• A server that is configured to detect an intruder by mirroring a real production system.
• It appears as an ordinary server doing work, but all the data and transactions are phony.
• Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system.
• Set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Types of Honeypots
• Generally speaking there are two different types of honeypots: Production Honeypots and Research Honeypots
• Production Honeypots are used primarily by companies or corporations to improve their overall state of security.
• Research Honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.
Working of Honey Pots (using Snort)
Snort Description
• Open source network intrusion prevention and detection system.
• It uses a rule-based language combining signature, protocol and anomaly inspection methods.
• It is the most widely deployed intrusion detection and prevention technology and has become the de facto standard technology worldwide in the industry.
• Only Snort works in the Windows environment.
Working of Snort (IDS)
• IDS: invisible Snort monitor in promiscuous mode
• Two Snort sessions
• Session 1: signature analysis (monitoring)
• Session 2: packet capture (data capture)
Practical Snort Working
• Please see the which included with it.
Level of Interaction
• The level of interaction determines the amount of functionality a honeypot provides.
• The greater the interaction, the more you can learn.
• The greater the interaction, the more complexity and risk.
• Risk here is the chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.
Low Interaction
• Provide emulated services
• No operating system for the attacker to access.
• Information limited to transactional information and the attacker's activities with emulated services
• Some low interaction tools are Honeyd and Specter.
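
The low-interaction idea above as an added Python example (not from the original slides or from any of the listed tools): a listener that emulates a service by sending a banner, records only transactional information about each connection, and gives the client no operating system to reach. The FTP-style banner, the loopback address and the names `EmulatedService`, `start_honeypot` and `probe` are assumptions made for the illustration.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

BANNER = b"220 ftp.example.test FTP server ready\r\n"  # constructed fake banner
EVENTS = []  # transactional records; a deployment would forward these to a log host
_LOCK = threading.Lock()

class EmulatedService(socketserver.BaseRequestHandler):
    """Emulated service: sends a banner, records the client's first input, refuses."""

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""  # client connected but sent nothing; still worth recording
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "payload": data[:256].decode("latin-1"),  # keep raw bytes readable
        }
        with _LOCK:
            EVENTS.append(record)
        self.request.sendall(b"530 Login incorrect.\r\n")  # no real login exists

def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread and return the server object."""
    server = socketserver.ThreadingTCPServer((host, port), EmulatedService)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(port, payload, host="127.0.0.1"):
    """Local test client standing in for a scanner; returns (banner, reply)."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return banner, reply

if __name__ == "__main__":
    srv = start_honeypot()
    print(probe(srv.server_address[1], b"USER admin\r\n"), EVENTS)
    srv.shutdown()
    srv.server_close()
```
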
High Interaction
• Provide actual operating systems
• Learn extensive amounts of information.
• Extensive risk.
• Some high interaction tools are Honeynets.
• Honeynets are a kind of honeypot project that is in the development and testing stage.
Some of Honey Pots Tools
• BackOfficer Friendly – http://www.nfr.com/products/bof/ (Low Interaction)
• SPECTER – http://www.specter.com
• Honeyd – http://www.citi.umich.edu/u/provos/honeyd/
• ManTrap – http://www.recourse.com
• Honeynets – http://project.honeynet.org/papers/honeynet/ (High Interaction)
Advantages
• Fidelity: information of high value
• Encryption or IPv6
• New tools and tactics
• Simple concept
• Not resource intensive
• Return on investment
Disadvantages
• Labor/skill intensive
• Risk
• Limited field of view
• Does not protect vulnerable systems
Today's honeypots
• Military, government organizations and security companies are applying the technologies
• Primarily to identify threats and learn more about them
• Commercial application is increasing every day
Future of Honey Pots
• Honeypots are now where firewalls were eight years ago
• Beginning of the “hype curve”
• Enhanced policy enforcement capabilities
• Advance development in Open Source solutions
• Integrated firewall/IDS/honeypot appliances
Any Queries
Resources: Honeypots: Tracking Hackers, http://www.tracking-hackers.com