  1. An Introduction to Honeypots
     - J. Scott Christianson
  2. J. Scott Christianson
     - Experience/Education
       - Worked for a consortium of schools for eight years
       - Own and operate Kaleidoscope Consulting
       - Firewall Installation
       - Network Design
       - M.A., Educational Technology, The George Washington University.
     - Certifications
       - CISSP
       - SANS GIAC
       - MCSE
       - Cisco CNA 1.0, 2.0
       - CVE
       - NACSE Senior Network Specialist
       - Sonicwall SCSA
       - Network +, etc.
  3. Today’s Session
     - What is a Honeypot?
     - Types of Honeypots
     - Honeypot Deployment
     - Demonstration
     - Legal Issues
     - Resources
  4. Honeypot Defined
     - “A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.”
     - --Lance Spitzner
     - “Intrusion Deception Systems”
  5. Honeypot Uses
     - Research
       - Discover new attacks
       - Understand the blackhat community and their attacks
       - Build some better defenses against security threats
     - Production
       - Distraction
       - Detect internal threats: “Policy/Law Enforcement”
       - Security Assessment (Constantly monitors the average security provided by the network)
  6. Honeypot Characteristics
     - Since honeypots are not normally used by the organization, they will only be accessed by “intruders”.
     - Honeypots collect very little data, and what they do collect is normally of high value.
     - Honeypots all share one huge drawback: they are worthless if no one attacks them.
     - Honeypots can introduce risk to your environment.
  7. Types of Honeypots
     - Honeypots are classified by the degree to which an attacker can interact with the operating system
       - The more an attacker can interact with a honeypot, the more information we can potentially gain from it, but the more risk it most likely carries.
     - Types
       - Low-Involvement Honeypot
       - Mid-Involvement Honeypot
       - High-Involvement Honeypot
  8. Honeypot Deployment
     - A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc).
     - A honeypot can be an unpatched server. For example, an IIS server with the default install.
       - Use firewall to protect the outside world
       - Hogwash (Snort based IP scrubber) http://hogwash.sourceforge.net/
  9.
     - Low/Mid Interaction Honeypot
     - Runs on Microsoft OSs
     - Specter can emulate one of 13 different operating systems.
     - As of Version 6.02, the IP stack is not emulated so IP fingerprinting tools are not fooled.
     - Custom fake password files and custom HTTP content.
     - Pricing: full version $899, Lite $599
     - www.specter.com
  10. Virtual Honeypots
      - VMware ($299 from vmware.com)
      - Host Operating System is Hardened
      - Guest Operating Systems are the Honeypots (unpatched OSs)
  11. Honeynets
      - http://project.honeynet.org
      - An extension of a Honeypot
      - Network topology provides many advantages over standard honeypot
        - Covert logging
        - More points of attack for a blackhatter
        - Looks realistic from the outside
  12. Issues Raised: Privacy
      - Electronic Communications Privacy Act (18 USC 2701-11)
      - Federal Wiretap Statute (Title III, 18 USC 2510-22)
      - The Pen/Trap Statute (18 USC § 3121-27)
  13. Issues Raised: Entrapment
      - Used only by defendant to avoid conviction
      - Cannot be held criminally liable for ‘entrapment’
      - Applies only to law enforcement
      - Even then, most legal authorities consider Honeynets non-entrapment
  14. Issues Raised: Liability
      - You may be liable if your Honeynet system is used to attack or damage other non-Honeynet systems.
        - Decided at state level, not federal
        - Civil issue, not criminal
  15. Resources
      - http://www.spitzner.net/
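
The monitoring rule implied by slides 6, 8 and 14, as an added example that is not part of the original slides: any connection to a honeypot is treated as an alert, and any connection leaving a honeypot (other than to its log collector) is flagged as a containment failure. The addresses, the internal range, the log collector and the log format are all assumptions constructed for this sketch.

```python
import ipaddress

# Assumptions (constructed for this example): honeypot addresses, the
# organization's internal range, the one host honeypots may contact, and a
# whitespace-separated log format "time src_ip src_port dst_ip dst_port".
HONEYPOTS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
LOG_COLLECTOR = ipaddress.ip_address("10.0.0.5")

SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 40112 192.0.2.10 80
2024-01-01T10:00:05 10.1.2.3 51515 10.0.0.20 443
2024-01-01T10:02:11 10.4.4.9 38822 192.0.2.11 445
2024-01-01T10:05:40 192.0.2.10 1045 198.51.100.25 6667
2024-01-01T10:05:41 192.0.2.10 1046 10.0.0.5 514
malformed line
"""

def classify(line):
    """Return (category, src, dst, dst_port), or None if not honeypot-related."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip lines that do not match the assumed format
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[3])
        dport = int(parts[4])
    except ValueError:
        return None
    if dst in HONEYPOTS:
        # Nobody has a legitimate reason to talk to a honeypot (slide 6);
        # an internal source points at an insider or a compromised host (slide 5).
        category = "internal-probe" if src in INTERNAL_NET else "external-probe"
    elif src in HONEYPOTS and dst != LOG_COLLECTOR:
        # The honeypot is reaching out: the firewall should have blocked this,
        # and it is the liability case from slide 14.
        category = "honeypot-outbound"
    else:
        return None  # ordinary traffic, not the honeypot's concern
    return (category, str(src), str(dst), dport)

def honeypot_alerts(log_text):
    """Classify every log line and keep only the honeypot-related events."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]

if __name__ == "__main__":
    for alert in honeypot_alerts(SAMPLE_LOG):
        print(alert)
```

Of the six constructed lines, only three produce events, which is the "very little data, of high value" property from slide 6.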