An Introduction to Honeypots J. Scott Christianson
Published in: Technology
  1. An Introduction to Honeypots J. Scott Christianson
  2. J. Scott Christianson
     • Experience/Education
       - Worked for a consortium of schools for eight years
       - Own and operate Kaleidoscope Consulting
       - Firewall Installation
       - Network Design
       - M.A., Educational Technology, The George Washington University.
     • Certifications
       - CISSP
       - SANS GIAC
       - MCSE
       - Cisco CNA 1.0, 2.0
       - CVE
       - NACSE Senior Network Specialist
       - Sonicwall SCSA
       - Network +, etc.
  3. Today’s Session
     • What is a Honeypot?
     • Types of Honeypots
     • Honeypot Deployment
     • Demonstration
     • Legal Issues
     • Resources
  4. Honeypot Defined
     • “A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.”
     • --Lance Spitzner
     “Intrusion Deception Systems”
  5. Honeypot Uses
     • Research
       - Discover new attacks
       - Understand the blackhat community and their attacks
       - Build some better defenses against security threats
     • Production
       - Distraction
       - Detect internal threats: “Policy/Law Enforcement”
       - Security Assessment (Constantly monitors the average security provided by the network)
  6. Honeypot Characteristics
     • Since honeypots are not normally used by the organization, they will only be accessed by “intruders”.
     • Honeypots collect very little data, and what they do collect is normally of high value.
     • Honeypots all share one huge drawback: they are worthless if no one attacks them.
     • Honeypots can introduce risk to your environment.
  7. Types of Honeypots
     • Honeypots are classified by the degree to which an attacker can interact with the operating system
       - The more an attacker can interact with a honeypot, the more information we can potentially gain from it, but the more risk it is likely to carry.
     • Types
       - Low-Involvement Honeypot
       - Mid-Involvement Honeypot
       - High-Involvement Honeypot
  8. Honeypot Deployment
     • A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc).
     • A honeypot can be an unpatched server. For example, an IIS server with the default install.
       - Use a firewall to protect the outside world
       - Hogwash (Snort based IP scrubber) http://hogwash.sourceforge.net/
  9.
     • Low/Mid Interaction Honeypot
     • Runs on Microsoft OSs
     • Specter can emulate one of 13 different operating systems.
     • As of Version 6.02, the IP stack is not emulated so IP fingerprinting tools are not fooled.
     • Custom fake password files and custom HTTP content.
     • Pricing: full version $899, Lite $599
     • www.specter.com
  10. Virtual Honeypots
      • VMware ($299 from vmware.com)
      • Host operating system is hardened
      • Guest operating systems are the honeypots (unpatched OSs)
  11. Honeynets
      • http://project.honeynet.org
      • An extension of a Honeypot
      • Network topology provides many advantages over a standard honeypot
        - Covert logging
        - More points of attack for a blackhatter
        - Looks realistic from the outside
  12. Issues Raised: Privacy
      • Electronic Communication Privacy Act (18 USC 2701-11)
      • Federal Wiretap Statute (Title III, 18 USC 2510-22)
      • The Pen/Trap Statute (18 USC § 3121-27)
  13. Issues Raised: Entrapment
      • Used only by defendant to avoid conviction
      • Cannot be held criminally liable for ‘entrapment’
      • Applies only to law enforcement
      • Even then, most legal authorities consider Honeynets non-entrapment
  14. Issues Raised: Liability
      • You may be liable if your Honeynet system is used to attack or damage other non-Honeynet systems.
        - Decided at state level, not federal
        - Civil issue, not criminal
  15. Resources: http://www.spitzner.net/
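
The points on slides 6 and 7 as a sketch, added here and not part of the original slides: a low-interaction decoy listener that turns every connection into a high-value alert, because no legitimate user has a reason to touch it. The FTP-style banner, the function names and the loopback probe in `demo()` are constructed for illustration.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner; a low-interaction honeypot emulates only this much.
FAKE_BANNER = b"220 ftp.example.internal FTP server ready\r\n"

def handle_probe(conn, peer, max_bytes=256, timeout=2.0):
    """Send the banner, capture the client's first bytes, return one alert record."""
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(FAKE_BANNER)
        data = conn.recv(max_bytes)  # bounded read: no further interaction is offered
    except OSError:  # timeouts and resets still produce an alert
        pass
    finally:
        conn.close()
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "first_bytes": data.decode("latin-1"),
        "severity": "high",  # nobody in the organization uses this host
    }

def serve(listener, alerts, max_conns):
    """Accept up to max_conns connections; each one becomes an alert."""
    for _ in range(max_conns):
        conn, peer = listener.accept()
        alerts.append(handle_probe(conn, peer))

def demo():
    """Bind to loopback on an ephemeral port and send one constructed probe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    alerts = []
    worker = threading.Thread(target=serve, args=(listener, alerts, 1))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        banner = client.recv(128)
        client.sendall(b"USER anonymous\r\n")
    worker.join()
    listener.close()
    return banner, alerts

if __name__ == "__main__":
    print(demo()[1])
```

Because the listener only sends a banner and reads a bounded number of bytes, it stays at the low-involvement end of the scale: little data per event, and little for an intruder to take over.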
