1. Honeypot Research and Decision
Presented by John Tran and Poh Duong

2. Tools and methods
Production honeypots: HoneyD, BackOfficer Friendly, Bubblegum, Decoy Server, Specter, Smoke Detector
Research honeypots: Bait n Switch, Sebek, Honeywall, Sombria

3. Risk
Low-interaction honeypots: many of them do nothing to secure the host system itself.
An insecure Windows host can mean the honeypot itself is compromised.
Once compromised, it can be used to roam the network looking for confidential information, or even to modify the data found on the systems.

4. Collecting evidence
Specter: able to leave hidden marks on an intruder's computer.
KFSensor and BackOfficer Friendly: able to provide details on which ports the intruder came in on, and details of the intruder's computer.
All of these small things can be used as evidence in a court of law.

5. Benefits/disadvantages of these tools
Advantages
- Data value: collect little data, but of high value.
- Resources: generally no resource-exhaustion problems, since the honeypot does not have to capture a lot of activity.
- Simplicity: no fancy algorithm to develop, no signature databases to maintain, no rule base to misconfigure.
- Return on investment: honeypots demonstrate their value whenever they are attacked.
Disadvantages
- Narrow field of view: honeypots only see the activity that is directed at them.
- Fingerprinting: an attacker can identify a honeypot by certain characteristics or behaviours.
- Risk: once the honeypot is attacked, it can be used to attack or infiltrate other systems.

6. Recommendation: Specter
Low-interaction honeypot
Able to emulate 11 common servers
Able to put evidence on attackers' computers
Comprehensive log analyzer
Can help determine if it is an inside attack
No false alerts: no legitimate user will ever connect to the honeypot
Information about the identity of the attacker can be collected
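As an added example (not from the presentation, and not Specter's or any other listed product's code), here is a minimal low-interaction honeypot in Python along the lines of slides 4 and 6: it emulates a few service banners, treats every connection as an alert, writes the port and peer details as a JSON evidence line, and flags whether the source address falls in a constructed internal range to help separate inside attacks from outside ones. The port numbers, banners and internal address ranges are assumptions.

```python
import ipaddress
import json
import socket
from datetime import datetime, timezone
# Hypothetical emulated services: listening port -> (service name, banner sent to the peer).
EMULATED = {
    2121: ("ftp", b"220 FTP server ready\r\n"),
    2323: ("telnet", b"login: "),
    8080: ("http", b"HTTP/1.0 400 Bad Request\r\n\r\n"),
}
# Constructed internal address space (assumption): a source inside it suggests an inside attack.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def build_event(src_ip, src_port, dst_port, first_bytes):
    """Turn one connection into an evidence record. Every connection is an alert,
    because no legitimate user has any reason to talk to the honeypot."""
    src = ipaddress.ip_address(src_ip)
    service = EMULATED.get(dst_port, ("unknown", b""))[0]
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": str(src), "src_port": src_port,
        "dst_port": dst_port, "service": service,
        "origin": "inside" if any(src in n for n in INTERNAL_NETS) else "outside",
        "first_bytes": first_bytes[:64].hex(),  # hex keeps binary input log-safe
        "alert": True,
    }

def handle(conn, addr, dst_port, log):
    """Send the fake banner, capture the peer's first bytes, log them, close."""
    with conn:
        conn.settimeout(5)
        conn.sendall(EMULATED[dst_port][1])
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
    event = build_event(addr[0], addr[1], dst_port, data)
    log.write(json.dumps(event) + "\n")
    log.flush()  # flush per event so evidence survives a crash of the honeypot
    return event

def listen(dst_port, log, bind="0.0.0.0"):
    # Accept connections on one emulated port forever, one at a time.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, dst_port))
        srv.listen(5)
        while True:
            conn, addr = srv.accept()
            handle(conn, addr, dst_port, log)
```

Run one `listen(port, open("honeypot.log", "a"))` per emulated port (for instance in separate threads) on a host that has no other legitimate services, and treat every line in the log as an alert worth investigating.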

ForensicHP
