"Honeypot 101"
Computing Society, Royal Holloway, University of London
March, 2015
Abstract: How many times have you come across the term “honeypot” in your lectures and textbooks, or security talks? How much do you know about them? Is “honeypot” a security tool or concept? In this presentation, I’ll walk you through the basics of honeypots, discuss its applications, and demonstrate some honeypots used by researchers.
1. Honeypot 101
Emil Tan, Security+, GLEG, RHCSA/RHCT
Team Lead, Edgis
Research Guide, The Honeynet Project (Singapore Chapter)
2. The Honeynet Project
The Honeynet Project is a leading international 501(c)(3) non-profit security
research organisation, dedicated to investigating the latest attacks and
developing open source security tools to improve Internet security.
Founded in 1999, The Honeynet Project has contributed to the fight against
malware and malicious hacking attacks and counts leading security
professionals among its members and alumni.
3. What’s a Honeypot?
An information system resource which has no production value.
Its value lies in unauthorised or illicit use of that resource.
Its value lies in being probed, attacked, or compromised.
Lance Spitzner (@lspitzner)
What can be used as a honeypot? Resources
Hardware (End-points, Servers, Standalone PCs, USB Sticks, etc.)
Software (Services, Files, etc.)
It’s all about the purposes of the honeypot
4. Purposes? Aims? Objectives?
Intelligence Gathering
Trend / Behaviour Analysis
Know Your Enemy (KYE)
Bait / Decoy
Narrow down further depending on who you are
Similar to Incident Response – SMEs v. MNCs v. Financial Institutes v. Military
5. High v. Low Interactions
High Interaction Honeypots
It is what it is (The actual thing)
Content Rich; The Actual Shell, Services, etc.
Low Interaction Honeypots
A program
Emulated services; Limited interactivity
7. What’s Considered a Good Honeypot?
Purposes / Aims / Objectives
Attractiveness
Stickiness
Data Collection
8. Where Do I Start?
High Interactions
Throw all the security tools in there! – NIDS, HIDS, Keyloggers –
Who cares about false positives?
In-Depth Data Capturing Tools – Sebek, Qebek, Capture-HPC, DPI
Egress Traffic Control – Snort Inline, iptables
Perimeter Control – Honeywall (Roo)
SSL Proxy & Traffic Analyser – HoneyProxy
9. Where Do I Start? (cont’d)
Low Interactions
The one that emulates everything (or the common services)! – Honeyd / Tiny Honeypot
Malware – Nepenthes, Dionaea, Honeytrap
Web Application – Glastopf
SSH – Kojoney, Kippo, Secure Honey
Client – Thug
ICS/SCADA – Conpot
USB Malware – Ghost USB
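As an added example (not from the slides, and not the code of any tool named on them), here is a minimal low-interaction SSH honeypot in the sense of slides 5 and 9: it emulates only the SSH identification exchange, records each client's source address and software string as one JSON event (the data collection point of slide 7), and hangs up. The OpenSSH-style banner and the default port 2222 are assumptions.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: an OpenSSH-style identification string (an assumption, not a real host's)
SERVER_BANNER = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"

def parse_client_banner(raw: bytes) -> dict:
    """Parse the client identification line (RFC 4253 s4.2: 'SSH-<proto>-<software>')."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1", "replace")
    if not line.startswith("SSH-"):  # HTTP probe, scanner junk, etc.: keep raw, flag it
        return {"valid": False, "raw": line}
    proto, _, software = line[4:].partition("-")
    return {"valid": True, "proto": proto, "software": software}

def handle(conn: socket.socket, addr: tuple, events: list) -> None:
    """One connection: send our banner, read the client's, record it, hang up."""
    # Limited interactivity by design: no key exchange, no authentication, no shell.
    conn.settimeout(5)
    try:
        conn.sendall(SERVER_BANNER)
        raw = conn.recv(255)  # RFC 4253 caps the identification line at 255 bytes
    except OSError:  # covers socket.timeout and resets from port scanners
        raw = b""
    finally:
        conn.close()
    event = {"ts": datetime.now(timezone.utc).isoformat(), "src_ip": addr[0],
             "src_port": addr[1], **parse_client_banner(raw)}
    events.append(event)
    print(json.dumps(event))  # one JSON line per probe, ready for a log collector

def start_honeypot(host="127.0.0.1", port=2222, max_conns=None):
    """Accept max_conns connections (None = forever) in a background thread.
    Returns (bound_port, thread, events); port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    events = []
    def loop():
        served = 0
        while max_conns is None or served < max_conns:
            conn, addr = srv.accept()
            handle(conn, addr, events)
            served += 1
        srv.close()
    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, events
```

Run it as `start_honeypot(port=2222)[1].join()` and redirect TCP/22 to 2222 at the firewall; the recorded events are the raw material for the trend and behaviour analysis of slide 4.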
10. ENISA’s
Proactive Detection of Security Incidents
https://www.enisa.europa.eu/activities/cert/support/proactive-detection
20. Considerations
High or low interaction?
Which honeypot tools to use? Or should I create my own?
Physical or Virtual Environment?
Placed Inside or Outside my Production Environment?
Level of Vulnerabilities?
Legal Considerations
21. Where To Go From Here?
Google Summer of Code (GSoC) – http://www.honeynet.org/gsoc
YouTube Channel – https://www.youtube.com/user/TheHoneynetProject
The Honeynet Project Workshop!
18 – 20 May 2015
Stavanger, Norway
Tutorials – http://edgis-security.org/lab-tutorials
22. Who’s Going to BSides London?
3rd June 2015
ILEC Conference Centre
CFP – http://bit.ly/BSidesLDN2015CFP
Call for Workshops – http://bit.ly/BSidesLDN2015CFW
Rookies Track – http://bit.ly/BSidesLDN2015Mentors