This document discusses honeypots and honeynets. It begins by explaining that honeypots are fake vulnerable systems used to collect information from attackers without being harmed. There are two main types - low interaction honeypots that emulate services and high interaction honeypots that use real systems. Honeynets are networks of high interaction honeypots used to capture in-depth information on attacks. The document outlines the benefits of honeypots for gathering threat intelligence and tracking attackers. It also discusses some popular honeypot tools and the growing cybersecurity market.

1. Honeypots & Honeynets
Tech Talk
June’13
Rasool Kareem Irfan | @rasoolirfan

2. Agenda
1. Preface
2. Value of Honeypot – What & Why
3. Benefits of deploying Honeypot
4. Types – Advantages & Disadvantages
5. Honeynets
• Concept
• Threat and Trends
• Architecture
6. Cyber Security Market
7. Questions
2

3. The Problem
Preface
 Hacker/ Intruder/ Attacker
 The security state of internet is
poor
 Anyone is the target..!
 Tools getting better
 Why do they attack?
3

4. Lionel Giles once said:
“Everybody can see superficially how a
battle is won; what they cannot see are the long series of
plans and combinations which have preceded the battle”

5. Evidence

6. What is Honeypot
Value of Honeypot
• Abstract definition:
• “A honeypot is an
information system resource
whose value lies in unauthorized
or illicit use of that resource.”
(Lance Spitzner)
• Concrete definition:
• “A honeypot is a fictitious
vulnerable IT system used for the
purpose of being attacked,
probed, exploited and
compromised.”
6
Their Value
• Primary value of honeypots is to collect information.
• This information is then used to better identify, understand and protect against threats.
• Honeypots add little direct value to protect your network

7. Why Honeypot
Value of Honeypot
• A great deal of the security profession (and the IT world)
depend honeypots, however few know it. Honeypots …
• • Build anti-virus signatures.
• • Intelligence gathering (Symantec / Arbor)
• • Build SPAM signatures and filters.
• • Build RBL’s (Real-time Blackhole List) for malicious websites.
• • ISP’s identify compromised systems.
• • Assist law-enforcement to track criminals.
• • Hunt and shutdown botnets.
• • Malware collection and analysis.
7

8. Benefits of deploying honeypot

9. Advantages & Disadvantages
Types
9
• Low Interaction Honeypot
• Low-interaction honeypots are typically the
easiest honeypots to install, configure, deploy
and maintain. They partially emulate a service
(e.g. Unix telnet server or Microsoft’s IIS) or
operating system and limit the attacker’s
activities to the level of emulation provided by
the software.
• Advantages
• Logging and analyzing is simple
• only transactional information are available, no
information about the attacks themselves, e.g.
time and date of an attack, protocol, source and
destination IP as well as port)
• Disadvantages
• Very limited logging abilities
• Can only capture known attacks
• Easily detectable by a skilled attacker
High Interaction Honeypot
Provide an attacker with a real operating system
where nothing is emulated or restricted.
Ideally you are rewarded with a vast amount of
information about attackers, their motivation,
actions, tools, behaviour, level of knowledge,
origin, identity etc.
Advantages
Learn as much as possible about the attacker,
the attack itself and especially the methodology
as well as tools used.
Disadvantages
Building, configuring, deploying and maintaining
a high-interaction honeypot is very time
consuming as it involves a variety of different
technologies (e.g. IDS, firewall etc.) that has to
be customized.

10. BackOfficer Friendly:
Honeypot Tools
A free win32 based honeypot solution by NFR Security (a separate Unix port is available but has
restricted functionality). It is able to emulate single services such as telnet, ftp, smtp and to rudimentary
log connection attempts
NFR® BackOfficer Friendly is a useful little burglar alarm - simple, unobtrusive, and easy to install - which
rings when someone rattles your doorknob. It identifies attacks from Back Orifice, one of the nastier
hacking applications, as well as other sorts of scans. NFR is currently offering BackOfficer Friendly as a
FREE download for personal use only
10

11. SPECTER
Honeypot Tools
SPECTER is a smart honeypot-based intrusion detection system. It simulates a vulnerable computer,
providing an interesting target to lure hackers away from the production machines. SPECTER offers
common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to
the attackers but in fact are traps for them to mess around and leave traces without even knowing that
they are connected to a decoy system, which does none of the things it appears to do, but instead logs
everything and notifies the appropriate people.
11

12. So you want to build your own honeypot
Honeypots Solutions
http://www.tracking-hackers.com/solutions/
12

13. non-profit, research organization improving the security of the Internet at no cost.
Honeynets
• Concept of honeynet
project
• High-interaction honeypot
designed to capture in-
depth information.
• Information has different
value to different
organizations.
• Its an architecture you
populate with live systems,
not a product or software.
• Any traffic entering or
leaving is suspect
• Threats
• Hundreds of scans a day.
• Fastest time honeypot manually
compromised, 15 minutes
(worm, under 60 seconds).
• Life expectancies: vulnerable
Win32 system is under three
hours, vulnerable Linux system is
three months.
• Primarily cyber-crime, focus on
Win32 systems and their users.
• Attackers can control thousands
of systems (Botnets).
13

14. Architecture
Honeynet
14
1. Data Capture
3. Data Analysis
2. Data Control

15. 15
What’s happening?
Do this knowledge need for me
Boundless Informant: US gov't collects 100 billion surveillance records a month

16. Cyber-Security Market
Growing at a CAGR of 11.3% and to Reach $120.1 Billion by 2017
The most dramatic cyber attack in recent times was that of STUXNET. In 2010, STUXNET, the first malware able
to take control of low-level industrial devices, i.e., a centrifuge of nuclear power plants was spread. This fact
made everybody reflect on the fact that cyber-security was not anymore a matter of securing servers and
software, company data and continuity, but a matter of citizen safety.
• Identity & Access Management,
• Risk & Compliance Management,
• Data Encryption,
• Data Leakage Prevention Solution,
• Data Recovery Solutions,
• UTM, Anti-Virus, IPS/IDS, Web Filtering,
• Fire-Wall, Vulnerability Management
• DDoS Protection
Reference - http://www.prweb.com/releases/cyber-security/market/prweb10700570.htm