An Introduction to Honeypots J. Scott Christianson
J. Scott Christianson. Experience/Education: worked for a consortium of schools for eight years; owns and operates Kaleidoscope Consulting (firewall installation, network design); M.A., Educational Technology, The George Washington University. Certifications: CISSP, SANS GIAC, MCSE, Cisco CNA 1.0 and 2.0, CVE, NACSE Senior Network Specialist, Sonicwall SCSA, Network+, etc.
Today’s Session: What is a Honeypot? Types of Honeypots; Honeypot Deployment; Demonstration; Legal Issues; Resources.
Honeypot Defined: “A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.” --Lance Spitzner, “Intrusion Deception Systems”
Honeypot Uses. Research: discover new attacks; understand the blackhat community and their attacks; build better defenses against security threats. Production: distraction (draw attackers away from real assets); detect internal threats (“policy/law enforcement”); security assessment (constantly monitors the average level of security provided by the network).
Honeypot Characteristics. Since honeypots are not used for any normal business purpose, they should only ever be accessed by “intruders” (or by misconfigured systems, which is worth knowing about too). Honeypots collect very little data, but what they do collect is normally of high value, because there is no legitimate traffic to sift through. Honeypots all share one huge drawback: they are worthless if no one attacks them. Honeypots can introduce risk to your environment, since a compromised honeypot is a foothold the attacker can use against your real systems or somebody else’s.
Types of Honeypots. Honeypots are classified by the degree to which an attacker can interact with the operating system. The more an attacker can interact with a honeypot, the more information we can potentially gain from it, but the more risk it carries, because the attacker has more of a real system to work with. Types: Low-Involvement Honeypot (a program emulates a service; the attacker never touches a real OS); Mid-Involvement Honeypot (richer emulation of the service and its responses, still no real OS access); High-Involvement Honeypot (a real, usually unpatched, operating system that can be fully compromised).
Honeypot Deployment. A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc.). A honeypot can be an unpatched server, for example an IIS server with the default install. Use a firewall to protect the outside world from the honeypot: allow inbound connections to it, but restrict what the honeypot can initiate outbound, so a compromised honeypot cannot be used to attack third parties. Hogwash (a Snort-based inline IP scrubber that rewrites or drops malicious packets in flight): http://hogwash.sourceforge.net/
Low/Mid Interaction Honeypot: Specter. Runs on Microsoft OSs. Specter can emulate one of 13 different operating systems. As of version 6.02 the IP stack is not emulated, so IP fingerprinting tools (OS detection that inspects TCP/IP stack behavior rather than service banners) are not fooled; an attacker who fingerprints the stack will see the real Windows host. Supports custom fake password files and custom HTTP content. Pricing: full version $899, Lite $599. www.specter.com
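To make the low-involvement type concrete, here is a small TCP honeypot in Python that does what the Specter-style tools above do in miniature: it presents a fake service banner, records every byte the peer sends along with the peer address and a timestamp, answers with a canned refusal, and executes nothing. This is an added example written for this page, not code from the talk or from any of the products named; the banner, hostname and attacker commands are constructed for the demo, and the demo runs both sides over loopback so it can be tested offline.

```python
"""Minimal low-interaction TCP honeypot: fakes a service banner, records
everything the peer sends, executes nothing. Added example, not from the talk."""
import socket
import threading
import time
from dataclasses import dataclass, field

# Constructed fake banner; the hostname is invented for this example.
FAKE_BANNER = b"220 ftp.example.internal FTP server ready.\r\n"
FAKE_REPLY = b"530 Not logged in.\r\n"   # every command gets the same canned refusal
MAX_BYTES = 1024     # cap on attacker input per connection: low interaction, low risk
IDLE_TIMEOUT = 2.0   # seconds to wait for input before closing the connection


@dataclass
class Event:
    ts: float
    peer: str
    kind: str          # "connect", "data" or "close"
    data: bytes = b""


@dataclass
class Honeypot:
    host: str = "127.0.0.1"   # bind to the honeypot's external address in a real deployment
    port: int = 0             # 0 = OS-assigned port for the demo; 21 to impersonate FTP
    events: list = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def record(self, peer: str, kind: str, data: bytes = b"") -> None:
        with self._lock:
            self.events.append(Event(time.time(), peer, kind, data))

    def handle(self, conn: socket.socket, addr) -> None:
        peer = f"{addr[0]}:{addr[1]}"
        self.record(peer, "connect")     # nobody legitimate connects here: every hit is an alert
        conn.settimeout(IDLE_TIMEOUT)
        received = 0
        try:
            conn.sendall(FAKE_BANNER)
            while received < MAX_BYTES:
                chunk = conn.recv(256)
                if not chunk:
                    break
                received += len(chunk)
                self.record(peer, "data", chunk)   # capture commands verbatim
                conn.sendall(FAKE_REPLY)           # never act on the input
        except (socket.timeout, OSError):
            pass
        finally:
            self.record(peer, "close")
            conn.close()

    def start(self, max_conns: int = 1) -> threading.Thread:
        """Bind, listen, and serve max_conns connections on a background thread."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((self.host, self.port))
        self.port = srv.getsockname()[1]
        srv.listen(5)

        def loop():
            for _ in range(max_conns):
                conn, addr = srv.accept()
                self.handle(conn, addr)
            srv.close()

        t = threading.Thread(target=loop, daemon=True)
        t.start()
        return t


def log_lines(events) -> list:
    """Render captured events one per line, as you would ship them to a log collector."""
    return [f"{time.strftime('%Y-%m-%dT%H:%M:%S', time.gmtime(e.ts))} {e.peer} {e.kind} {e.data!r}"
            for e in events]


def run_demo():
    """Play a scripted attacker against the honeypot over loopback; return banner and events."""
    hp = Honeypot()
    worker = hp.start(max_conns=1)
    c = socket.create_connection((hp.host, hp.port))
    banner = c.recv(256)
    for cmd in (b"USER root\r\n", b"PASS toor\r\n"):   # constructed attacker input
        c.sendall(cmd)
        c.recv(256)                                     # wait for the canned reply
    c.close()
    worker.join(timeout=5)
    return banner, hp.events


if __name__ == "__main__":
    banner, events = run_demo()
    print(banner.decode().strip())
    print("\n".join(log_lines(events)))
```

Two design points follow directly from the slides. The input cap and idle timeout are the "low involvement" boundary: the attacker gets a banner and a refusal, never a shell, so the honeypot cannot be turned against other systems. And because no legitimate client has any reason to connect, the "connect" event alone is a high-value alert with essentially no false positives; the captured commands (here a guessed root login) are a bonus. The fake stack caveat from the Specter slide applies here too: this process runs on a real OS, so stack fingerprinting will reveal the host, not the service it pretends to be.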
Virtual Honeypots. VMware ($299 from vmware.com): the host operating system is hardened; the guest operating systems are the honeypots (unpatched OSs). The host does the logging and enforces the firewall rules, so the attacker who owns a guest still has to get past the host to reach anything real.
Honeynets: http://project.honeynet.org. An extension of the honeypot idea: an entire network of honeypots behind a controlling gateway. The network topology provides many advantages over a standalone honeypot: covert logging (captured at the gateway or host rather than on the compromised system, where the attacker could tamper with it); more points of attack for the blackhat; and it looks realistic from the outside.
Issues Raised: Privacy. Monitoring an attacker’s traffic is interception, so the federal surveillance statutes apply: the Electronic Communications Privacy Act (18 USC 2701-11), the Federal Wiretap Statute (Title III, 18 USC 2510-22), and the Pen/Trap Statute (18 USC 3121-27).
Issues Raised: Entrapment. Entrapment is a defense used only by a defendant to avoid conviction; you cannot be held criminally liable for “entrapment.” It applies only to law enforcement, and even then most legal authorities consider honeynets not to be entrapment, since the attacker was not induced to commit a crime they were otherwise unwilling to commit.
Issues Raised: Liability. You may be liable if your honeynet system is used to attack or damage other, non-honeynet systems. This is decided at the state level, not federal, and is a civil issue, not a criminal one. This is the legal reason for the outbound firewall controls described under deployment.
Resources: http://www.spitzner.net/ and http://project.honeynet.org