Honeypots are security resources that are designed to be probed, attacked, or compromised in order to detect unauthorized access. They work by providing resources that are expected to receive no traffic, so any traffic received is likely unauthorized. There are different types of honeypots used for law enforcement or research purposes. Honeypots excel at detection of attacks or unauthorized access due to advantages like reducing false positives and negatives and providing valuable data, but they also have disadvantages like narrow visibility and risks if used improperly. The level of interaction a honeypot allows determines how much functionality and information it can provide, with higher interaction providing more insight but also more complexity and risk.

1. Honeypots

2. Definition Any security resource who’s value lies in being probed, attacked, or compromised How honeypots work Simple concept A resource that expects no data, so any traffic to or from it is most likely unauthorized activity

3. Types Production (Law Enforcment) Research (Counter-Intelligence) What is the value of honeypots? One of the greatest areas of confusion concerning honeypot technologies. Value

4. Advantages Based on how honeypots conceptually work, they have several advantages. Reduce False Positives and False Negatives Data Value Resources Simplicity

5. Disadvantages Based on the concept of honeypots, they also have disadvantages: Narrow Field of View Risk Production Prevention Detection Response

6. Prevention Keeping the burglar out of your house. Honeypots, in general are not effective prevention mechanisms. Deception, Deterence , Decoys, are phsychological weapons. They do NOT work against automated attacks: worms auto-rooters mass-rooters

7. Detection Detecting the burglar when he breaks in. Honeypots excel at this capability, due to their advantages.

8. Response Honeypots can be used to help respond to an incident. Can easily be pulled offline (unlike production systems. Little to no data pollution.

9. Research Honeypots Early Warning and Prediction Discover new Tools and Tactics Understand Motives, Behavior, and Organization Develop Analysis and Forensic Skills

10. Level of Interaction Level of Interaction determines amount of functionality a honeypot provides. The greater the interaction, the more you can learn. The greater the interaction, the more complexity and risk.

11. Low Interaction Provide Emulated Services No operating system for attacker to access. Information limited to transactional information and attackers activities with emulated services.

12. High Interaction Provide Actual Operating Systems Learn extensive amounts of information. Extensive risk.

13. Thank you for this opportunity