70 likes | 313 Views
Honeypots. Mathew Benwell , Sunee Holland, Grant Pannell. Introduction. What is a honeypot ? “An information system resource whose value lies in unauthorized or illicit use of that resource” ( Spitzner 2003) Types of honeypots Production vs. Research
E N D
Honeypots Mathew Benwell , Sunee Holland, Grant Pannell
Introduction • What is a honeypot? • “An information system resource whose value lies in unauthorized or illicit use of that resource” (Spitzner 2003) • Types of honeypots • Production vs. Research • Production – captures limited information, for mitigating risk, used in a corporate setting • Research – captures lots of information, learn about threats, develop better protection • Prevention, detection, reaction • Prevention – keeping a threat out • Detection – sensing attacks, alerting admins • Reaction – responding to a threat • Low-interaction, medium-interaction, high-interaction • More detail later on • Implementations • Honeynets/honeyfarms • Network of real computers, high risk, high information gain • Spamtraps • Honeypot used to collect spam • Usually e-mail addresses that prevent legitimate use to ensure all use is illegitimate • Usenet newsgroups lure cross-posted spam • Virtualisation • VMware • honeyd • Fake APs • Fake web servers • Network services • Emulate telnet, FTP, SMTP, POP3, HTTP • Multipurpose solutions • Mantrap, Deception Toolkit, HOACD
Advantages/Disadvantages • Advantages • Data collection • Only captures relevant data • Small data sets • High value • Minimise resource usage • Less bandwidth or activity than other security implementations • Simplicity • Less complex than other security mechanisms such as Intrusion Detection Systems • Less chance of misconfiguration • Cost • No need for high resource usage • Depends on the application • Disadvantages • Single point of attack • Useless if it is not attacked • Risk • Have a risk of being exploited – depends on the type of honeypot • More detail later on • Limited view • Limited data – only captures what interacts with it and not the whole scope of the system • Cost • Deployment costs, analysis costs • Depends on the application
Security & Risks • 3 Types of Honeypots Classified by Risk • Low-Interaction • Emulated Services – No requests, only Connections • Medium-Interaction • Emulated Services – Requests with Faked Responses • High-Interaction • Software/Operating System Services – Direct access to data • Emulated Software and OS needs to be up-to-date, hardened • Possible Exploitation Ø Access to OS • Buffer Overruns, etc. • Always Monitor Honeypot • Can use IDS/Firewall between Hacker and Honeypot • Log Requests, Connections, Patterns • Lack of monitoring Ø What happens? • Virtualisation (VMWare, etc.) • Can help if resources limited • Leaves host intact, runs new OS on top running OS • Virtualisation software exploitable Ø Access to host OS • Secure Honeypot By: • Physical disconnection • DMZs and ACLs (Logical) • Predict hacker entry point • Put honeypot in same zone • ACL to control access between DMZ and sensitive network • ACL to filter honeypot traffic • Honeypot Compromised? • Identity found – send bogus data • Emulated software not accurate • Exploit emulation/software/OS • Disable Honeypot • Remove Gathered Data • Spam Relay, DoS, Attack Hosts
Legal Issues & Evidence • Types of Evidence • Content • Keystrokes, Actions, Requests, Credentials • Transactional • Time, Duration, Protocol, Service, Source, Destination • Entrapment • May exclude evidence • May not be relevant • Only applies if public law enforcement involved • Privacy • Laws against tracking real-time data • Law depends on location of honeypot and hacker • Production Honeypots – exempt by Service Provider Protection Law, maybe • Research Honeypots – depends if Transactional or Content data • Content data more sensitive • Prompt user that all activity is logged? • No certain decision yet (2003) • Integrity of Evidence • Identity of Honeypot Compromised Ø Bogus Data & Patterns • Not all data sent to honeypot is malicious Ø Routine Network Broadcasts • Limited View on Network Ø May not be relevant to legitimate hosts • Always log! Checksums, Timestamps • Chain of Custody Documentation • Preparation, Activities, Shutting Down, Copying, Analysis • Liability • If compromised, ensure honeypot not used to attack other hosts or organisations • Hacker liable? Administrator liable? • Yet to have certain decision (2003) • Cannot re-attack hacker, classed as DoS!
Recommendation • VMware - Research • High-Interaction • Easy preservation of memory contents • Easy duplication of disk contents • System easily restored • May be less likely to stand up in court • Ensure host system is appropriately secured • Use host integrity checks to verify host security • Honeyd - Production • Medium-Interaction • Mimics any service • Mimics multiple operating systems • Not a full operating system so reduces some honeypot risks