
Honeypots


Presentation Transcript


  1. Honeypots
     Mathew Benwell, Sunee Holland, Grant Pannell

  2. Introduction
     • What is a honeypot?
       • "An information system resource whose value lies in unauthorized or illicit use of that resource" (Spitzner 2003)
     • Types of honeypots
       • Production vs. research
         • Production: captures limited information; used to mitigate risk, typically in a corporate setting
         • Research: captures a lot of information; used to learn about threats and develop better protection
       • Prevention, detection, reaction
         • Prevention: keeping a threat out
         • Detection: sensing attacks and alerting administrators
         • Reaction: responding to a threat
       • Low-interaction, medium-interaction, high-interaction (more detail later on)
     • Implementations
       • Honeynets/honeyfarms: a network of real computers; high risk, high information gain
       • Spamtraps: honeypots used to collect spam
         • Usually e-mail addresses that are never used legitimately, so that all use of them is illegitimate
         • Usenet newsgroups lure cross-posted spam
       • Virtualisation: VMware
       • honeyd
       • Fake APs
       • Fake web servers
       • Network services: emulate telnet, FTP, SMTP, POP3, HTTP
       • Multipurpose solutions: Mantrap, Deception Toolkit, HOACD

  3. Advantages/Disadvantages
     • Advantages
       • Data collection: only relevant data is captured, giving small, high-value data sets
       • Minimal resource usage: less bandwidth and activity than other security implementations
       • Simplicity: less complex than other security mechanisms such as Intrusion Detection Systems, so less chance of misconfiguration
       • Cost: no need for high resource usage (depends on the application)
     • Disadvantages
       • Single point of attack: useless if it is not attacked
       • Risk: can itself be exploited; the risk depends on the type of honeypot (more detail later on)
       • Limited view: only captures what interacts with it, not the whole scope of the system
       • Cost: deployment costs and analysis costs (depends on the application)

  4. Security & Risks
     • Three types of honeypot, classified by risk
       • Low-interaction: emulated services; no requests, only connections
       • Medium-interaction: emulated services; requests with faked responses
       • High-interaction: real software/operating system services; direct access to data
     • Emulated software and OS need to be up to date and hardened
       • Possible exploitation -> access to the OS (buffer overruns, etc.)
     • Always monitor the honeypot
       • Can place an IDS/firewall between the attacker and the honeypot
       • Log requests, connections, patterns
       • Lack of monitoring -> what happens?
     • Virtualisation (VMware, etc.)
       • Can help if resources are limited
       • Leaves the host intact; runs a new OS on top of the running OS
       • Virtualisation software exploitable -> access to the host OS
     • Secure the honeypot by:
       • Physical disconnection
       • DMZs and ACLs (logical)
         • Predict the attacker's entry point and put the honeypot in the same zone
         • ACL to control access between the DMZ and the sensitive network
         • ACL to filter honeypot traffic
     • Honeypot compromised?
       • Identity found -> attacker sends bogus data
       • Emulated software not accurate
       • Exploit of the emulation/software/OS -> disable the honeypot, remove gathered data, use it as a spam relay, for DoS, or to attack other hosts

  5. Legal Issues & Evidence
     • Types of evidence
       • Content: keystrokes, actions, requests, credentials
       • Transactional: time, duration, protocol, service, source, destination
     • Entrapment
       • May exclude evidence
       • May not be relevant: only applies if public law enforcement is involved
     • Privacy
       • Laws against tracking real-time data
       • Applicable law depends on the location of the honeypot and of the attacker
       • Production honeypots: possibly exempt under service-provider protection law
       • Research honeypots: depends on whether transactional or content data is captured; content data is more sensitive
       • Prompt the user that all activity is logged?
       • No certain decision yet (2003)
     • Integrity of evidence
       • Identity of honeypot compromised -> bogus data and patterns
       • Not all data sent to the honeypot is malicious -> routine network broadcasts
       • Limited view of the network -> may not be relevant to legitimate hosts
       • Always log! Checksums, timestamps
       • Chain-of-custody documentation: preparation, activities, shutting down, copying, analysis
     • Liability
       • If compromised, ensure the honeypot is not used to attack other hosts or organisations
       • Attacker liable? Administrator liable? Yet to have a certain decision (2003)
       • Cannot re-attack the attacker: that is classed as DoS!
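As an added example (not from the slides), the following Python sketch ties slide 4 to slide 5: a low-interaction listener that accepts connections and never answers, recording only the transactional evidence slide 5 lists (time, duration, protocol, service, source, destination), with each record sealed by a SHA-256 checksum that chains to the previous record so that later edits or deletions are detectable. The loopback scenario in `demo()` and the service name "telnet" are constructed for illustration.

```python
import hashlib
import json
import socket
import time

def append_record(log, src, dst, service, start, end):
    """Transactional evidence only (time, duration, protocol, service, source, destination),
    sealed with a SHA-256 checksum that also covers the previous record's checksum."""
    prev = log[-1]["checksum"] if log else "0" * 64
    rec = {"time": round(start, 3), "duration": round(end - start, 3),
           "protocol": "tcp", "service": service,
           "source": f"{src[0]}:{src[1]}", "destination": f"{dst[0]}:{dst[1]}",
           "prev": prev}
    rec["checksum"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    log.append(rec)

def verify_chain(records):
    """True only if every checksum matches its record and links to the record before it."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "checksum"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != rec["checksum"]:
            return False
        prev = rec["checksum"]
    return True

def capture_connection(listener, service, log):
    """Accept one connection, answer nothing (connections only, no emulated requests), log it."""
    conn, src = listener.accept()
    start = time.time()
    with conn:
        conn.settimeout(1.0)
        try:
            conn.recv(1024)      # discard any data; a timeout or the peer closing ends the wait
        except socket.timeout:
            pass
    append_record(log, src, listener.getsockname(), service, start, time.time())

def demo(n_connections=2):
    # Constructed scenario: local clients connect and the listener records each connection.
    log = []
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))   # ephemeral port so this runs unprivileged
        listener.listen(5)
        for _ in range(n_connections):
            with socket.create_connection(listener.getsockname()) as client:
                client.sendall(b"probe\r\n")    # constructed client traffic
            capture_connection(listener, service="telnet", log=log)   # loopback backlog holds it
    return log
```

A real deployment would write each record to append-only storage off the honeypot host, since a compromised honeypot can rewrite its own log (slide 5: "Identity of honeypot compromised -> bogus data and patterns").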

  6. Recommendation
     • VMware for research
       • High-interaction
       • Easy preservation of memory contents
       • Easy duplication of disk contents
       • System easily restored
       • May be less likely to stand up in court
       • Ensure the host system is appropriately secured; use host integrity checks to verify host security
     • Honeyd for production
       • Medium-interaction
       • Mimics any service
       • Mimics multiple operating systems
       • Not a full operating system, so some honeypot risks are reduced
