1. Honeypots and Honeynets
A New Response to Cybercrime Analysis
NAAG Seattle 04/14/03
Know Your Enemy is the purpose of the Honeynet Project. The book you see listed above was written by the Project based on their two years of research. You can find out more about the book online at http://www.honeynet.org/book/
2. Agenda
The Honeynet Project
The Enemy
Honeypot Basics
Honeypots In Use
Legal Implications
3. Honeynet Project Goals
Awareness: To raise awareness of the different types of honeypots that exist
Information: To teach and inform about the application of honeypots
Research: To spur thought-provoking discussion and help drive innovation and research in this emerging space
4. The Threat is Real
The blackhat community is extremely active
20+ unique scans a day (20/hour on UW network)
Fastest time a honeypot was manually compromised: 15 minutes; by a worm: 92 seconds
Default RH 6.2 life expectancy is 72 hours (fresh Windows 2000 install on UW network: 2 hours)
100% - 900% increase of activity from 2000 to 2001
It's only getting worse
http://www.honeynet.org/papers/stats/
Keep in mind this statistical information was gathered during 2000-2001. We fully believe that the threats on the Internet are exponentially more active due to the release of highly automated tools, such as worms and auto-rooters.
5. Know Your Enemy
6. Rising Attack Sophistication
Black hats have the initiative; they attack whatever they want, whenever they want
The public knows very little about the black hats (Who are they? How do they attack? Why?)
It is an arms race, and the bad guys are always ahead
7. Methodology
One of the most common tactics seen is attacking targets of opportunity
Drive-by shootings on the information superhighway
Scanning as many systems as possible and going for the easy kill
If only 1% of systems are vulnerable, and you scan over 1 million hosts, you can potentially hack into 10,000 systems
8. What are they looking for?
Keep in mind this statistical information was gathered during 2000-2001. We fully believe that the threats on the Internet are exponentially more active due to the release of highly automated tools, such as worms and auto-rooters.
9. Evolution
Firewalls
Early 90s
Must have; deployed before anything else
Intrusion Detection System (IDS)
Mid to late 90s
We can't guard everything, so let's watch the network for suspicious traffic
Honeypots
Early 2000
Not only do we want to know when the black hats are attacking, but also answer the question: Why?
Let's learn rather than just react
10. Concept of Honeypots
A security resource whose value lies in being probed, attacked or compromised
Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
Used for monitoring, detecting and analyzing attacks
11. The Role Of Honeypots In The Enterprise
Augments Firewalls and IDS
Research
Incident Response / Forensics
Deception / Deterrence
12. Advantages
Fidelity: information of high value
Reduced false positives
Reduced false negatives
Simple concept
Not resource intensive
Return on Investment
13. Disadvantages
Labor/skill intensive
Risk
Limited field of view
Does not protect vulnerable systems
14. Today's honeypots
Military, government organizations and security companies are applying the technologies
Primarily to identify threats and learn more about them
Commercial application increasing every day
15. Utility
Identifying new exploits
16. Future
Honeypots are now where firewalls were eight years ago
Beginning of the hype curve
Prediction: you will see five more commercial honeypots by the end of 2003
Enhanced policy enforcement capabilities
Advanced development in Open Source solutions
Integrated firewall/IDS/honeypot appliances
17. Gen II Honeynet
18. Virtual Honeynet
19. Live Demo
20. Top 10 attacked ports
21. Attacks logged
22. IRC traffic plugin output
23. Legal Issues
Entrapment
Liability
Privacy
24. Entrapment
Applies only to law enforcement
Useful only as defense in criminal prosecution
Still, most legal authorities consider honeypots non-entrapment
25. Liability
Any organization may be liable if their honeypot is used to attack or damage third parties.
Civil issue, not criminal
Example: T.J. Hooper v. Northern Barge Corp. (No weather radios)
Decided at state level, not federal
This is why the Honeynet Project focuses so much attention on Data Control.
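To make the concept slide (10), the demo views of top attacked ports and attacks logged (20, 21) and the Data Control point above concrete, here is an added Python example; it is not code from the talk or from the Honeynet Project. It runs over a constructed connection log: every flow to a honeypot address counts as a probe (the honeypot has no production value), probes are summarised as top attacked ports and per-source counts, and any flow from a honeypot is raised as a Data Control alarm. The honeypot addresses, log format and all addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample connection log (not from the slides): one line per flow seen at
# the honeynet gateway. Addresses are documentation ranges, chosen for this example.
SAMPLE_LOG = """\
2003-04-14T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2003-04-14T10:00:02 src=198.51.100.7 dst=192.0.2.11 dport=80 proto=tcp
2003-04-14T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2003-04-14T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=111 proto=tcp
2003-04-14T10:00:05 src=203.0.113.5 dst=192.0.2.11 dport=111 proto=tcp
2003-04-14T10:00:06 src=198.51.100.7 dst=192.0.2.50 dport=80 proto=tcp
2003-04-14T10:00:07 src=192.0.2.10 dst=203.0.113.99 dport=6667 proto=tcp
2003-04-14T10:00:08 src=192.0.2.10 dst=203.0.113.99 dport=6667 proto=tcp
"""

HONEYPOTS = {"192.0.2.10", "192.0.2.11"}  # hypothetical honeypot addresses
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, proto = m.groups()
            records.append({"ts": ts, "src": src, "dst": dst,
                            "dport": int(dport), "proto": proto})
    return records


def honeypot_probes(records):
    """Every flow *to* a honeypot is a probe: the honeypot has no production value."""
    return [r for r in records if r["dst"] in HONEYPOTS]


def probes_by_source(probes):
    """Who is scanning us, and how hard (the 'attacks logged' view)."""
    return dict(Counter(r["src"] for r in probes))


def top_attacked_ports(probes, n=10):
    """Top-N attacked ports; ties broken by port number so output is stable."""
    counts = Counter(r["dport"] for r in probes)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def outbound_from_honeypot(records):
    """Flows *from* a honeypot mean it is compromised and may be attacking third
    parties: this is the Data Control alarm the liability slide is about."""
    return [r for r in records if r["src"] in HONEYPOTS]
```

The flow to 192.0.2.50 is ignored because that host is not a honeypot, while the two IRC-port flows originating from 192.0.2.10 are exactly what Data Control must catch and contain.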
26. Privacy
No single federal statute (USA) concerning privacy
Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968)
Title I: Wiretap Act (18 USC 2510-22)
Title II: Stored Communications Act (18 USC 2701-11)
Title III: Pen/Trap Act (18 USC 3121-27)
27. Questions?
Email: dittrich@u.washington.edu
Slides available at: http://staff.washington.edu/dittrich/talks/NAAG.ppt