All about Honeypots & Honeynets
Sayyed Mehdi Poustchi Amin, MCTS-MCITP-MCSE-MCSA-MCP, Manager, Iran Honeynet Project, [email_address], 14 Oct 2008
Agenda
- Introduction to honeypots and honeynets: what is a honeypot? Benefits/downsides of deploying a honeypot; how to classify a honeypot; advantages/disadvantages of low-interaction honeypots; advantages/disadvantages of high-interaction honeypots; what is a honeynet?
- Free and commercial honeypot solutions: digest of honeypot products
- Installing your own honeypot: how to prepare the installation of a honeypot
- Detection of honeypots: techniques of detection
- Future of honeypot technologies: honeytokens, wireless honeypots, SPAM honeypots, honeypot farms
- Summary
Introduction to honeypots & honeynets
What is a honeypot?
Abstract definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)
Concrete definition: "A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised."
Introduction to honeypots & honeynets
The threat is real
- Black hats have the initiative: they attack whatever they want, whenever they want.
- The public knows very little about the black hats (who are they? how do they attack? why?).
- It is an arms race, and the bad guys are always ahead (see the figure on the next slide).
Introduction to honeypots & honeynets (figure slide: the image is not reproduced in this transcript)
Introduction to honeypots & honeynets
Benefits of deploying a honeypot
- Risk mitigation: a honeypot deployed in a production environment may lure an attacker away from the real production systems (an "easy target").
- IDS-like functionality: since no legitimate traffic should go to or from the honeypot, any traffic that does appear is suspect and can trigger further actions.
- Attack strategies: find out why and how you are attacked.
- Identification and classification: find out who is attacking you and classify him or her.
- Evidence: once the attacker is identified, all data captured may be used in legal proceedings.
- Increased knowledge: knowing how you are attacked improves your ability to respond appropriately and to prevent future attacks.
- Research: operating and monitoring a honeypot reveals the most up-to-date techniques, exploits and tools, as well as the spreading techniques of worms and viruses.
Introduction to honeypots & honeynets
Downsides of deploying a honeypot
- Limited view: honeypots only track and capture activity that directly interacts with them, so they will not capture attacks against other systems.
- Additional risk: deploying a honeypot creates additional risk and can eventually put the whole organization's IT security at risk. Like all security technologies, honeypots carry risk. Depending on the type of honeypot deployed, the system may be taken over by an attacker and used to harm other systems, which can have serious legal consequences.
Introduction to honeypots & honeynets
How to classify a honeypot?
Honeypots are classified by the level of interaction they offer the attacker:
- Low-interaction honeypot: only parts of (vulnerable) applications or operating systems are emulated by software (e.g. honeyd); there is no real interaction with a live system.
- High-interaction honeypot: the attacker is given a full, working operating system and can interact with it to the fullest extent possible.
Several honeypots can be combined into an entire honeynet.
Introduction to honeypots & honeynets
Advantages of low-interaction honeypots
- Good starting point
- Easy to install, configure, deploy and maintain
- Low, or at least limited, risk
- Logging and analysis are simple: only transactional information is recorded (time and date of the attack, protocol, source and destination IP and port), nothing about the attack itself
Introduction to honeypots & honeynets
Disadvantages of low-interaction honeypots
- Pretty boring :-)
- No real interaction possible for the attacker
- Very limited logging abilities
- Can only capture known attacks (whatever the emulation was written to handle)
- Easily detected by a skilled attacker
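A minimal low-interaction honeypot of the kind the two slides above describe, added here as an illustration (it is not honeyd or any other product named on this page). It emulates nothing but a service banner, records the transactional data a low-interaction honeypot can see (time, protocol, source and destination address/port, the first bytes the client sent) and hangs up; nothing received is ever interpreted. The banner text, the loopback port and the record layout are this example's own choices.

```python
"""Minimal low-interaction honeypot (illustration only, not honeyd or any product
on the page). It sends a fake banner, logs transactional data and closes."""
import datetime
import socket
import threading

MAX_READ = 256  # read a bounded amount; nothing received is ever parsed or executed


class BannerHoneypot:
    """One TCP listener: send a fake banner, log what the client sends, close."""

    def __init__(self, banner: bytes, host: str = "127.0.0.1", port: int = 0):
        self.banner = banner
        self.records = []  # in-memory log; a real deployment writes to syslog/disk
        self._running = False
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.5)  # so the accept loop can notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def address(self):
        return self._sock.getsockname()[:2]

    def start(self):
        self._running = True
        self._thread.start()

    def stop(self):
        self._running = False
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
        conn.settimeout(2.0)
        data = b""
        try:
            conn.sendall(self.banner)
            data = conn.recv(MAX_READ)
        except OSError:  # includes timeouts: a silent client is still logged
            pass
        # Log before closing, so the record exists by the time the client sees EOF.
        self.records.append({
            "time": ts,
            "proto": "tcp",
            "src_ip": peer[0],
            "src_port": peer[1],
            "dst_port": self.address[1],
            "payload": data.decode("latin-1"),  # 1:1 byte mapping, safe for any input
        })
        conn.close()


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Play the attacker: connect, read the banner, send a payload, wait for the hang-up."""
    with socket.create_connection((host, port), timeout=5) as c:
        banner = c.recv(MAX_READ)
        c.sendall(payload)
        while c.recv(MAX_READ):  # drain until the honeypot closes the connection
            pass
    return banner


def run_demo():
    """Start the honeypot on a loopback port, hit it twice, return banner and log."""
    hp = BannerHoneypot(b"220 mail.example.invalid ESMTP ready\r\n")  # made-up banner
    hp.start()
    try:
        host, port = hp.address
        banner = probe(host, port, b"EHLO scanner\r\n")
        probe(host, port, b"VRFY root\r\n")
    finally:
        hp.stop()
    return banner, hp.records


if __name__ == "__main__":
    banner, records = run_demo()
    print("banner:", banner)
    for r in records:
        print(r)
```

The records show exactly what the slides say such a honeypot yields: who connected, when, to which port, and the first bytes they sent. Anything beyond the banner (the reply to EHLO, a real command loop) is missing, which is what makes this easy for a skilled attacker to spot.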
Introduction to honeypots & honeynets
Advantages of high-interaction honeypots
- This is where the fun part starts :-)
- You face real-life data and attacks, so the activity captured is the most valuable.
- Learn as much as possible about the attacker, the attack itself and especially the methodology and tools used.
- High-interaction honeypots can help you prevent future attacks and build an understanding of possible threats.
Introduction to honeypots & honeynets
Disadvantages of high-interaction honeypots
- Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming, as it involves a variety of technologies (IDS, firewall etc.) that all have to be customized.
- Analyzing a compromised honeypot is extremely time consuming (40 hours of analysis for every 30 minutes an attacker spends on the system!) and difficult (identifying exploits, rootkits, system or configuration modifications etc.).
- A high-interaction honeypot introduces a high level of risk and, if no additional precautions are in place, can put the organization's overall IT security at stake.
Introduction to honeypots & honeynets
What is a honeynet?
A honeynet is a network that contains one or more honeypots. Since honeypots are not production systems, the honeynet itself has no production activity and no authorized services; as a result, any interaction with a honeynet implies malicious or unauthorized activity.
A honeynet is an architecture: a highly controlled network in which you can control and monitor all activity that happens within it. You then place your target systems, the honeypots, inside that architecture.
Introduction to honeypots & honeynets
Honeynet Project goals (http://www.honeynet.org)
The Honeynet Project is a nonprofit organization founded in October 1999 and dedicated to information security and honeypot research.
- Awareness: learn the tools, tactics and motives of the hacker community
- Information: teach and inform about the application of honeypots and forensic challenges
- Research: spur thought-provoking discussion and help drive innovation and research in this emerging space
Introduction to honeypots & honeynets
Honeynet architecture (figure slide: the diagram is not reproduced in this transcript)
Introduction to honeypots & honeynets
Key requirements
- Data control: defines how activity is contained within the honeynet without the attacker noticing. Its purpose is to minimize risk (e.g. Snort-Inline, bandwidth throttling).
- Data capture: capturing all of the attacker's activity without the attacker noticing (e.g. Sebek).
- Data analysis: the ability to analyze the captured data.
- Data collection: the ability to collect data from multiple honeynets into a single source.
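One concrete form of the data control requirement above, added as an illustration; it is not Snort-Inline or any other project's code. Inbound connections are always let through (the honeypot must stay reachable), while new outbound connections from each honeypot are capped per protocol within a sliding time window. Excess connections are silently dropped rather than rejected, so the attacker sees timeouts instead of an obvious filter. The cap values, the honeypot address and the connection log are example choices constructed for this demonstration.

```python
"""Outbound connection limiting at a honeynet gateway (illustration only).
Inbound is never blocked; outbound is capped per honeypot and protocol."""
from collections import defaultdict, deque


class OutboundLimiter:
    """Per-(honeypot, protocol) cap on new outbound connections within window_s seconds."""

    def __init__(self, limits: dict, window_s: int = 3600):
        self.limits = limits                 # example values, e.g. {"tcp": 15, "udp": 20}
        self.window_s = window_s
        self._allowed = defaultdict(deque)   # (honeypot_ip, proto) -> timestamps allowed
        self.dropped = []                    # what was blocked, for the analyst

    def decide(self, ts: float, honeypot_ip: str, proto: str, dst: str) -> str:
        q = self._allowed[(honeypot_ip, proto)]
        while q and ts - q[0] >= self.window_s:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.limits.get(proto, 0):   # unknown protocols get no allowance
            self.dropped.append((ts, honeypot_ip, proto, dst))
            return "drop"
        q.append(ts)
        return "allow"


def apply_policy(events, honeypots, limiter):
    """events: (ts, src_ip, proto, dst_ip) for each new connection seen at the gateway.
    Anything into the honeynet is allowed; anything leaving it goes through the limiter."""
    verdicts = []
    for ts, src, proto, dst in events:
        if src in honeypots:
            verdicts.append(limiter.decide(ts, src, proto, dst))
        else:
            verdicts.append("allow")  # inbound attacker traffic is the point of the honeynet
    return verdicts


def demo_events():
    """Constructed sample: an attacker breaks into 10.0.0.5 at t=0, uses it to sweep
    a /24 (20 outbound TCP connects within a minute) and tries once more an hour later."""
    events = [(0.0, "203.0.113.9", "tcp", "10.0.0.5")]          # inbound compromise
    events += [(10.0 + i, "10.0.0.5", "tcp", f"192.0.2.{i + 1}") for i in range(20)]
    events.append((3700.0, "10.0.0.5", "tcp", "192.0.2.100"))   # window has slid by now
    return events


def run_demo():
    limiter = OutboundLimiter({"tcp": 15, "udp": 20, "icmp": 50})
    verdicts = apply_policy(demo_events(), {"10.0.0.5"}, limiter)
    return verdicts, limiter.dropped


if __name__ == "__main__":
    verdicts, dropped = run_demo()
    print(verdicts.count("allow"), "allowed,", verdicts.count("drop"), "dropped")
    for d in dropped:
        print("dropped outbound:", d)
```

The first 15 outbound connections go through, so the attacker still gets to scan a little and stays interested; the rest are dropped, and the dropped list is itself capture data worth keeping. A limiter like this is only one layer: bandwidth throttling and an inline IDS that rewrites known exploit traffic belong beside it.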
Free & commercial honeypot solutions
Digest of honeypot products
- BackOfficer Friendly: a free Win32-based honeypot that emulates single services such as telnet, FTP and SMTP.
- Deception Toolkit (DTK): a free, programmable solution intended to make the system running DTK appear to attackers to have a large number of widely known vulnerabilities.
- Mantrap / Decoy Server (commercial): Symantec Decoy Server sensors deliver detection and response and provide detailed information through a system of data collection modules.
- Specter: offers common Internet services such as SMTP, FTP, POP3, HTTP and telnet. They appear normal to attackers but are in fact traps.
Free & commercial honeypot solutions
Which is best? None: they all have their advantages and disadvantages. It depends on what you are trying to achieve.
Installing your own honeypot
How to prepare the installation of a honeypot
1. Read as much as you can about honeypots.
2. Confirm that honeypots are allowed in your environment.
3. Define the goals of your honeypot: why do you want to run one?
4. Decide what type of honeypot you will deploy.
5. Collect your own set of monitoring, logging and forensic analysis tools.
6. Develop a recovery plan: how are you going to restore the honeypot to an unaltered state?
7. Deploy the honeypot and its supporting components.
8. Test the deployment.
9. Analyze the results.
10. Fine-tune the honeypot based on lessons learned.
11. Repeat steps as necessary.
Installing your own honeypot
How to prepare the installation of a honeypot (cont.)
- Low-interaction honeypot: make sure an attacker cannot reach the underlying operating system; just KEEP IT SIMPLE!
- High-interaction honeypot: use network controls (firewalls, intrusion detection systems) to contain the honeypot and make sure it cannot be used to harm third parties.
- Don't expect too much! Don't push yourself too hard in the beginning. You will probably want to catch 0-day exploits, but that is a *long* way off; start with something simple.
- Wipe the hard drive before using it in a honeypot.
Installing your own honeypot
How to prepare the installation of a honeypot (cont.)
- Copy the evidence before analyzing it (e.g. with dd).
- Give the honeypot enough time to work. An attacker needs time to compromise a system and work with it, so give him or her enough time to play (e.g. two weeks).
- Don't put any production data on the honeypot. It is a good idea to place pseudo-interesting data on a honeypot, but never real production data!
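The "copy the evidence before analyzing it" step, worked through as an added example (it is not the presentation's own procedure). On the command line this is `dd if=/dev/sdX of=honeypot.img bs=1M conv=noerror,sync`; the version below shows the checks a practitioner puts around that copy: open the source read-only, refuse to overwrite an existing image, hash the source while copying, and re-hash the image from disk before trusting it. The "disk" it images is a constructed temporary file, not real evidence, and the file names are this example's own.

```python
"""Evidence imaging with integrity checks (illustration only, not the page's procedure).
Equivalent shell step: dd if=/dev/sdX of=honeypot.img bs=1M conv=noerror,sync"""
import datetime
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB, like bs=1M above


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_evidence(src: str, dst: str) -> dict:
    """Copy src to dst block by block; hash the source on the way and the image afterwards."""
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    src_fd = os.open(src, os.O_RDONLY)                 # read-only: never touch the original
    try:
        # O_EXCL: fail instead of clobbering an image that already exists; 0o400 = read-only
        dst_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    except OSError:
        os.close(src_fd)
        raise
    src_hash, size = hashlib.sha256(), 0
    with os.fdopen(src_fd, "rb") as fin, os.fdopen(dst_fd, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(block)
            fout.write(block)
            size += len(block)
    image_hash = sha256_file(dst)      # re-read from disk: verifies what actually landed
    return {                           # chain-of-custody record for the analyst's notes
        "started": started, "src": src, "dst": dst, "bytes": size,
        "sha256_src": src_hash.hexdigest(), "sha256_image": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
    }


def run_demo():
    """Image a constructed stand-in disk, then show that a second run refuses to overwrite."""
    workdir = tempfile.mkdtemp(prefix="hp-evidence-")
    try:
        disk = os.path.join(workdir, "honeypot-disk.bin")
        with open(disk, "wb") as f:    # constructed content: 3 MiB of pattern plus a partial block
            f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"tail-of-last-block")
        image = os.path.join(workdir, "honeypot-disk.img")
        record = image_evidence(disk, image)
        try:
            image_evidence(disk, image)
            refused = False
        except FileExistsError:
            refused = True
        return record, refused
    finally:
        for name in os.listdir(workdir):
            os.chmod(os.path.join(workdir, name), 0o600)
        shutil.rmtree(workdir)


if __name__ == "__main__":
    record, refused = run_demo()
    print(record)
    print("second imaging refused:", refused)
```

Analysis then happens on a copy of the verified image, never on the original disk and never on the only image; the hashes in the record are what let you show later that nothing changed between acquisition and analysis.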
Detection of honeypots
Techniques of detection
- Technical properties of the honeypot: response times, banners, registry entries, inconsistent responses or parameters...
- "Social" properties of the system, user interaction: no typical usage (e.g. no new files created or accessed on a server for more than a week...)
- Network sniffing: packets going to/from the system (sniffing may be done from a different system on the network, if possible)
- Search for traces of VMware: VMware is a popular platform for honeypots, but it can be detected locally
Detection of honeypots
Techniques of detection (cont.)
- Search for traces of honeypot tools: temp folders, kernel dumps, backdoors (Sebek etc.)
- Search for history files/logs and other configuration errors: not only the bad guys make mistakes :-)
- Vulnerabilities/exploits for the honeypot product itself (low-interaction honeypots only)
- Just be creative :-)
Detection of honeypots
Examples of honeypot detection
Inconsistencies in the TCP/IP stack: tools like hping can be used to detect incorrect TCP/IP stack emulations.
- Normal RH9: TTL=64, window=0, id=0, DF
- RH9 on VMware: TTL=64, window=0, id=0, DF
- RH9 on honeyd: TTL=64, window=1460, id=0, DF
Detection of honeypots
Overview of different TCP/IP stacks
A list of the properties of different TCP/IP stacks can easily be built (e.g. with hping):
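The hping-style check from the previous slide, carried out in code as an added example (not part of the original presentation). The reference values are the slide's (a Red Hat 9 reply with TTL 64, window 0, IP ID 0 and DF set, versus window 1460 from honeyd); the packets are built by hand rather than captured, and the addresses and ports in them are made up. One caveat the slide does not spell out is handled: the TTL you observe has been decremented once per hop, so it is compared against the nearest common initial value rather than literally.

```python
"""Compare a host's TCP/IP reply fields with the stack it claims to be (illustration only).
Reference values come from the slide; the packets below are constructed, not captured."""
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst
TCP_FMT = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urg
DF_BIT = 0x4000
REFERENCE = {"rh9": {"ttl": 64, "window": 0, "id": 0, "df": True}}   # from the slide


def build_ipv4_tcp(src, dst, ttl, ident, df, sport, dport, flags, window) -> bytes:
    """Assemble a bare IPv4+TCP header pair; checksums stay 0 because it never hits a wire."""
    ip = struct.pack(IP_FMT, 0x45, 0, 40, ident, DF_BIT if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fingerprint-relevant fields out of a raw IPv4/TCP packet."""
    ver_ihl, _tos, _tlen, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, _off, flags, window, _tcsum, _urg = struct.unpack(
        TCP_FMT, pkt[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "id": ident, "df": bool(frag & DF_BIT), "sport": sport, "dport": dport,
            "flags": flags, "window": window}


def initial_ttl(observed: int) -> int:
    """Routers decrement TTL per hop, so compare against the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return observed


def stack_mismatches(pkt: bytes, claimed_os: str) -> list:
    """Names of the reply fields that do not fit the claimed stack (empty list = consistent)."""
    seen, want = parse_ipv4_tcp(pkt), REFERENCE[claimed_os]
    bad = []
    if initial_ttl(seen["ttl"]) != want["ttl"]:
        bad.append("ttl")
    for field in ("window", "id", "df"):
        if seen[field] != want[field]:
            bad.append(field)
    return bad


def run_demo():
    """Two constructed RST/ACK replies: a real RH9 box three hops away, and a honeyd emulation."""
    rst_ack = 0x14
    real = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 61, 0, True, 0, 2171, rst_ack, 0)
    fake = build_ipv4_tcp("10.0.0.6", "10.0.0.1", 64, 0, True, 0, 2171, rst_ack, 1460)
    return stack_mismatches(real, "rh9"), stack_mismatches(fake, "rh9")


if __name__ == "__main__":
    print("real host mismatches:", run_demo()[0])
    print("honeyd host mismatches:", run_demo()[1])
```

Extending REFERENCE with more stacks turns this into the table the slide says can easily be built; fed with packets from a sniffer instead of `build_ipv4_tcp`, it is the passive side of the same test. The defensive lesson is the mirror image: honeyd's personality file must produce the same values a real host would, or the emulation is a giveaway.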
Future of honeypot technologies
Future on the good side...
- Honeytokens
- Wireless honeypots
- SPAM honeypots
- Honeypot farms
- Search-engine honeypots
Future of honeypot technologies
Honeytokens
The concept of honeytokens is not new. A honeytoken is typically a bogus record in a database that no application needs; if someone accesses it, an alarm can be raised (a honeypot inside an application).
Example: a patient record for John F. Kennedy in a hospital's patient database. There is no such patient in the hospital.
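The hospital example above in working form, added here as an illustration (it is not code from the presentation). A bogus patient record that no legitimate workflow needs is planted in the table, and the application's data-access layer inspects every result set, raising an alert the moment that record is returned, whether by a full dump or a targeted lookup. The schema, the other patient records and the actor names are constructed for this example.

```python
"""Honeytoken record inside an application database (illustration only).
Any query whose results include the token raises an alert."""
import datetime
import sqlite3

HONEYTOKEN_NAME = "John F. Kennedy"   # the slide's example: no such patient exists


class PatientStore:
    """Tiny in-memory patient table with one honeytoken row and an alerting query path."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.row_factory = sqlite3.Row
        self.alerts = []
        self.conn.execute(
            "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ward TEXT, dob TEXT)")
        self.conn.executemany(
            "INSERT INTO patients (name, ward, dob) VALUES (?, ?, ?)",
            [("Alice Example", "Cardiology", "1961-04-02"),     # constructed records
             ("Bob Example", "Oncology", "1975-11-30"),
             (HONEYTOKEN_NAME, "Cardiology", "1917-05-29")])   # the honeytoken
        self.token_id = self.conn.execute(
            "SELECT id FROM patients WHERE name = ?", (HONEYTOKEN_NAME,)).fetchone()["id"]

    def _touches_token(self, row) -> bool:
        # Match on the primary key when it was selected, on the name otherwise,
        # so a query that omits the id column cannot slip past the check.
        if "id" in row.keys() and row["id"] == self.token_id:
            return True
        return HONEYTOKEN_NAME in tuple(row)

    def query(self, actor: str, sql: str, params=()):
        """All application reads go through here, so any hit on the token is seen."""
        rows = self.conn.execute(sql, params).fetchall()
        if any(self._touches_token(r) for r in rows):
            self.alerts.append({
                "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "actor": actor, "sql": sql, "params": tuple(params), "rows": len(rows),
            })
        return rows


def run_demo():
    """A normal ward listing, then a table dump and a name lookup that hit the token."""
    store = PatientStore()
    ward = store.query("nurse_station_3",
                       "SELECT id, name FROM patients WHERE ward = ?", ("Oncology",))
    dump = store.query("dba_tmp", "SELECT * FROM patients")
    lookup = store.query("web_api",
                         "SELECT name, dob FROM patients WHERE name LIKE ?", ("%Kennedy%",))
    return len(ward), len(dump), len(lookup), store.alerts


if __name__ == "__main__":
    ward, dump, lookup, alerts = run_demo()
    print("rows returned:", ward, dump, lookup)
    for a in alerts:
        print("HONEYTOKEN ALERT:", a)
```

Two things decide whether this works in practice: the token must never be touched by legitimate paths (backups, reporting and ETL jobs are the usual false-positive sources and need an explicit exclusion), and it must look real enough that someone dumping the table does not skip it.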
Future of honeypot technologies
Wireless honeypots
Use of honeypot technology to detect intruders on wireless networks. Other wireless technologies, such as Bluetooth, could also be considered.
Future of honeypot technologies
Honeypot farms
Farming simplifies large honeynet deployments: instead of deploying large numbers of honeypots, or honeypots on every network, you deploy your honeypots in a single, consolidated location. Attackers are then redirected to the farm, regardless of which network they are on or probing.
Future of honeypot technologies
Search-engine honeypots
A web server built to catch attackers who use a search engine (mostly Google) as an attack tool.
Future of honeypot technologies
Future on the evil side...
- New honeypot detection techniques
- Automated honeypot scanners and anti-honeypot technologies
- Honeypot exploits
Summary
Coming closer to the end...
- Honeypots are a fairly new field of research and lots of work still has to be done (so start your own now!)
- Try your first forensic investigation by analyzing the files provided by honeynet.org :-)
- Analyzing compromised honeypots gives you an understanding of the tools, methodologies and avenues used by attackers in the wild (and may improve your own hacking skills as well as your defense strategies!)
Further information
Online resources
- Honeynet Project, http://www.honeynet.org
- Lance Spitzner, "Tracking Hackers", http://www.tracking-hackers.com
- Lance Spitzner, "Honeypot Farms", http://www.securityfocus.com/infocus/1720
- Distributed Honeypot Project, http://www.lucidic.net
- Niels Provos, honeyd, http://www.honeyd.org
- Phrack magazine, http://www.phrack.org
- Lance Spitzner, "Fighting Relay Spam the Honeypot Way", http://www.tracking-hackers.com/solutions/sendmail.html
- Honeynet Germany, "IT-Sicherheit in Deutschland", http://www.honeynet.de
- Google.com :-)
All about Honeypots & Honeynets
The end. Thanks for your patience and attention!
This presentation is available online at http://www.FanavaranComputer.com/honeypot and http://www.Honeynet.ir

More Related Content

PPTX
Honeypot ppt1
PPTX
Honeypot
PPTX
Honeypots
PPT
Honeypot
PPTX
Honeypots (Ravindra Singh Rathore)
PPTX
Honeypots
PDF
Virtual honeypot
PPT
Honeypots
Honeypot ppt1
Honeypot
Honeypots
Honeypot
Honeypots (Ravindra Singh Rathore)
Honeypots
Virtual honeypot
Honeypots

What's hot (20)

PPT
PPTX
Honeypot a trap to hackers
PPTX
PDF
Honeypots for Network Security
PPTX
HONEYPOTS: Definition, working, advantages, disadvantages
PPTX
Tushar mandal.honeypot
PPTX
Honeypots and honeynets
PPTX
honey pots introduction and its types
PPT
Honeypot honeynet
PPTX
PPSX
Honeypot and deception
PPTX
Honeypot2
PPTX
Honey po tppt
PPT
Honeypot Basics
PPTX
Honeypot ss
PPTX
Intrusion detection
PPTX
Introduction To Exploitation & Metasploit
PPTX
Botnets
PPTX
Metasploit
PPTX
Ip Spoofing
Honeypot a trap to hackers
Honeypots for Network Security
HONEYPOTS: Definition, working, advantages, disadvantages
Tushar mandal.honeypot
Honeypots and honeynets
honey pots introduction and its types
Honeypot honeynet
Honeypot and deception
Honeypot2
Honey po tppt
Honeypot Basics
Honeypot ss
Intrusion detection
Introduction To Exploitation & Metasploit
Botnets
Metasploit
Ip Spoofing
Ad

Similar to All about Honeypots & Honeynets (20)

PPT
Honeypot-A Brief Overview
PPTX
Honeypots.ppt1800363876
PDF
Honeypots
PDF
Seminar Report on Honeypot
PPTX
Honey pots
PDF
Honeypot Methods and Applications
DOCX
Honeypots
PPTX
Honey pots
DOC
Honeypot Essentials
PPT
Honeypot
PDF
Honeypot- An Overview
PDF
Paper id 312201513
PDF
IRJET- A Review on Honeypots
PPTX
Honey pot in cloud computing
PDF
Olll
PDF
Honeypot: A Security Tool in Intrusion Detection
PDF
Honeypot: A Security Tool in Intrusion Detection
PPTX
IDS+Honeypots Making Security Simple
PDF
Introduction to Honeypots
Honeypot-A Brief Overview
Honeypots.ppt1800363876
Honeypots
Seminar Report on Honeypot
Honey pots
Honeypot Methods and Applications
Honeypots
Honey pots
Honeypot Essentials
Honeypot
Honeypot- An Overview
Paper id 312201513
IRJET- A Review on Honeypots
Honey pot in cloud computing
Olll
Honeypot: A Security Tool in Intrusion Detection
Honeypot: A Security Tool in Intrusion Detection
IDS+Honeypots Making Security Simple
Introduction to Honeypots
Ad

More from Mehdi Poustchi Amin (20)

PPTX
Install Linux CentOS 7.0
PPTX
Install windows 8.1 Pro
PPTX
Install Windows Server 2008 Step-by-Step
PPTX
Install Windows Server 2012 Step-by-Step
PDF
Install Linux CentOS 6 x86_64 - minimum installation
PPTX
Honeypots in Cyberwar
PPT
How to use OpenPGP for Email Encryption & Signing
PPT
How to create Self-Sign Certificate by using OpenSSL
PDF
VMware Server 2
PDF
VMware ESX 3.5
PDF
Virtualization
PDF
VMware Workstation 7
PPT
Configuring RAID 1 on CentOs
PPT
Installing Parsix 1
PPT
Installing Debian 4
PPT
Installing Mandriva 2008
PPT
Installing Fedora 8
PPT
Installing Windows2008 Server
PPT
Proxy Servers & Firewalls
PPT
Installing Linux CentOs 5.0 Step-by-Step
Install Linux CentOS 7.0
Install windows 8.1 Pro
Install Windows Server 2008 Step-by-Step
Install Windows Server 2012 Step-by-Step
Install Linux CentOS 6 x86_64 - minimum installation
Honeypots in Cyberwar
How to use OpenPGP for Email Encryption & Signing
How to create Self-Sign Certificate by using OpenSSL
VMware Server 2
VMware ESX 3.5
Virtualization
VMware Workstation 7
Configuring RAID 1 on CentOs
Installing Parsix 1
Installing Debian 4
Installing Mandriva 2008
Installing Fedora 8
Installing Windows2008 Server
Proxy Servers & Firewalls
Installing Linux CentOs 5.0 Step-by-Step

Recently uploaded (20)

PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Empathic Computing: Creating Shared Understanding
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Big Data Technologies - Introduction.pptx
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Encapsulation theory and applications.pdf
Unlocking AI with Model Context Protocol (MCP)
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Chapter 3 Spatial Domain Image Processing.pdf
Review of recent advances in non-invasive hemoglobin estimation
Empathic Computing: Creating Shared Understanding
Building Integrated photovoltaic BIPV_UPV.pdf
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
MYSQL Presentation for SQL database connectivity
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Encapsulation_ Review paper, used for researhc scholars
Digital-Transformation-Roadmap-for-Companies.pptx
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
The Rise and Fall of 3GPP – Time for a Sabbatical?
Understanding_Digital_Forensics_Presentation.pptx
Dropbox Q2 2025 Financial Results & Investor Presentation
Big Data Technologies - Introduction.pptx
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Encapsulation theory and applications.pdf

All about Honeypots & Honeynets

  • 1. Sayyed Mehdi Poustchi Amin MCTS-MCITP-MCSE-MCSA-MCP IRAN Honeynet-Project Manager [email_address] 14 Oct 2008 All about Honeypots & Honeynets All about Honeypots & Honeynets
  • 2. Agenda Introduction to honeypots and honeynets What is a honeypot? Benefits /Downsides of deploying a honeypot How to classify a honeypot? Advantages/Disadvantages of low-interaction honeypots Advantages/Disadvantages of high-interaction honeypots What is a honeynet? Free and commercial honeypot solutions Digest of honeypot products Installing your own honeypot How to prepare the installation of a honeypot Detection of honeypots Techniques of detection Future of honeypot technologies Honeytokens Wireless honeypots SPAM honeypots Honeypot farms Summary
  • 3. Introduction to honeypots & honeynets What is a honeypot? Abstract definition: “ A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner) Concrete definition: “ A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised.”
  • 4. Introduction to honeypots & honeynets The threat is real Black hats have the initiative; attack whatever they want, whenever they want Public knows very little about the black hats (Who are they? How do they attack? Why?) Arms races, and the bad guys are always ahead See next figure
  • 6. Introduction to honeypots & honeynets Benefits of deploying a honeypot Risk mitigation: A honeypot deployed in a productive environment may lure an attacker away from the real production systems ( “ easy target“) . IDS-like functionality: Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions. Attack strategies: Find out reasons and strategies why and how you are attacked. Identification and classification: Find out who is attacking you and classify him (her).
  • 7. Introduction to honeypots & honeynets Benefits of deploying a honeypot (cont.) Evidence: Once the attacker is identified all data captured may be used in a legal procedure. Increased knowledge: By knowing how you are attacked you are able to enlarge your ability to respond in an appropriate way and to prevent future attacks. Research: Operating & monitoring a honeypot can reveal most up-to-date techniques/exploits and tools used as well as spreading techniques of worms or viruses.
  • 8. Introduction to honeypots & honeynets Downside of deploying a honeypot Limited view: Honeypots can only track and capture activity that directly interacts with them. Therefore honeypots will not capture attacks against other systems . Additional risk : Deploying a honeypot could create an additional risk and eventually put a whole organizations’ IT security at risk. Just as all security related technologies honeypots have risk. Depending on the type of honeypot deployed there is the risk the system is being taken over by a bad guy and being used to harm other systems. This could lead to serious legal consequences.
  • 9. Introduction to honeypots & honeynets How to classify a honeypot? Honeypots are classified by the level of interaction they provide to the attacker: Low-interaction honeypot: Only parts of (vulnerable) applications or operating systems are emulated by software (e.g. honeyd), no real interaction High-interaction honeypot: An attacker is provided with a full and working operating system enabling him/her to interact in the highest way possible. Several honeypots could be combined to an entire honeynet.
  • 10. Introduction to honeypots & honeynets Advantages of low-interaction honeypot Good starting point Easy to install, configure, deploy and maintain Introduce a low or at least limited risk Logging and analyzing is simple only transactional information are available, no information about the attacks themselves, e.g. time and date of an attack, protocol, source and destination IP as well as port
  • 11. Introduction to honeypots & honeynets Disadvantages of low-interaction honeypot Pretty boring :-) No real interaction for an attacker possible Very limited logging abilities Can only capture known attacks Easily detectable by a skilled attacker
  • 12. Introduction to honeypots & honeynets Advantages of high-interaction honeypot This is where the fun part starts :-) You will face real-life data and attacks so the activities captured are most valuable. Learn as much as possible about the attacker, the attack itself and especially the methodology as well as tools used. High-interaction honeypots could help you to prevent future attacks and get a certain understanding of possible threats.
  • 13. Introduction to honeypots & honeynets Disadvantages of high-interaction honeypot Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming as it involves a variety of different technologies (e.g. IDS, firewall etc.) that have to be customized. Analyzing a compromised honeypot is extremely time consuming (40 hours for every 30 minutes an attacker spend on a system!) and difficult (e.g. identity exploits, rootkit, system or configuration modifications etc.). A high-interaction honeypot introduces a high level of risk and - if there are no additional precautions in place - might put an organizations overall IT security at stake.
  • 14. Introduction to honeypots & honeynets What is a honeynet? Honeynet is a network that contains one or more honeypots. Since honeypots are not production systems, the honeynet itself has no production activity, no authorized services. As a result, any interaction with a honeynet implies malicious or unauthorized activity. Honeynet is an architecture. This architecture creates a highly controlled network, one that you can control and monitor all activity that happens within it. You then place your target systems, your honeypots, within that architecture.
  • 15. Introduction to honeypots & honeynets Honeynet Project Goals (http://www.honeynet.org) The Honeynet Project is a nonprofit organization founded in October 1999 dedicated to information security and honeypot research Awareness: Learn the Tools, Tactics, and Motives of the Hacker Community Information: To teach and inform about the application of honeypots and forensic challenges Research: To spur thought provoking discussion and help drive innovation and research in this emerging space
  • 16. Introduction to honeypots & honeynets Honeynet Architecture
  • 17. Introduction to honeypots & honeynets key requirements Data Control Data Control defines how activity is contained with the honeynet without an attacker knowing it. Its purpose is to minimize risk.(e.g. Snort-Inline , Bandwidth Throttling) Data Capture Data Capture is capturing all of the attacker's activity without the attacker knowing it (e.g. sebek) Data Analysis Data Analysis is the ability to analyze this data Data Collection Data Collection is the ability to collect data from multiple honeynets to a single source
  • 18. Agenda Introduction to honeypots and honeynets What is a honeypot? Benefits /Downside of deploying a honeypot How to classify a honeypot? Advantages/Disadvantages of low-interaction honeypots Advantages/Disadvantages of high-interaction honeypots What is a honeynet? Free and commercial honeypot solutions Digest of honeypot products Installing your own honeypot How to prepare the installation of a honeypot Detection of honeypots Techniques of detection Future of honeypot technologies Honeytokens Wireless honeypots SPAM honeypots Honeypot farms Summary
  • 19. Free & commercial honeypot solutions Digest of honeypot products BackOfficer Friendly: A free win32 based honeypot solution. It is able to emulate single services such as telnet, ftp, smtp Deception toolkit (DTK): A free and programmable solution intending to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities . Mantrap / Decoy Server (commercial) Symantec Decoy Server sensors deliver holistic detection and response as well as provide detailed information through its system of data collection modules. Specter SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET. They appear to be normal to the attackers but are in fact traps for them.
  • 20. Free & commercial honeypot solutions Which is best? None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.
  • 21. Agenda Introduction to honeypots and honeynets What is a honeypot? Benefits /Downside of deploying a honeypot How to classify a honeypot? Advantages/Disadvantages of low-interaction honeypots Advantages/Disadvantages of high-interaction honeypots What is a honeynet? Free and commercial honeypot solutions Digest of honeypot products Installing your own honeypot How to prepare the installation of a honeypot Detection of honeypots Techniques of detection Future of honeypot technologies Honeytokens Wireless honeypots SPAM honeypots Honeypot farms Summary
  • 22. Installing your own honeypot How to prepare the installation of a honeypot Read as much as you can about honeypots. Confirm that honeypots are allowed in your environment. Define the goals of your honeypot: why do you want to run one? Decide what type of honeypot you will deploy. Collect your own set of monitoring, logging and forensic analysis tools. Develop a recovery plan: how are you going to restore the honeypot system to an unaltered state? Deploy the honeypot and its supporting components. Test the deployment. Analyze the results. Fine-tune the honeypot system based on lessons learned. Repeat steps as necessary.
  • 23. Installing your own honeypot How to prepare the installation of a honeypot (cont.) Low-interaction honeypot: Make sure an attacker can’t reach the underlying operating system; just KEEP IT SIMPLE! High-interaction honeypot: Use network controls (e.g. firewalls, intrusion detection systems) to contain the honeypot and make sure it can’t be used to harm third parties. Don’t expect too much! Don’t push yourself too hard in the beginning. You will probably want to catch 0-day exploits, but that is a *long* way off. Start with something simple. Wipe the hard drive before using it in a honeypot, so that leftover data from its previous life is never mistaken for an attacker’s artefacts.
  • 24. Installing your own honeypot How to prepare the installation of a honeypot (cont.) Copy the evidence before analyzing it (e.g. with dd), record the hash of the copy and work only on the copy. Give the honeypot enough time to work. An attacker needs time to compromise a system and work with it, so give him or her enough time to play (e.g. two weeks). Don’t put any production data on the honeypot. It’s a good idea to place pseudo-interesting data on a honeypot, but never real production data!
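The evidence-copy step above, worked through as an added example (not code from the slides or from the Honeynet Project): it does in Python what `dd if=/dev/sdX of=evidence.img bs=512 conv=noerror,sync` followed by `sha256sum` does, hashing the data during acquisition, re-hashing the finished image and refusing analysis unless the two agree. The device and file names are assumptions; the code works on any regular file or block device.

```python
"""Acquire a forensic copy of a honeypot disk and verify it before analysis.

Added example. Unreadable blocks are replaced by zeros so that offsets in
the image still line up with the original disk (dd's noerror,sync), the
acquisition hash is stored next to the image in sha256sum -c format, and
the image file is made read-only so analysis tools cannot alter it.
"""
import hashlib
import os

SECTOR = 512  # real disks are a multiple of 512 bytes, so they get no padding


def image_evidence(src_path, img_path, block=SECTOR):
    """Copy src_path (e.g. /dev/sdX, assumed) to img_path block by block.

    Returns (sha256_of_written_data, number_of_unreadable_blocks).
    """
    acq = hashlib.sha256()
    bad_blocks = 0
    with open(src_path, "rb", buffering=0) as src, open(img_path, "wb") as img:
        size = src.seek(0, os.SEEK_END)  # works for files and block devices
        offset = 0
        while offset < size:
            src.seek(offset)
            try:
                chunk = src.read(block)
            except OSError:
                chunk = b""  # bad sector: noerror -> keep going
            if not chunk and offset + block <= size:
                bad_blocks += 1  # empty read before EOF means a read error
            if len(chunk) < block:
                chunk = chunk.ljust(block, b"\x00")  # sync -> pad to keep alignment
            acq.update(chunk)
            img.write(chunk)
            offset += block
    digest = acq.hexdigest()
    with open(img_path + ".sha256", "w") as sidecar:
        sidecar.write(f"{digest}  {os.path.basename(img_path)}\n")
    os.chmod(img_path, 0o444)  # the copy is evidence too: never write to it
    return digest, bad_blocks


def verify_image(img_path, expected_digest):
    """Re-hash the image on disk; True only if it matches the acquisition hash."""
    h = hashlib.sha256()
    with open(img_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_digest


if __name__ == "__main__":
    # Usage (paths are assumptions): image the honeypot disk, then verify.
    digest, bad = image_evidence("/dev/sdX", "evidence.img")
    print("acquired", digest, "unreadable blocks:", bad)
    print("image verifies:", verify_image("evidence.img", digest))
```

Analyse a mounted copy of `evidence.img` (read-only, `-o ro,loop`), not the file that the hash in `evidence.img.sha256` covers; if the verification hash ever stops matching, the chain of custody is broken and the analysis results are worthless.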
  • 26. Detection of honeypots Techniques of detection Technical properties of the honeypot: response times, banners, registry entries, inconsistent responses or parameters… “Social” properties of the system, user interaction: no typical usage (e.g. no new files created or accessed on a server for more than a week…). Network sniffing: packets going to/from the system (sniffing may be done from a different system on the network if possible). Search for traces of VMware: VMware is a popular platform for honeypots, but it can be detected locally.
  • 27. Detection of honeypots Techniques of detection (cont.) Search for traces of honeypot tools: temp folders, kernel dumps, backdoor-like capture tools (Sebek etc.). Search for history files/logs and other configuration errors: not only the bad guys make mistakes :-) Vulnerabilities/exploits for the honeypot product itself (low-interaction honeypots only). Just be creative :-)
  • 28. Detection of honeypots Examples of honeypot detection Inconsistencies in the TCP/IP stack: tools like hping can be used to detect incorrect TCP/IP stack emulations.
Normal RH9: TTL=64, window=0, id=0, DF
RH9 on VMware: TTL=64, window=0, id=0, DF
RH9 on honeyd: TTL=64, window=1460, id=0, DF
  • 29. Detection of honeypots Overview of different TCP/IP stacks A list of properties of different TCP/IP stacks can easily be built (e.g. with hping):
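The stack comparison on slide 28, turned into a small classifier as an added example (not code from the slides or from hping): it parses reply lines in the format hping prints for a run such as `hping -S -p 80 -c 3 <target>` and checks them against the three signatures the slide lists (TTL, window, IP id, DF). The sample reply lines are constructed, not captured; nothing here touches the network.

```python
"""Classify hping replies against known TCP/IP stack signatures.

Added example. Only the window size separates honeyd from a real Red Hat 9
stack in the slide's data; VMware versus bare metal is indistinguishable
this way (as the slide says, VMware has to be detected locally).
"""
import re

# Signatures transcribed from slide 28.
SIGNATURES = {
    "RH9 native":    {"ttl": 64, "win": 0,    "id": 0, "df": True},
    "RH9 on VMware": {"ttl": 64, "win": 0,    "id": 0, "df": True},
    "RH9 on honeyd": {"ttl": 64, "win": 1460, "id": 0, "df": True},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_reply(line):
    """Fields of one hping reply line, or None for banner/summary lines."""
    kv = dict(KV_RE.findall(line))
    try:
        return {
            "ttl": int(kv["ttl"]),
            "win": int(kv["win"]),
            "id": int(kv["id"]),
            "df": re.search(r"\bDF\b", line) is not None,
            "flags": kv.get("flags", ""),
        }
    except KeyError:
        return None


def match_stacks(reply):
    """Names of every signature consistent with one parsed reply."""
    return [name for name, sig in SIGNATURES.items()
            if all(reply.get(k) == v for k, v in sig.items())]


def classify(lines):
    """Classify a whole hping run.

    Returns (candidates, consistent): candidates are the stacks matching
    every reply; consistent is False when the replies disagree with each
    other, which is a honeypot tell in its own right (slide 26).
    """
    per_reply = [set(match_stacks(r)) for r in map(parse_reply, lines) if r]
    if not per_reply:
        return set(), True
    common = set.intersection(*per_reply)
    consistent = all(s == per_reply[0] for s in per_reply)
    return common, consistent


def looks_like_honeyd(lines):
    candidates, _ = classify(lines)
    return candidates == {"RH9 on honeyd"}


# Constructed sample output, laid out like hping's reply lines (not a real capture).
SAMPLE_HONEYD = [
    "HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes",
    "len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=1460 rtt=0.4 ms",
    "len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=1460 rtt=0.3 ms",
]
SAMPLE_NATIVE = [
    "len=46 ip=10.0.0.6 ttl=64 DF id=0 sport=80 flags=RA seq=0 win=0 rtt=0.2 ms",
    "len=46 ip=10.0.0.6 ttl=64 DF id=0 sport=80 flags=RA seq=1 win=0 rtt=0.2 ms",
]

if __name__ == "__main__":
    for label, run in (("honeyd sample", SAMPLE_HONEYD), ("native sample", SAMPLE_NATIVE)):
        print(label, classify(run))
```

Extending `SIGNATURES` with more rows (more operating systems, more probe types) is exactly the "list of properties" slide 29 describes; keep the probe fixed, since window and id behaviour depend on which TCP flags you send.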
  • 31. Future of honeypot technologies Future on the good side… Honeytokens Wireless honeypots SPAM honeypots Honeypot farms Search-engine honeypots
  • 32. Future of honeypot technologies Honeytokens The concept of honeytokens is not new. Typically a honeytoken is a bogus record in a database that no application needs. If anyone accesses it, an alarm is raised (a honeypot inside an application). Example: a patient record for John F. Kennedy in a hospital’s patient database. There is no such patient in the hospital.
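The hospital example above as working code, added here and not taken from the slides: a bogus patient row sits among constructed sample records, and every query the application runs passes through a guard that raises an alert whenever the result set contains the token. Legitimate lookups never return it, so any hit means someone is reading data they have no business with (a bulk dump, a stolen credential, an injection). The table and column names are assumptions.

```python
"""Honeytoken record inside an application database (added example)."""
import sqlite3

HONEYTOKEN_NAME = "John F. Kennedy"  # the slide's example; no such patient exists
HONEYTOKEN_IDS = set()               # lives with the monitoring side, not in the data
ALERTS = []                          # stand-in for a SIEM or paging hook


def build_db():
    """In-memory patient table with constructed rows plus the honeytoken."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO patients (name, dob) VALUES (?, ?)", [
        ("Alice Smith", "1980-01-01"),      # constructed
        ("Bob Jones", "1975-06-12"),        # constructed
        (HONEYTOKEN_NAME, "1917-05-29"),    # the token
        ("Carol White", "1990-09-30"),      # constructed
    ])
    (token_id,) = conn.execute(
        "SELECT id FROM patients WHERE name = ?", (HONEYTOKEN_NAME,)).fetchone()
    HONEYTOKEN_IDS.add(token_id)
    return conn


def guarded_query(conn, sql, params, actor):
    """Run a query whose first selected column is `id`; alert if the token is returned.

    `actor` identifies who issued the query (session, service account, source IP)
    so the alert carries something an investigator can act on.
    """
    rows = conn.execute(sql, params).fetchall()
    hits = [r for r in rows if r[0] in HONEYTOKEN_IDS]
    if hits:
        ALERTS.append({"actor": actor, "sql": sql, "rows_returned": len(rows)})
    return rows


if __name__ == "__main__":
    db = build_db()
    guarded_query(db, "SELECT id, name FROM patients WHERE name LIKE ?", ("%Smith%",), "webapp")
    guarded_query(db, "SELECT id, name, dob FROM patients", (), "dba-session-42")
    print(ALERTS)
```

The guard only works if every code path that reads the table goes through it (or through an equivalent database-side audit); and a token that looks obviously fake is easy for a careful attacker to skip, so in practice choose names that blend in with the real records.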
  • 36. Future of honeypot technologies Future on the evil side… New honeypot detection technologies Automated honeypot scanners and Anti Honeypot Technologies Honeypot exploits
  • 38. Summary Coming closer to the end… Honeypots are a fairly new field of research; lots of work still has to be done (so start your own now!). Try your first forensic investigation of your own by analyzing the files provided by honeynet.org :-) Analyzing compromised honeypots gives you a real understanding of the tools, methodologies and avenues used by attackers in the wild (and may improve your own hacking skills as well as your defense strategies!).
  • 39. Further information Online resources Honeynet Project, http://www.honeynet.org Lance Spitzner, “Tracking hackers”, http://www.tracking-hackers.com Lance Spitzner, “Honeypot Farms”, http://www.securityfocus.com/infocus/1720 Distributed Honeypot Project, http://www.lucidic.net Niels Provos, honeyd, http://www.honeyd.org Phrack magazine, http://www.phrack.org Lance Spitzner, “Fighting Relay Spam the Honeypot Way”, http://www.tracking-hackers.com/solutions/sendmail.html Honeynet Germany, “IT-Sicherheit in Deutschland”, http://www.honeynet.de Google.com :-)
  • 40. All about Honeypots & Honeynets The end. Thanks for your patience and attention! This presentation is available online at http://www.FanavaranComputer.com/honeypot and http://www.Honeynet.ir