Slide 1: Good morning!!!!

Introduction to honeypots: What is a honeypot?

Abstract definition:
“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”
“A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised.”

Introduction to honeypots: How to classify a honeypot?

Honeypots are classified
  by their deployment
  by the level of involvement
    High-interaction honeypot

Introduction to honeypots: Production honeypot

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations.
They are placed inside the production network with other production servers.
The purpose of a production honeypot is to help mitigate risk in an organization.
They add value to the security measures of an organization.

Introduction to honeypots: Research honeypot

Research honeypots do not add direct value to a specific organization.
Their job is to gain information on the attackers.
Research honeypots are complex to deploy and maintain, but capture extensive information.
They are used primarily by research, military, or government organizations.

Introduction to honeypots: Low-interaction honeypots in detail

Low-interaction honeypots are typically the easiest honeypots to install, configure, deploy and maintain.
They partially emulate a service (e.g. Unix telnet server) or operating system and limit the attacker’s activities to the level of emulation provided by the software.
Most importantly, there is no interaction with the underlying operating system (at least there shouldn’t be).

Introduction to honeypots: Advantages of low-interaction honeypots

Easy to install, configure, deploy and maintain
Introduce a low or at least limited risk
Many ready-to-use products are available
Logging and analyzing is simple
  Only transactional information is available (e.g. time and date of an attack, protocol, source and destination IP as well as port), no information about the attacks themselves

Introduction to honeypots: Disadvantages of low-interaction honeypots

No real interaction for an attacker possible.
Very limited logging abilities.
Can only capture known attacks.
Easily detectable by a skilled attacker.

Introduction to honeypots: High-interaction honeypots in detail

High-interaction honeypots are the extreme of honeypot technologies.
Provide an attacker with a real operating system where nothing is emulated or restricted.
Ideally you are rewarded with a vast amount of information about attackers, their motivation, actions, tools, behaviour, level of knowledge, origin, identity etc.
Try to control an attacker at the network level.

Introduction to honeypots: Advantages of high-interaction honeypots

You will face real-life data and attacks, so the activities captured are most valuable.
Learn as much as possible about the attacker, the attack itself and especially the methodology as well as tools used.
High-interaction honeypots could help you to prevent future attacks and get a certain understanding of possible threats.

Introduction to honeypots: Disadvantages of high-interaction honeypots

Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming, as it involves a variety of different technologies (e.g. firewall etc.) that have to be customized.
Analyzing a compromised honeypot is extremely time consuming (40 hours for every 30 minutes an attacker spent on a system!) and difficult.
A high-interaction honeypot introduces a high level of risk and - if there are no additional precautions in place - might put an organization's overall IT security at stake.

Detection of honeypots: Techniques of local detection

Technical properties of the honeypot
  Response times, banners, registry entries, inconsistent parameters
“Social” properties of the system, user interaction
  No typical usage (e.g. no new files created or accessed on a server for more than a week…)
Packets going to/from the system (sniffing may be done from a different system on the network if possible)
Search for traces of VMware
  VMware is a popular platform for honeypots, but it can be detected locally

Honeypot Detection: Techniques of local detection (cont.)

Search for traces of honeypot tools
  Temp folders, kernel dumps, backdoors.
Search for the history files/logs and other configuration errors
  Not only the bad guys make mistakes.
Vulnerabilities/exploits for the honeypot product itself (low-interaction honeypots only)
Just be creative.

Honeypot Detection: Remote detection techniques

This one is much harder: inconsistency is your best friend (only applies to low-interaction honeypots!)...
Technical properties of the honeypot
  Response times, banners, registry entries, inconsistent responses or parameters
Vulnerabilities/exploits for the honeypot
  Could lead to the detection of the honeypot (still waiting for the first honeypot scanners…)

Spam honeypots

Simply put a honeypot with an SMTP service running in your own IP range. Every host that accesses this service can be added to your blacklist of spammers. Your real mail gateway can then use this list to refuse mail from these addresses (email and IP).
If you don't want to build your own open relay honeypot, you can simply download a complete package like Jackpot, which is a ready-to-run Simple Mail Transfer Protocol (SMTP) relay honeypot called Bubblegum Proxypot.
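The relay honeypot just described, combined with the low-interaction model from the earlier slides (an emulated service that records only transactional data), as an added example that is not from the slides and is not Jackpot or Bubblegum Proxypot: a fake open relay that accepts any relay attempt, discards the message body, and emits a blocklist for the real gateway. The hostname and the TEST-NET address used in comments and tests are constructed.

```python
import re
from datetime import datetime, timezone

class SmtpSpamHoneypot:
    """Low-interaction fake open relay: accepts every relay attempt on the
    wire, delivers nothing, and yields a transactional log plus a blocklist
    for the real gateway. Hypothetical code, not Jackpot or Bubblegum Proxypot."""

    BANNER = "220 relay.example.net ESMTP ready"   # constructed hostname

    def __init__(self):
        self.denylist_ips, self.denylist_senders = set(), set()
        self.log = []          # transactional records only, never message bodies
        self.in_data = False

    def _record(self, src, event, **extra):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "proto": "smtp", "src": src, "event": event, **extra})

    def connect(self, peer_ip, peer_port):
        # Nothing legitimate ever talks to this address: connecting is enough.
        self.denylist_ips.add(peer_ip)
        self._record(peer_ip, "connect", sport=peer_port)
        return self.BANNER

    def handle(self, peer_ip, line):
        """SMTP reply for one client line; None while sinking a DATA body."""
        if self.in_data:
            if line.strip() != ".":
                return None                # body is discarded, not stored
            self.in_data = False
            self._record(peer_ip, "message_sunk")
            return "250 OK: queued"        # a lie: nothing is queued
        cmd = line.strip().split(" ", 1)[0].upper()
        if cmd in ("HELO", "EHLO"):
            return "250 relay.example.net"
        if cmd == "MAIL":
            m = re.search(r"<([^>]*)>", line)
            sender = m.group(1).strip().lower() if m else ""
            if sender:
                self.denylist_senders.add(sender)
            self._record(peer_ip, "mail_from", sender=sender)
            return "250 OK"
        if cmd == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if cmd == "QUIT" else "250 OK"   # RCPT etc.: "relay" to anyone

    def export_blocklist(self):   # lines the real gateway uses to refuse these sources
        return sorted(f"ip {i}" for i in self.denylist_ips) + sorted(f"sender {s}" for s in self.denylist_senders)
```

The log holds only the transactional fields the slides list (time, protocol, source IP and port, claimed sender); the message content never reaches disk, which is what keeps the risk of running such a service low.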
Spam honeypots could also be used for statistical spam analysis (e.g. where are the spammers coming from, how many messages are they sending etc.?).

Conclusion: Coming closer to the end…

A honeypot is a security resource whose value lies in being probed, attacked or compromised.
Analyzing compromised honeypots helps you gain a certain understanding of the tools, methodologies and avenues used by attackers in the wild (it may improve your own hacking skills as well as your defence strategies!)
Honeypots are a quite new field of research; a lot of work still has to be done.

Honeypot

Thanks for your patience
I would now like to answer your questions.

Slide 18: ANY QUERIES???

Slide 19: THANK YOU!!!