Presentation Description

security communication


Presentation Transcript

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks:

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004 http://project.honeynet.org/misc/project.html


Overview Motivation What are Honeypots? Gen I and Gen II The GeorgiaTech Honeynet System Hardware/Software IDS Logging and review Some detected Exploitations Worm exploits Sage of the Warez Exploit Words of Wisdom Conclusions

Why Honeynets ?:

Why Honeynets ? An additional layer of security


Motivation Security a serious problem Methods for detection/protection/defense: Firewall: The Traffic cop IDS: detection and alert These have shortcomings: Internal threats Virus laden programs False Positives and False negatives Honeynet : An additional layer Not a panacea

PowerPoint Presentation:

Security: A serious Problem Firewall IDS A Traffic Cop Problems: Internal Threats Virus Laden Programs Detection and Alert Problems: False Positives False Negatives

PowerPoint Presentation:

The Security Problem Firewall IDS HoneyNets An additional layer of security


Properties Captures all inbound/outbound data Standard production systems Intended to be compromised Data Capture Stealth capturing Storage location – away from the honeynet Data control Protect the network from honeynets

Two types:

Two types Gen I Gen II Good for simpler attacks Unsophisticated targets Limited Data Control Sophisticated Data Control : Stealth Fire-walling Gen I chosen

GATech Honeynet System:

GATech Honeynet System Huge network 4 TB data processing/day CONFIG Sub-standard systems Open Source Software Simple Firewall Data Control

PowerPoint Presentation:

IDS Invisible SNORT Monitor Promiscuous mode Two SNORT Sessions Session 1 Signature Analysis Monitoring Session 2 Packet Capture DATA CAPTURE

Data Analysis:

Data Analysis One hour daily ! Requires human resources Forensic Analysis SNORT DATA CAPTURE All packet logs stored Ethereal used

Detected Exploitations:

Detected Exploitations 16 compromises detected Worm attacks Hacker Attacks


Honey Net traffic is Suspicious Heuristic for worm detection: Frequent port scans Specific OS-vulnerability monitoring possible Captured traffic helps signature development DETECTING WORM EXPLOITS

SAGA of the WAREZ Hacker:

SAGA of the WAREZ Hacker Helped locate a compromised host Honeynet IIS Exploit  Warez Server + Backdoor Very difficult to detect otherwise !

Words of Wisdom:

Words of Wisdom Start small Good relationships help Focus on Internal attacks Don’t advertise Be prepared to spend time


Conclusion Helped locate compromised systems Can boost IDS research Data capture Distributed Honey nets ? Hunting down Honeypots http://www.send-safe.com/honeypot-hunter.php


Discussion The usefulness of the extra layer ? Dynamic HoneyNets Comparison with IDS: are these a replacement or complementary ? HONEY NET IDS

IDS vs HoneyNet:

IDS vs HoneyNet IDS – primary function is detection and alerting Honeynets – use IDS to detect and alert – but nothing is done to control the threat Primary intent is to log and capture effects and activities of the threat Honeynets do not protect the network – they have protection as a benefit, not intent

authorStream Live Help