honeypot 101 (slide share)

Honeypot 101 Emil Tan, Security+, GLEG, RHCSA/RHCT Team Lead, Edgis Research Guide, The Honeynet Project (Singapore Chapter)

Upload: emil-tan

Post on 16-Jul-2015


TRANSCRIPT

Page 1: Honeypot 101 (slide share)

Honeypot 101 – Emil Tan, Security+, GLEG, RHCSA/RHCT

Team Lead, Edgis

Research Guide, The Honeynet Project (Singapore Chapter)

Page 2: Honeypot 101 (slide share)

The Honeynet Project

The Honeynet Project is a leading international 501(c)(3) non-profit security research organisation, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.

Founded in 1999, The Honeynet Project has contributed to the fight against malware and malicious hacking attacks and counts leading security professionals among its members and alumni.

Page 3: Honeypot 101 (slide share)

What’s a Honeypot?

Information system resources which have no production value.

Its value lies in unauthorised or illicit use of that resource.

Its value lies in being probed, attacked, or compromised.

Lance Spitzner (@lspitzner)

What can be used as a honeypot? Resources

Hardware (End-points, Servers, Standalone PCs, USB Sticks, etc.)

Software (Services, Files, etc.)

It’s all about the purposes of the honeypot

Page 4: Honeypot 101 (slide share)

Purposes? Aims? Objectives?

Intelligence Gathering

Trend / Behaviour Analysis

Know Your Enemy (KYE)

Bait / Decoy

Narrow down further depending on who you are

Similar to Incident Response – SMEs v. MNCs v. Financial Institutes v. Military

Page 5: Honeypot 101 (slide share)

High v. Low Interactions

High Interaction Honeypots

It is what it is (The actual thing)

Content Rich; The Actual Shell, Services, etc.

Low Interaction Honeypots

A program

Emulated services; Limited Interactivity
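To make "a program with emulated services and limited interactivity" concrete, here is an added example written for this page (not code from any of the tools the deck names): a minimal low-interaction SSH-style honeypot that sends a scripted banner, records whatever the peer sends as a JSON line, then drops the connection. The banner string, port and log path are constructed placeholders.

```python
import json
import socket
import time
from datetime import datetime, timezone

# Constructed banner; pick one that matches what the real hosts around the honeypot run.
BANNER = b"SSH-2.0-OpenSSH_6.6.1p1\r\n"
MAX_BYTES = 512          # cap what is read: limited interactivity by design
LINGER_SECONDS = 2.0     # a little "stickiness" before the peer is dropped


def emulate_session(client_bytes: bytes, peer: str, now: float) -> dict:
    """Pure low-interaction logic: no real service, only a scripted reply and a log record.

    There is nothing to compromise; the value is entirely in the record returned here.
    """
    data = client_bytes[:MAX_BYTES]
    client_version = b""
    if data.startswith(b"SSH-"):
        # RFC 4253 client identification string is the first line the client sends.
        client_version = data.splitlines()[0]
    return {
        "ts": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
        "peer": peer,
        "emulated_service": "ssh",
        "client_version": client_version.decode("ascii", "replace"),
        "bytes_received": len(client_bytes),
        "truncated": len(client_bytes) > MAX_BYTES,
        "payload_hex": data.hex(),       # raw capture for later analysis
        "reply": BANNER.decode(),
    }


def serve(host="0.0.0.0", port=2222, log_path="honeypot.jsonl"):
    """Thin socket wrapper: one connection at a time, banner out, bytes in, log, drop."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(8)
        while True:
            conn, addr = srv.accept()
            with conn:
                conn.settimeout(5)
                conn.sendall(BANNER)
                try:
                    received = conn.recv(MAX_BYTES + 1)
                except socket.timeout:
                    received = b""
                record = emulate_session(received, f"{addr[0]}:{addr[1]}", time.time())
                with open(log_path, "a") as fh:
                    fh.write(json.dumps(record) + "\n")
                time.sleep(LINGER_SECONDS)  # then the connection closes: nothing more to do


if __name__ == "__main__":
    serve()
```

Every connection to the listener is a detection event, since no legitimate client has a reason to talk to it; the JSON lines feed whatever collector the honeypot's data-collection goal calls for.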

Page 6: Honeypot 101 (slide share)

What’s a Honeynet!?

A network of honeypots

Page 7: Honeypot 101 (slide share)

What’s Considered a Good Honeypot?

Purposes / Aims / Objectives

Attractiveness

Stickiness

Data Collection

Page 8: Honeypot 101 (slide share)

Where Do I Start?

High Interactions

Throw all the security tools in there! – NIDS, HIDS, Keyloggers – Who cares about false positives?

In-Depth Data Capturing Tools – Sebek, Qebek, Capture-HPC, DPI

Egress Traffic Control – Snort Inline, iptables

Perimeter Control – Honeywall (Roo)

SSL Proxy & Traffic Analyser – HoneyProxy

Page 9: Honeypot 101 (slide share)

Where Do I Start? (cont’d)

Low Interactions

The one that emulates everything (or the common services)! – Honeyd / Tiny Honeypot

Malware – Nepenthes, Dionaea, Honeytrap

Web Application – Glastopf

SSH – Kojoney, Kippo, Secure Honey

Client – Thug

ICS/SCADA – Conpot

USB Malware – Ghost USB

Page 10: Honeypot 101 (slide share)

ENISA’s

Proactive Detection of Security Incidents

https://www.enisa.europa.eu/activities/cert/support/proactive-detection

Page 11: Honeypot 101 (slide share)

My Beautiful Machines

Page 12: Honeypot 101 (slide share)

Roo

Page 13: Honeypot 101 (slide share)

Roo (cont’d)

Page 14: Honeypot 101 (slide share)

Beeswarm

Page 15: Honeypot 101 (slide share)

Kojoney (Low Interaction – SSH)

Page 16: Honeypot 101 (slide share)

Kojoney (Low Interaction – SSH) (cont’d)

Page 17: Honeypot 101 (slide share)

Kippo (Low Interaction – SSH)

Recorded TTYs by Leon van der Eijk (Chief Public Relations Officer)

Page 18: Honeypot 101 (slide share)

Honeytrap (Low Interaction – Malware)

Dynamic Reactions to Incoming Traffic

PCAP-based Sniffer

IP_Queue Interface

Page 19: Honeypot 101 (slide share)

Tarpit / SinkHoles

Page 20: Honeypot 101 (slide share)

Considerations

High or low interaction?

Which honeypot tools to use? Or should I create my own?

Physical or Virtual Environment?

Placed Inside or Outside my Production Environment?

Level of Vulnerabilities?

Legal Considerations

Page 21: Honeypot 101 (slide share)

Where To Go From Here?

Google Summer of Code (GSoC) – http://www.honeynet.org/gsoc

YouTube Channel – https://www.youtube.com/user/TheHoneynetProject

The Honeynet Project Workshop!

18 – 20 May 2015

Stavanger, Norway

Tutorials – http://edgis-security.org/lab-tutorials

Page 22: Honeypot 101 (slide share)

Who’s Going to BSides London?

3rd June 2015

ILEC Conference Centre

CFP – http://bit.ly/BSidesLDN2015CFP

Call for Workshops – http://bit.ly/BSidesLDN2015CFW

Rookies Track – http://bit.ly/BSidesLDN2015Mentors