Honeypots and Honeynets
Alex Dietz
Purpose
• To discover methods used to breach a system
• To discover new rootkits
• To learn what changes are made to a system and their effects
• To not be discovered
• To discourage an attack
Production honeypot vs Research honeypot
• Production honeypots are easy to use and capture only a limited amount of information
• Research honeypots are complex and expensive to maintain
Honeypots vs Honeynets
• Honeypots are usually a complete system or virtual machine and are low-interaction.
• Honeynets are second-generation honeypots and are very high-interaction.
Both must provide
• Data capture
• Data control
• Data analysis
Data capture and Staying undetected
• Log information to a remote server
• Use software to detect changes to files
• Use a rootkit to hide all logging services
– Implements its own TCP/IP stack to prevent logging traffic from being detected
Data control
• Try to prevent outgoing malicious traffic
– Use a honey wall
Traditionally a layer 2 bridging device that has no IP stack, meaning the device should be invisible to anyone interacting with the honeypots or honeynets.
img: http://honeynet.org/papers/honeynet/
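Added example, not taken from the slides or from the Honeynet Project's own honeywall code: a small Python simulation of the data-control policy a honey wall enforces inline, letting connections into the honeypot pass untouched while capping how many connections per hour may leave it, so a compromised honeypot cannot be turned against third parties at scale. The honeypot address, the per-protocol limits and the log records are constructed for the example.

```python
from collections import defaultdict

# Assumed per-protocol limits on outbound connections per hour (constructed
# for this example; a real honey wall expresses these as firewall rules).
LIMITS = {"tcp": 20, "udp": 20, "icmp": 50}
WINDOW = 3600  # seconds


class Honeywall:
    """Inline data control: rate-limit connections leaving the honeypot."""

    def __init__(self, honeypot_ip, limits=None):
        self.honeypot_ip = honeypot_ip
        self.limits = dict(limits or LIMITS)
        self._allowed = defaultdict(list)  # proto -> timestamps let through

    def decide(self, ts, src, dst, proto):
        """Return 'allow' or 'drop' for one new connection (ts in seconds)."""
        if src != self.honeypot_ip:
            return "allow"          # inbound to the honeypot is never limited
        if proto not in self.limits:
            return "drop"           # unknown protocol: fail closed
        recent = [t for t in self._allowed[proto] if ts - t < WINDOW]
        self._allowed[proto] = recent
        if len(recent) >= self.limits[proto]:
            return "drop"           # hourly budget spent: contain the outbreak
        recent.append(ts)
        return "allow"


def apply_policy(lines, honeypot_ip):
    """Feed 'ts src dst proto' records through the policy; return verdicts."""
    hw = Honeywall(honeypot_ip)
    verdicts = []
    for line in lines:
        ts, src, dst, proto = line.split()
        verdicts.append((line, hw.decide(int(ts), src, dst, proto)))
    return verdicts


# Constructed connection log: honeypot 10.0.0.5 has been compromised and
# opens 22 outbound TCP connections within one hour (ts 100..121).
SAMPLE_LOG = [f"{100 + i} 10.0.0.5 203.0.113.{i % 10} tcp" for i in range(22)]
SAMPLE_LOG += [
    "150 198.51.100.7 10.0.0.5 tcp",   # inbound from the intruder: allowed
    "4000 10.0.0.5 203.0.113.9 tcp",   # next hour: budget has aged out
]


def demo():
    return apply_policy(SAMPLE_LOG, "10.0.0.5")


if __name__ == "__main__":
    for line, verdict in demo():
        print(f"{verdict:5} {line}")
```

The first 20 outbound connections are allowed, the 21st and 22nd are dropped, inbound traffic is never touched, and an hour later the budget is available again.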
Data analysis
• Typically done by people viewing logs
– Realtime
– Logs
Img: Kent State University
Legality and Liability
• The operator can be held accountable if the honeypot is compromised and used to launch additional attacks.
– Varies state by state
• Can violate the Federal Wiretap Act
– Under most situations they are exempt
Ex. Attacker sets up an IRC server and users connect without knowing the system has been compromised
Honeypots and honeynets are flexible
• Using virtual machines, honeypots and honeynets can be set up with many different configurations
– Using a virtual machine lowers its security
img: google.com/support
• Can also connect to webservers to determine their malicious nature
– Most search engines do this as they crawl webpages
Summary
• Honeypots are a great detection mechanism
• Honeynets are an excellent research tool
• Can be configured to fit any need or cost
• Poorly controlled honeypots and honeynets can get you in trouble
Software
Open source:
– HoneyD: www.honeyd.org
– LaBrea Tarpit: Labrea.sf.net
– Sebek: Project.honeynet.org/tools/sebek
Commercial:
– Symantec Decoy Server: enterprisesecurity.symantec.com/products/products.cfm?ProductID=157
– Specter: www.specter.com