HONEYPOTS PRESENTATION
TEAM: Ankur Sharma, Ashish Agrawal, Elly Bornstein, Santak Bhadra, Srinivas Natarajan

Upload: nelson-gilmore

Post on 02-Jan-2016


TRANSCRIPT


Topics to be covered
Network IDS - Brief Intro
What is a Honeypot?
Honeypot in a Network Environment
A Three Layered Approach
Types of Honeypot
Honeypot and IDS - Traditional detection problems
Honeypot as detection solution
Honeypot implementation and an example attack
Virtual Honeypot
Advantages and Disadvantages
Demo
References

Network IDS - Brief Intro
An IDS which detects malicious activity such as denial of service attacks, port scans or even attempts to break into computers by monitoring network traffic.
It inspects incoming network traffic and studies the packets.
It reads valuable information about an ongoing intrusion from outgoing or local traffic as well.
It can co-exist with other systems. For example, it can update some firewalls' blacklist IP database with the addresses of computers used by (suspected) hackers.
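The slide's two ideas (detecting a port scan from traffic, then feeding the scanner's address to a firewall blacklist) can be shown end to end on a handful of connection records. This is an added example, not code from the presentation: the flow records, thresholds, addresses and the iptables rule format are all constructed assumptions, and the sliding window also shows the usual caveat that a scanner spacing its probes wider than the window is not caught.

```python
"""Port-scan detection and firewall blacklist export, as the network-IDS
slide describes. Added example, not code from the presentation; the flow
records, thresholds and addresses below are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed connection attempts: (seconds, src_ip, dst_ip, dst_port, tcp_flags).
SAMPLE_FLOWS: List[Tuple[int, str, str, int, str]] = (
    # a normal client talking to the web server
    [(0, "198.51.100.5", "192.0.2.10", 80, "S"),
     (2, "198.51.100.5", "192.0.2.10", 443, "S"),
     (5, "198.51.100.5", "192.0.2.10", 80, "S")]
    # a fast scanner: 11 distinct ports in 10 seconds
    + [(10 + i, "203.0.113.7", "192.0.2.10", p, "S")
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    # a slow scanner: 12 ports, one every 100 seconds (evades a 60 s window)
    + [(100 * i, "203.0.113.9", "192.0.2.11", p, "S")
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
)


def detect_port_scans(flows, threshold: int = 10, window: int = 60) -> Dict[str, Set[int]]:
    """Return {src_ip: all ports it probed} for every source that touched at
    least `threshold` distinct destination ports within `window` seconds.
    Only SYN packets count, so established traffic does not inflate the count."""
    by_src: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, _dst, port, flags in flows:
        if "S" in flags:
            by_src[src].append((ts, port))
    scanners: Dict[str, Set[int]] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Dict[int, int] = defaultdict(int)   # port -> hits inside the window
        start = 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[start][0] > window:      # slide the window forward
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= threshold:
                scanners[src] = {p for _, p in events}
                break
    return scanners


def build_blacklist(scanners, allowlist=frozenset()) -> List[str]:
    """Render iptables DROP rules for detected scanners, skipping allow-listed
    addresses so a spoofed or internal scanner cannot get a real host blocked."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in sorted(scanners) if ip not in allowlist]


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_FLOWS)
    for ip, ports in found.items():
        print(f"scan from {ip}: {len(ports)} ports {sorted(ports)}")
    print("\n".join(build_blacklist(found)))
```

With the constructed sample only 203.0.113.7 is reported; widening the window to 1000 seconds also catches the slow scanner 203.0.113.9, which is the trade-off between detection latency, memory per source and evasion that any such rule carries.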

What is a Honeypot?
A trap set to detect, deflect and counteract attempts at unauthorized use of information systems.
A security resource whose value lies in being probed, attacked, or compromised.
A valuable system that can be used as a surveillance and early-warning tool.

Honeypot in a Network Environment
In general, it consists of a computer or a network site that appears to be part of the network but which is actually isolated, unprotected and monitored.
It can also take other forms, such as files or data records, or even unused IP address space.

Honeypot in a Network Environment (diagram)

A Three Layered Approach
A honeypot can be defined in a three layered approach:
Prevention
Detection
Response

A Three Layered Approach
Prevention: Honeypots can be used to slow down or stop automated attacks. They can utilize psychological weapons such as deception or deterrence to confuse or stop attacks.
Detection: Used to detect unauthorized activity and capture unknown attacks. Honeypots generate very few alerts, but when they do you can almost be sure that something malicious has happened.
Response: Production honeypots can be used to respond to an attack. Information gathered from the attacked system can be used to respond to the break-in.

Types of Honeypot
Classified based on two categories:
Deployment: 1. Production, 2. Research
Level of interaction: 1. Low Interaction, 2. High Interaction

Deployment Types
Production Honeypots: Easy to use, capture only limited information, and primarily used by companies or corporations. They are placed alongside the other production network and help to mitigate risk in an organization.
Research Honeypots: Run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks.

Levels of Involvement
Low Interaction (Honeyd): Able to simulate big network structures on a single host. With one single instance of the daemon, many different hosts running different services can be simulated.
High Interaction (Honeynet): A network of real systems. A stealth inline network bridge closely monitors and controls the network data flow to and from the honeypots in the network.

Honeypot and IDS - Traditional detection problems
Data overload
False positives
False negatives
Resources
Encryption
IPv6

Honeypot as detection solution
Small data sets
Reduced false positives
Catching false negatives
Minimal resources
Encryption
IPv6

Honeyd
It's designed to be used on Unix-based operating systems, such as OpenBSD or Linux; however, it may soon be ported to Windows.
Since this solution is open source, not only is it free, but we also have full access to the source code, which is under the BSD license.

Honeyd (continued)
The primary purpose of Honeyd is detection, specifically to detect unauthorized activity within your organization.
It does this by monitoring all the unused IPs in your network.
Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity.
Example:

Configuring Honeyd
To implement Honeyd we need to compile and use two tools: Arpd and Honeyd.
Arpd is used for ARP spoofing: it monitors the unused IP space and directs attacks to the Honeyd honeypot.
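The two Honeyd slides above make one claim, that a connection to an address Honeyd has claimed is an alert by definition, and one procedure, that the daemon is driven by a template configuration bound to unused addresses. The following is an added example, not code from the presentation or from the Honeyd project: a small parser for Honeyd's create/set/add/bind configuration directives (only those four are modelled; other options raise an error) and the decision logic a connection then goes through. The template names, addresses and script paths in HONEYD_CONF are constructed, and falling back to "block" when a template sets no default action is this example's assumption rather than Honeyd's documented behaviour.

```python
"""A parser for Honeyd's configuration language plus the detection logic
that follows from it: every connection to an address Honeyd has claimed
is, by definition, unauthorized. Added example, not from the presentation
or the Honeyd project; HONEYD_CONF is constructed."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, Tuple

HONEYD_CONF = """\
# constructed example configuration
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action block
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 open
add linux tcp port 80 "sh scripts/web.sh"

bind 192.168.1.201 windows
bind 192.168.1.202 linux
"""


@dataclass
class Template:
    name: str
    personality: str = ""
    default_actions: Dict[str, str] = field(default_factory=dict)    # proto -> open|block|reset
    ports: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (proto, port) -> action or script


def parse_honeyd_config(text: str):
    """Return (templates, bindings); bindings maps a claimed IP to its template."""
    templates: Dict[str, Template] = {}
    bindings: Dict[str, Template] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)        # handles "quoted script" and # comments
        if not tok:
            continue
        if tok[0] == "create" and len(tok) == 2:
            templates[tok[1]] = Template(tok[1])
        elif tok[0] == "set" and len(tok) >= 4 and tok[1] in templates:
            t = templates[tok[1]]
            if tok[2] == "personality":
                t.personality = tok[3]
            elif tok[2] == "default" and len(tok) == 6 and tok[4] == "action":
                t.default_actions[tok[3]] = tok[5]
            else:
                raise ValueError(f"line {lineno}: unsupported set option: {raw!r}")
        elif tok[0] == "add" and len(tok) == 6 and tok[1] in templates and tok[3] == "port":
            templates[tok[1]].ports[(tok[2], int(tok[4]))] = tok[5]
        elif tok[0] == "bind" and len(tok) == 3 and tok[2] in templates:
            bindings[tok[1]] = templates[tok[2]]
        else:
            raise ValueError(f"line {lineno}: malformed or unknown directive: {raw!r}")
    return templates, bindings


def handle_connection(bindings, dst_ip: str, proto: str, port: int) -> Dict[str, object]:
    """Decide how the honeypot answers a connection and whether to alert.
    A destination with no binding is a real host (or unclaimed space), so
    Honeyd never sees it and nothing is alerted. Any bound address is
    unused space, so the attempt itself is the alert."""
    template = bindings.get(dst_ip)
    if template is None:
        return {"alert": False, "action": "not-a-honeypot"}
    # port-specific entry wins, then the template default for that protocol;
    # "block" as a last resort is this example's assumption, not Honeyd's rule
    action = template.ports.get((proto, port), template.default_actions.get(proto, "block"))
    return {"alert": True, "template": template.name, "personality": template.personality,
            "action": action,
            "message": f"ALERT honeypot {dst_ip} ({template.name}) probed on {proto}/{port} -> {action}"}


if __name__ == "__main__":
    _, bound = parse_honeyd_config(HONEYD_CONF)
    for ip, proto, port in [("192.168.1.201", "tcp", 445), ("192.168.1.201", "tcp", 22),
                            ("192.168.1.202", "tcp", 22), ("192.168.1.10", "tcp", 80)]:
        print(handle_connection(bound, ip, proto, port))
```

Note what the bound/unbound split buys: the daemon only answers for addresses that Arpd has claimed, so the false-positive argument of the later slides rests on keeping the production address list and the bind list disjoint; a bind on an address that is later handed to a real host turns every legitimate connection into an alert.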

Building a honeypot with UML
UML allows running multiple instances of Linux on the same system at the same time.
The UML kernel receives the system calls from its applications and sends/requests them to the host kernel.
UML has many capabilities, among them:
It can log all the keystrokes even if the attacker uses encryption.
It reduces the chances of revealing its identity as a honeypot.
It makes UML kernel data secure from tampering by its processes.

Honey Net
A network of honeypots, supplemented by firewalls and an intrusion detection system.
Advantages:
More realistic environment
Improved possibility to collect data

How a Honey Net works
A highly controlled network where every packet entering or leaving is monitored, captured and analyzed.
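The "highly controlled network" of the slide is usually realised as an inline bridge (the stealth bridge of the high-interaction slide) with two jobs: capture everything, and let attackers in while limiting what a compromised honeypot can send out. The following is an added example of that data-control logic, not the Honeynet Project's code: the honeynet prefix, the outbound budget of five connections per hour and the packet sample are constructed assumptions.

```python
"""Honeywall-style data control for a honeynet: every packet crossing the
bridge is captured, inbound traffic to the honeypots is always allowed
(they must be reachable to be attacked), and outbound connections from a
honeypot are rate-limited so a compromised honeypot cannot be turned
against others. Added example, not the Honeynet Project's code; the
honeynet prefix, limits and packet sample are constructed."""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class HoneywallDataControl:
    def __init__(self, honeynet: str, outbound_limit: int = 5, window_seconds: int = 3600):
        self.net = ipaddress.ip_network(honeynet)
        self.limit = outbound_limit
        self.window = window_seconds
        self.captured: List[Tuple[int, str, str, str, int, str]] = []   # full capture for analysis
        self.outbound: Dict[str, Deque[int]] = defaultdict(deque)     # honeypot -> recent outbound times

    def handle(self, ts: int, src: str, dst: str, proto: str, dport: int) -> str:
        """Return the bridge's verdict for one new connection and record it."""
        src_in = ipaddress.ip_address(src) in self.net
        dst_in = ipaddress.ip_address(dst) in self.net
        if dst_in and not src_in:
            verdict = "allow-inbound"           # attacker -> honeypot: always let it through
        elif src_in and not dst_in:
            recent = self.outbound[src]
            while recent and ts - recent[0] >= self.window:
                recent.popleft()                # forget connections older than the window
            if len(recent) >= self.limit:
                verdict = "drop-outbound-limit"  # honeypot -> internet beyond the budget
            else:
                recent.append(ts)
                verdict = "allow-outbound"      # still logged: outbound from a honeypot means compromise
        elif src_in and dst_in:
            verdict = "allow-internal"          # lateral movement inside the honeynet; capture only
        else:
            verdict = "unrelated"
        self.captured.append((ts, src, dst, proto, dport, verdict))
        return verdict

    def compromised(self) -> List[str]:
        """Honeypots that initiated any outbound connection; a honeypot has no
        legitimate reason to do so, so this is the early-warning signal."""
        return sorted({src for _, src, _d, _p, _dp, v in self.captured
                       if v in ("allow-outbound", "drop-outbound-limit")})


# Constructed packet sample: (seconds, src, dst, proto, dport)
SAMPLE_PACKETS = (
    [(0, "203.0.113.7", "192.0.2.21", "tcp", 445)]                             # attacker hits the honeypot
    + [(60 + i, "192.0.2.21", "198.51.100.9", "tcp", 6667) for i in range(6)]  # honeypot phones home
    + [(4000, "192.0.2.21", "198.51.100.9", "tcp", 6667)]                      # an hour later, budget reset
    + [(4001, "192.0.2.22", "192.0.2.21", "tcp", 139)]                         # lateral inside the honeynet
)


def run_sample(packets=SAMPLE_PACKETS) -> List[str]:
    """Feed the constructed sample through one bridge and return the verdicts."""
    wall = HoneywallDataControl("192.0.2.0/24")
    return [wall.handle(*pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(pkt, "->", verdict)
```

The sixth outbound connection in the sample is dropped while the first five go through; the limit is deliberately non-zero because an attacker whose every outbound attempt fails will quickly recognise the environment, which is the "detecting the honeypot is easy" disadvantage listed later.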

Virtual Honeypot
Virtual machines allow different OSes to run at the same time on the same machine.
Honeypots are guests on top of another OS.
We can implement a guest OS on a host OS in two ways:
Raw disc - an actual disc partition
Virtual disc - a file on the host file system

Most Exploited Vulnerabilities
(chart) Top 5 most frequently exploited vulnerabilities with a rating of "severe".

The Five Most Attacked Ports
(chart) X-axis: port number. Y-axis: number of attackers with the rating of "severe" per honeypot in the last week.

Advantages
Productive environment: distraction from the real target.
Can peek into the guest operating system at any time.
Reinstallation of a contaminated guest is also easy.
And it is a very easy way.

Disadvantages
Sub-optimal utilization of computational resources.
Reinstallation of a polluted system is very difficult.
Difficulty in monitoring such a system in a safe way.
Detecting the honeypot is easy.

References
http://www.securityfocus.com
  Honeypots: Simple, Cost-Effective Detection
  Open Source Honeypots: Learning with Honeyd
  Specter: A Commercial Honeypot Solution for Windows
http://www.honeypots.net/
http://en.wikipedia.org/wiki/Honeypot_(computing)
http://www.tracking-hackers.com/

Thank You!
We are happy to answer any questions.