Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks
Ashish Gupta, Network Security
May 2004
http://project.honeynet.org/misc/project.html
Overview
• Motivation
• What are Honeypots?
  – Gen I and Gen II
• The GeorgiaTech Honeynet System
  – Hardware/Software
  – IDS
  – Logging and review
• Some detected Exploitations
  – Worm exploits
  – Saga of the Warez Exploit
• Words of Wisdom
• Conclusions
Why Honeynets?
An additional layer of security

Security: A Serious Problem
• Firewall: a traffic cop
  – Problems: internal threats, virus-laden programs
• IDS: detection and alert
  – Problems: false positives, false negatives
The Security Problem
(Diagram: firewall and IDS, with honeynets added as a further layer)

HoneyNets: An Additional Layer of Security
• Captures all inbound/outbound data
• Standard production systems
• Intended to be compromised
• Data Capture
  – Stealth capturing
  – Storage location: away from the honeynet
• Data Control
  – Protect the network from the honeynets
Two Types
• Gen I
  – Good for simpler attacks
  – Unsophisticated targets
  – Limited data control
• Gen II
  – Sophisticated data control: stealth fire-walling
Gen I chosen
GATech Honeynet System
• Huge network: 4 TB of data processed per day
• Configuration
  – Sub-standard systems
  – Open source software
  – Simple firewall data control
• IDS: invisible SNORT monitor
  – Promiscuous mode
  – Two SNORT sessions
    – Session 1: signature analysis (monitoring)
    – Session 2: packet capture (data capture)
• Data Analysis
  – One hour daily!
  – Requires human resources
• Forensic Analysis
  – SNORT data capture: all packet logs stored
  – Ethereal used
Detected Exploitations
• 16 compromises detected: worm attacks and hacker attacks
• Honeynet traffic is suspicious
• Heuristic for worm detection: frequent port scans
• Specific OS-vulnerability monitoring possible
• Captured traffic helps signature development

Detecting Worm Exploits

Saga of the Warez Hacker
• Helped locate a compromised host
• (Diagram: IIS exploit against a honeynet host, which became a warez server plus backdoor)
• Very difficult to detect otherwise!
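The two indicators the deck relies on, bursts of port probes (the worm heuristic) and a honeynet host that starts initiating traffic to the outside (the warez server case), as a small detector run over constructed connection records. This is an added example, not code from the GATech honeynet; the honeynet address range, the log line format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HONEYNET_PREFIX = "10.0.5."  # assumed honeynet range (not from the deck)

# Constructed sample of "date time src_ip dst_ip dst_port" records, as a
# packet-capture session on the sensor might summarise connections.
SAMPLE_LOG = """\
2004-05-03 02:11:01 192.0.2.17 10.0.5.12 135
2004-05-03 02:11:01 192.0.2.17 10.0.5.12 139
2004-05-03 02:11:02 192.0.2.17 10.0.5.12 445
2004-05-03 02:11:02 192.0.2.17 10.0.5.13 135
2004-05-03 02:11:03 192.0.2.17 10.0.5.14 135
2004-05-03 03:40:10 198.51.100.8 10.0.5.20 80
2004-05-03 03:52:44 10.0.5.20 203.0.113.9 6667
2004-05-03 04:05:00 203.0.113.31 10.0.5.20 31337
"""

def parse_log(text):
    """Parse lines into (timestamp, src, dst, dport); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # truncated or blank line: skip instead of crashing
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        records.append((ts, parts[2], parts[3], int(parts[4])))
    return records

def find_scanners(records, window=timedelta(seconds=60), threshold=5):
    """Worm heuristic from the deck: an outside source that hits many distinct
    honeynet host/port pairs inside one time window is port scanning."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dst.startswith(HONEYNET_PREFIX) and not src.startswith(HONEYNET_PREFIX):
            by_src[src].append((ts, (dst, dport)))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each hit
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                scanners.add(src)
                break
    return sorted(scanners)

def find_outbound(records):
    """Honeynet hosts have no users, so traffic they initiate means compromise."""
    return sorted({s for _, s, d, _ in records
                   if s.startswith(HONEYNET_PREFIX) and not d.startswith(HONEYNET_PREFIX)})
```

On the sample, `find_scanners` reports the source probing five host/port pairs in two seconds and `find_outbound` reports the honeynet host that opened a connection to the outside after being hit on port 80.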
Words of Wisdom
• Start small
• Good relationships help
• Focus on internal attacks
• Don’t advertise
• Be prepared to spend time

Conclusion
• Helped locate compromised systems
• Can boost IDS research
  – Data capture
• Distributed honeynets?

Discussion
• The usefulness of the extra layer?
• Dynamic HoneyNets
• Comparison with IDS: are these a replacement or complementary?
(Diagram: Honeynet vs. IDS)