Title: Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks


1
Use of Honey-pots to Detect Exploited Systems
Across Large Enterprise Networks
http://project.honeynet.org/misc/project.html
  • Ashish Gupta
  • Network Security
  • May 2004

2
Overview
  • Motivation
  • What are Honeypots?
  • Gen I and Gen II
  • The GeorgiaTech Honeynet System
  • Hardware/Software
  • IDS
  • Logging and review
  • Some detected Exploitations
  • Worm exploits
  • Saga of the Warez Exploit
  • Words of Wisdom
  • Conclusions

3
Why Honeynets?
  • An additional layer of security

4
Motivation
  • Security is a serious problem
  • Methods for detection/protection/defense:
    • Firewall: the traffic cop
    • IDS: detection and alert
  • These have shortcomings:
    • Internal threats
    • Virus-laden programs
    • False positives and false negatives
  • Honeynet: an additional layer
  • Not a panacea

5
Security: A Serious Problem
  • Firewall: a traffic cop. Problems: internal threats, virus-laden programs
  • IDS: detection and alert. Problems: false positives, false negatives
6
The Security Problem
  • Firewall
  • IDS
  • Honeynets: an additional layer of security
7
Properties
  • Captures all inbound/outbound data
  • Standard production systems
  • Intended to be compromised
  • Data capture:
    • Stealth capturing
    • Storage location away from the honeynet
  • Data control:
    • Protect the rest of the network from the honeynet (a compromised honeypot must not become a launch point for further attacks)

8
Two Types
  • Gen I: good for simpler attacks; unsophisticated targets; limited data control
  • Gen II: sophisticated data control; stealth firewalling
  • Gen I chosen
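The "data control" property on the Properties slide and the "limited data control" of Gen I come down to one rule: a honeypot has no legitimate reason to open connections, so the first outbound connection is a compromise indicator, and anything past a small budget is dropped so the box cannot be turned against third parties. The following is an added example by the editor modelling that Gen I-style policy; it is not code from the presentation, the Honeynet Project or the Georgia Tech deployment. The honeynet range 192.0.2.0/28, the budget of five outbound connections per hour, the event timeline and the ALLOW for honeypot-to-honeypot traffic are all assumptions made for illustration.

```python
"""Gen I-style data control for a honeynet, as an illustrative model.

Honeypots have no legitimate reason to initiate connections, so the first
outbound connection from one is itself a compromise indicator, and everything
past a small per-window budget is dropped so the honeypot cannot be used to
attack third parties. Inbound traffic is left alone: attackers must be able
to reach the honeypots or nothing is captured.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("192.0.2.0/28")   # assumed honeynet range (RFC 5737 test space)
OUTBOUND_BUDGET = 5                     # outbound connections per honeypot per window (assumed)
WINDOW_SECONDS = 3600


class DataControl:
    """Decide ALLOW/DROP for each new connection crossing the honeynet boundary."""

    def __init__(self, budget=OUTBOUND_BUDGET, window=WINDOW_SECONDS):
        self.budget = budget
        self.window = window
        self._outbound = defaultdict(deque)  # honeypot -> timestamps of allowed outbound connections
        self.flagged = set()                 # honeypots that have initiated outbound traffic
        self.alerts = []

    def decide(self, ts, src, dst):
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in HONEYNET:
            return "ALLOW"            # inbound (or unrelated) traffic: let attackers in
        if dst_ip in HONEYNET:
            return "ALLOW"            # honeypot-to-honeypot: not crossing the boundary (simplification)
        # Outbound from a honeypot: alert once per honeypot, then rate-limit.
        if src not in self.flagged:
            self.flagged.add(src)
            self.alerts.append(f"t={ts} {src} initiated outbound to {dst}: probable compromise")
        recent = self._outbound[src]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()          # expire connections older than the window
        if len(recent) >= self.budget:
            return "DROP"             # budget exhausted: contain, do not let it scan others
        recent.append(ts)
        return "ALLOW"


# Constructed event timeline (seconds, src, dst); not captured data.
SAMPLE_EVENTS = [
    (0,    "198.51.100.7", "192.0.2.5"),    # attacker reaches the honeypot
    (5,    "192.0.2.5", "203.0.113.9"),     # honeypot starts talking out: compromised
    (6,    "192.0.2.5", "203.0.113.9"),
    (7,    "192.0.2.5", "203.0.113.10"),
    (8,    "192.0.2.5", "203.0.113.11"),
    (9,    "192.0.2.5", "203.0.113.12"),    # fifth allowed outbound connection
    (10,   "192.0.2.5", "203.0.113.13"),    # over budget: dropped
    (11,   "192.0.2.5", "203.0.113.14"),
    (3700, "192.0.2.5", "203.0.113.15"),    # window has rolled over: allowed again
]


def run_policy(events=SAMPLE_EVENTS):
    """Apply the policy to an event list; return (decisions, alerts)."""
    dc = DataControl()
    decisions = [dc.decide(*e) for e in events]
    return decisions, dc.alerts


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_policy()[0]):
        print(verdict, *event)
```

The point of the alert on the first outbound connection is the detection value the slides keep returning to: on a honeynet there is no baseline to learn, because any outbound traffic at all means the honeypot has been taken. The budget only limits the damage while the analyst gets to the packet logs.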
10
GATech Honeynet System
  • Huge network: 4 TB of data processed per day
  • Configuration:
    • Sub-standard systems
    • Open source software
    • Simple firewall for data control
11
IDS
  • Invisible Snort monitor, running in promiscuous mode
  • Two Snort sessions:
    • Session 1: signature analysis (monitoring)
    • Session 2: packet capture (data capture)
13
Data Analysis
  • Snort data capture: all packet logs stored
  • Requires human resources: one hour daily!
  • Ethereal used for forensic analysis
14
Detected Exploitations
  • 16 compromises detected
  • Worm attacks
  • Hacker attacks
15
Detecting Worm Exploits
  • Honeynet traffic is suspicious: nothing legitimate should be talking to a honeypot
  • Heuristic for worm detection: frequent port scans
  • Specific OS-vulnerability monitoring possible
  • Captured traffic helps signature development
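The worm heuristic on this slide can be made concrete: every source that touches the honeynet is a lead, and a source that hits many distinct honeypot addresses on one port inside a short window is sweeping rather than browsing, which is how a self-propagating worm behaves. The following is an added example by the editor, not code from the presentation or the Georgia Tech deployment, run over constructed flow records. The threshold of five targets in 60 seconds, the sample flows and the drafted Snort rule (Snort rule syntax, with a placeholder sid) are assumptions; note the slow sweep in the sample, which the window-based heuristic deliberately misses until the window is widened.

```python
"""Worm-sweep heuristic over honeynet connection records (illustrative).

Nothing legitimate talks to a honeynet, so every inbound connection attempt
is suspicious. The heuristic on the slide is frequent port scanning: a source
that touches many distinct honeypot addresses on one port inside a short
window behaves like a self-propagating worm, not a person. The output can be
turned into an IDS signature for the production network.
"""
from collections import defaultdict

SWEEP_MIN_TARGETS = 5   # distinct honeypot addresses on one port (assumed threshold)
SWEEP_WINDOW = 60       # seconds (assumed)

# Constructed flow records (epoch_seconds, src, dst, dst_port); not captured data.
SAMPLE_FLOWS = [
    (1000, "198.51.100.23", "192.0.2.1", 135),   # fast horizontal sweep on tcp/135
    (1001, "198.51.100.23", "192.0.2.2", 135),
    (1001, "198.51.100.23", "192.0.2.3", 135),
    (1002, "198.51.100.23", "192.0.2.4", 135),
    (1003, "198.51.100.23", "192.0.2.5", 135),
    (1005, "198.51.100.23", "192.0.2.6", 135),
    (1005, "203.0.113.40",  "192.0.2.3", 80),    # single probe: suspicious, not a sweep
    (1000, "198.51.100.77", "192.0.2.1", 445),   # slow sweep: one host every 100 s
    (1100, "198.51.100.77", "192.0.2.2", 445),
    (1200, "198.51.100.77", "192.0.2.3", 445),
    (1300, "198.51.100.77", "192.0.2.4", 445),
    (1400, "198.51.100.77", "192.0.2.5", 445),
]


def suspicious_sources(flows):
    """Every source that touched the honeynet at all, sorted; all are leads."""
    return sorted({src for _, src, _, _ in flows})


def detect_sweeps(flows, min_targets=SWEEP_MIN_TARGETS, window=SWEEP_WINDOW):
    """Return {(src, dport): peak distinct targets} for sources sweeping one port."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_key[(src, dport)].append((ts, dst))
    sweeps = {}
    for key, events in by_key.items():
        start = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:
                start += 1            # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps[key] = max(sweeps.get(key, 0), len(targets))
    return sweeps


def draft_snort_rule(dport, sid, proto="tcp"):
    """Draft a Snort rule for the production IDS from an observed sweep port.

    Snort rule syntax; $HOME_NET is Snort's own variable. The sid is a
    placeholder and must come from the local range (>= 1000000) when deployed.
    """
    return (f'alert {proto} any any -> $HOME_NET {dport} '
            f'(msg:"Honeynet-observed sweep on {proto}/{dport}"; flags:S; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print("sources seen:", suspicious_sources(SAMPLE_FLOWS))
    for (src, dport), n in detect_sweeps(SAMPLE_FLOWS).items():
        print(f"sweep: {src} hit {n} honeypots on tcp/{dport}")
        print(draft_snort_rule(dport, sid=1000001))
```

Widening the window to 600 seconds catches the slow sweep too, at the cost of more work per record; on a honeynet that trade-off is cheap, because the base rate of legitimate traffic is zero and the analyst's hour a day is the scarce resource.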
16
Saga of the Warez Hacker
  • Honeynet helped locate a compromised host
  • Very difficult to detect otherwise!
  • IIS exploit? → Warez server → Backdoor
17
Words of Wisdom
  • Start small
  • Good relationships help
  • Focus on Internal attacks
  • Don't advertise
  • Be prepared to spend time

18
Conclusion
  • Helped locate compromised systems
  • Can boost IDS research
  • Data capture
  • Distributed honeynets?
  • Hunting down honeypots:
    http://www.send-safe.com/honeypot-hunter.php

19
Discussion
  • The usefulness of the extra layer?
  • Dynamic honeynets
  • Comparison with IDS: are these a replacement or complementary?

(Diagram: IDS vs. Honeynet)
20
IDS vs. Honeynet
  • An IDS's primary function is detection and alerting
  • Honeynets use an IDS to detect and alert, but nothing is done to stop the threat
  • Their primary intent is to log and capture the effects and activities of the threat
  • Honeynets do not protect the network; protection is a side benefit, not the intent
