Introduction to Honeynets - PowerPoint PPT Presentation

1
Introduction to Honeynets
  • Ryan Smith
  • UT Honeynet Project
  • April 07, 2005

2
What is a Honeynet?
  • A closely monitored, highly controlled network
    containing computers with no legitimate users
    (honeypots)
  • The purpose of the network is to be probed,
    attacked and compromised

3
Honeynets: Goals
  • Gather information on the tools, tactics and
    motivations of the blackhat community
  • Let them probe, attack, and exploit systems we
    control (honeypots)
  • Monitor everything that the attacker does
  • Prevent the compromised honeypots from being used
    to attack other hosts outside the honeynet
  • Design the system in such a way that the hacker
    does not know they are on a honeynet

4
(No Transcript)

5
Honeynets: Benefits
  • Hackers are placed in a fishbowl by
    administrators
  • A low noise environment
      • Honeypots are not production systems
      • No real users to change the system
      • No authorized traffic on the network
  • Easily see each step in the attack process
      • Initial scans
      • Attacks launched
      • Actions on a compromised host

6
Honeynets: How It's Done
  • High-Interaction Honeynets
      • Use real or virtual machines
      • Require constant oversight
  • Low-Interaction Honeynets
      • Simulate hosts on a network
      • Appear to be live hosts

7
High-Interaction Honeynets
  • Basic Requirements
      • Data Capture
      • Data Control
      • Automated Alerting

8
H-I Honeynets: Data Capture
  • The more information we can gather from the
    honeynet, the better.
  • Network Based
      • Firewall logs
      • IDS logs
      • Full packet capture
  • Host Based
      • Bug the honeypots to gather hackers' keystrokes
        and covertly transfer that data over the network
  • Forensic analysis is much easier since you know
    the system was in a sane state before the
    compromise.

9
H-I Honeynets: Data Control
  • Must prevent the compromised honeypots from being
    used to attack non-honeynet systems.
  • Connection-Limiting Firewall
      • Let inbound connections in without a problem
      • Prevent large amounts of outbound connections
  • Intrusion Prevention System
      • Based on intrusion detection systems
      • Sits in-line between honeypots and outside world
      • Can selectively drop outbound attack traffic

10
H-I Honeynets: Automated Alerts
  • Data control is not perfect; administrators must
    be able to respond quickly to compromised
    honeypots.
  • Alerts are automatically generated by
      • Keystroke activity on the host
      • Outbound connections from the honeynet
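
The connection-limiting and outbound-alerting rules from slides 9 and 10, as an added sketch that is not part of the original presentation: it replays a connection log, lets inbound traffic through, caps outbound connections per honeypot in a sliding window, and raises an alert for every outbound attempt. The honeynet range, the cap, the window and the sample log are all assumed, constructed values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("10.0.0.0/24")  # assumed honeynet range (constructed)
MAX_OUTBOUND = 3                      # assumed cap on outbound connections...
WINDOW = 3600                         # ...per honeypot per sliding window (s)

def data_control(connections):
    """Return (verdicts, alerts) for time-ordered (ts, src, dst) connections."""
    recent = defaultdict(deque)  # honeypot IP -> times of allowed outbound
    verdicts, alerts = [], []
    for ts, src, dst in connections:
        leaving = ip_address(src) in HONEYNET and ip_address(dst) not in HONEYNET
        if not leaving:
            # Inbound traffic is let in without a problem (slide 9).
            verdicts.append("ALLOW")
            continue
        window = recent[src]
        while window and ts - window[0] >= WINDOW:
            window.popleft()  # forget connections older than the window
        if len(window) < MAX_OUTBOUND:
            window.append(ts)
            verdict = "ALLOW"
        else:
            verdict = "DROP"  # large amounts of outbound connections are prevented
        verdicts.append(verdict)
        # Honeypots have no legitimate users, so every outbound attempt alerts.
        alerts.append(f"t={ts} outbound {src} -> {dst}: {verdict}")
    return verdicts, alerts

# Constructed sample connection log: (seconds, source IP, destination IP).
SAMPLE = [
    (0, "198.51.100.7", "10.0.0.5"),     # inbound probe
    (10, "198.51.100.7", "10.0.0.5"),    # inbound follow-up connection
    (100, "10.0.0.5", "203.0.113.9"),    # outbound 1 from honeypot .5
    (110, "10.0.0.5", "203.0.113.10"),   # outbound 2
    (120, "10.0.0.5", "203.0.113.11"),   # outbound 3 (cap reached)
    (130, "10.0.0.5", "203.0.113.12"),   # outbound 4: over the cap
    (140, "10.0.0.6", "203.0.113.9"),    # different honeypot, own counter
    (3800, "10.0.0.5", "203.0.113.13"),  # earlier entries have aged out
]

if __name__ == "__main__":
    verdicts, alerts = data_control(SAMPLE)
    for (ts, src, dst), verdict in zip(SAMPLE, verdicts):
        print(ts, src, dst, verdict)
    print("\n".join(alerts))
```
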

11
Low-Interaction Honeynets
  • Scripted/Simulated environments that fool hackers
    into thinking they are on real systems
  • Honeyd
      • Huge number of different operating systems
      • Huge number of different services for each OS
      • Can simulate entire networks of hosts
  • Tiny Honeypot
      • Ultra-low interaction honeypot
      • Allows hackers to upload tools then stores them
        for further analysis

12
Honeynet Successes
  • Azusa Pacific University
      • Discovered an automated, online credit card fraud
        ring based on IRC channels
      • Coordinated with law enforcement to have the
        channels shut down
  • Georgia Tech
      • Have discovered over 150 hosts on their network
        that have been hacked
  • Sandia National Labs
      • Bait-and-switch honeynets to protect
        super-computing facilities

13
Any Questions?
  • Thank you for your time.
  • Contact
      • RyanSmith_at_mail.utexas.edu
  • Links
      • UTComsoc.org UT Honeynet Project website
      • www.honeynet.org Honeynet Project website