Be afraid, Be very afraid - 123seminarsonly.com

Page 1:

Honey Pot

Presented By Shubha Joshi, M.Tech(CS)

Be afraid, Be very afraid

Page 2:

Problems with the internet: Why?

Page 3:

Problems

• Internet security is hard
– New attacks every day
– Our computers are static targets

• What should we do?

• The more you know about your enemy, the better you can protect yourself

• Fake target?

Page 4:

Solutions?

[Figure: an air attack against a Real target and a Fake target; the attack on the fake target is marked “Detected….”]

Page 5:

Contents

• What are Honey pots?
• Etymology
• History
• Classification
• How do Honey pots work?
• Advantages
• Disadvantages
• Honeyd
• Honey Nets
• Google Hack Honey pot
• Conclusion

Page 6:

Honeypot – What is it?

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

• Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise

• Used for monitoring, detecting and analyzing attacks

• Does not solve a specific problem. Instead, honeypots are a highly flexible tool with different applications to security.

Page 7:

Continue….

• A trap set to detect and deflect attempts at unauthorized use of information systems.

• It consists of a computer, data or a network site that appears to be part of a network but which is actually isolated & protected.

• Whatever they capture is supposed to be malicious & unauthorized.

Page 8:

Etymology

• The term refers to the English children’s character “Winnie-the-Pooh”

• During the cold war it was a technique which inspired spy fiction.

• It is a reflection of the sarcastic term for outhouses and other methods of collecting human waste in places that lack indoor plumbing.

Page 9:

History of Honeypots

• 1990/1991 - The Cuckoo’s Egg (Clifford Stoll) and Evening with Berferd (Bill Cheswick)

• 1997 - Deception Toolkit
It is one of the original & landmark honey pots. It is generally a collection of PERL scripts designed for UNIX systems.

• 1998 - CyberCop Sting
It is a component of the CyberCop intrusion protection software family which runs on NT. It is referred to as a “decoy” server as it can emulate a big network containing several different types of network devices.

• 1998 - NetFacade (and Snort)
It has the same functionality as CyberCop but in a much larger space.

Page 10:

Continue….

• 1998 – Back Officer Friendly
It runs on Windows and was free, thus giving more people access to Honey pot Technology.

• 1999 - Formation of the Honey net Project
A group of people led by “Lance Spitzner” formed this project, which is dedicated to researching the black hat community and to sharing their work with others.

• 2003 – Some Honey pot Tools
Snort-Inline 12: used not only to detect but also to block & disable attacks.
Sebek: used to capture hacker activities by logging their keystrokes.
Virtual Honey nets: used to deploy multiple honey nets with just one computer.

Page 11:

Classification

• By level of interaction
– High
– Low

• By Implementation
– Virtual
– Physical

• By purpose
– Production
– Research

Page 12:

Level of Interaction

Interaction defines the level of activity a honey pot allows an attacker.

• Low Interaction
– Simulates some aspects of the system
– Easy to deploy, minimal risk
– Limited Information
– Honeyd

• High Interaction
– Simulates all aspects of the OS: real systems
– Can be compromised completely, higher risk
– More Information
– Honey-net

Page 13:

Level of Interaction

[Figure: scale from Low to High interaction across the layers an attacker can reach: Fake Daemon, Operating system, Disk, Other local resource]

Page 14:

Difference b/w Low & High Interaction

Low-interaction
• Solution emulates operating systems and services.
• Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
• Minimal risk, as the emulated services control what attackers can and cannot do.
• Captures limited amounts of information, mainly transactional data and some limited interaction.

High-interaction
• No emulation; real operating systems and services are provided.
• Can capture far more information, including new tools, communications, or attacker keystrokes.
• Can be complex to install or deploy (commercial versions tend to be much simpler).
• Increased risk, as attackers are provided real operating systems to interact with.

Page 15:

Physical V.S. Virtual Honeypots

• Two types
  – Physical
    • Real machines
    • Own IP Addresses
    • Often high-interactive
  – Virtual
    • Simulated by other machines that:
      – Respond to the traffic sent to the honeypots
      – May simulate a lot of (different) virtual honeypots at the same time

Page 16:

Production Honey Pots: Protect the systems

Production Honey pots are systems that are used in an organization to mitigate risk. They help in securing systems & networks.

Security has been divided into three categories:

• Prevention
– Keeping the bad guys out
– Honey pots are not effective prevention mechanisms.
– Deception, Deterrence, Decoys do NOT work against automated attacks: worms, auto-rooters.

Page 17:

Continue…..

• Detection
– Detecting the attacker when he breaks in.
– Great work

• Response
– Can easily be pulled offline
– Little to no data pollution

Page 18:

Research HPs: gathering information

They capture extensive information and are used primarily by research, military and government organizations. They can be used:

• To capture automated threats, such as worms or auto-rooters
• To discover new tools and tactics
• As an early warning mechanism, predicting when future attacks will happen
• To better understand attackers' motives and organization
• To develop analysis and forensic skills
• To capture unknown tools or techniques

Page 19:

How do HPs work?

[Figure: Attackers → Gateway → HoneyPot A; the gateway is labelled Prevent, Detect, Response and Monitor, Attack Data flows back from the honeypot, and the honeypot has “No connection” elsewhere]

Page 20:

Advantages

• Small data sets of high value
• New tools and tactics
• Minimal resources
• Information
• Simplicity

Page 21:

Disadvantages

• Limited view: They can only track and capture activity that directly interacts with them

• Risk: They have the risk of being taken over by the bad guy and being used to harm other systems

Page 22:

Honeyd

• A virtual honey pot application, which allows us to create thousands of IP addresses with virtual machines and corresponding network services.

• It is open source software released under the GNU General Public License.

• It is able to simulate a big network on a single host.

• It provides simple functionality.
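The low-interaction model described on the Level of Interaction and Difference b/w Low & High Interaction slides, and the Honeyd template idea above (a personality plus a set of emulated services bound to an address, with a default action for every other port), as an added Python example. This is not Honeyd's own code and not part of the original slides; the virtual hosts, addresses, banners and service emulators are constructed for illustration, and the listener binds only to loopback.

```python
"""Added example: a Honeyd-style low-interaction emulator (not Honeyd's code)."""
import json
import socketserver
from datetime import datetime, timezone


# --- service emulators: each takes the first bytes the client sent and
#     returns what the fake daemon answers. Input is only logged, never executed.
def fake_ssh(payload: bytes) -> bytes:
    # A real sshd greets with its version string; we do the same and hang up.
    return b"SSH-2.0-OpenSSH_7.4\r\n"


def fake_http(payload: bytes) -> bytes:
    body = b"<html><body><h1>It works!</h1></body></html>"
    head = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
            b"Content-Type: text/html\r\nContent-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(body))
    return head + body


class Template:
    """Plays the role of Honeyd's create / set personality / add port /
    set default action configuration blocks (constructed model, not Honeyd)."""

    def __init__(self, personality, services, default_action="reset"):
        self.personality = personality          # OS name the virtual host presents
        self.services = services                # {tcp port: emulator function}
        self.default_action = default_action    # "reset" = closed port, "block" = silent drop


# Virtual hosts bound to spare (constructed) addresses, like Honeyd's bind lines.
HOSTS = {
    "10.0.0.10": Template("Linux 2.6", {22: fake_ssh, 80: fake_http}),
    "10.0.0.11": Template("Windows XP", {80: fake_http}, default_action="block"),
}


def handle_probe(hosts, dst_ip, dst_port, src, payload, events):
    """Decide how the virtual host at dst_ip answers a probe to dst_port.

    Appends one record to `events` (the honeypot's data capture) and returns
    (action, response_bytes). The virtual addresses have no production use,
    so every record here is suspicious by definition.
    """
    tmpl = hosts.get(dst_ip)
    if tmpl is None:
        action, response = "unbound", b""
    elif dst_port in tmpl.services:
        action, response = "emulate", tmpl.services[dst_port](payload)
    else:
        action, response = tmpl.default_action, b""
    events.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "src": src,
        "dst": f"{dst_ip}:{dst_port}",
        "personality": tmpl.personality if tmpl else None,
        "action": action,
        # bounded, printable copy of what the client sent
        "payload": payload[:256].decode("latin-1"),
    })
    return action, response


class ProbeHandler(socketserver.BaseRequestHandler):
    """Stand-alone listener: one real loopback socket standing in for 10.0.0.10:80."""
    VIRTUAL_HOST, VIRTUAL_PORT = "10.0.0.10", 80
    events = []

    def handle(self):
        self.request.settimeout(5)
        try:
            payload = self.request.recv(1024)
        except OSError:          # client sent nothing within the timeout
            payload = b""
        src = "%s:%d" % self.client_address
        action, response = handle_probe(HOSTS, self.VIRTUAL_HOST, self.VIRTUAL_PORT,
                                        src, payload, self.events)
        if action == "emulate":
            self.request.sendall(response)
        print(json.dumps(self.events[-1]))


if __name__ == "__main__":
    with socketserver.TCPServer(("127.0.0.1", 8080), ProbeHandler) as srv:
        srv.serve_forever()
```

The emulators return canned bytes and never interpret the client's input, which is exactly why the low-interaction approach carries minimal risk and also why it captures only transactional data: an attacker can see the banner and the logged request, but there is no real daemon, disk or OS behind it to compromise.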

Page 23:

Working of Honeyd

Page 24:

Honey net

Page 25:

What is a Honeynet

A Honey net is a prime example of High-Interaction honey pots. It is basically an architecture, an entire network of computers designed to be attacked.

• It is an architecture, not a product or software.

• Once compromised, data is collected to learn the tools, tactics, and motives of the blackhat community.

• Populated with real systems.

• High-interaction honey pot designed to:
– capture in-depth information
– learn who would like to use your system without your permission

Page 26:

How it works

• A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.

• Any traffic entering or leaving the Honeynet is suspect by nature.

Page 27:

Honey-net Architecture

• The key to the honey net architecture is the “Honey wall”. This is a gateway device that separates your honey pots from the rest of the world.

• Any traffic going to or from the honey pots must go through the honey wall.

• This gateway is traditionally a layer 2 bridging device, meaning the device should be invisible to anyone interacting with the honey pots.

Page 28:

Page 29:

There are several key requirements that a honey wall must implement:

Data Control: defines how activity is contained within the honey net without an attacker knowing it. Its purpose is to minimize risk.

Data Capture: capturing all of the attacker's activity without the attacker knowing it.

Data Analysis: the ability to analyze this data.

Data Collection: the ability to collect data from multiple honey nets to a single source.

Of all these requirements, Data Control is the most important. Data Control always takes priority as its role is to mitigate risk.
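The Honey-net Architecture slide and the honey wall requirements above, as an added Python example of a Data Control and Data Capture policy. This is not the Honeynet Project's Honeywall code and is not part of the original slides. The model assumes the honey wall bridges frames between the honey pots and the outside, so it sees every flow in both directions without an address of its own: inbound flows are always allowed (the point is to let attackers in), outbound flows from a honey pot are counted over a sliding window and silently dropped past a limit, and every flow is captured. The addresses, limit and flow records are constructed.

```python
"""Added example: honeywall-style Data Control + Data Capture (not Honeywall code)."""
from collections import defaultdict, deque


class Honeywall:
    def __init__(self, honeypots, limit=5, window=3600):
        self.honeypots = set(honeypots)        # addresses behind the bridge
        self.limit = limit                     # outbound connections allowed per window
        self.window = window                   # window length in seconds
        self._outbound = defaultdict(deque)    # honeypot -> timestamps of allowed outbound
        self.capture = []                      # Data Capture: every flow and its verdict

    def decide(self, src, dst, now):
        """Return 'allow' or 'drop' for a new connection src -> dst at time `now`."""
        src_hp, dst_hp = src in self.honeypots, dst in self.honeypots
        if dst_hp and not src_hp:
            verdict, reason = "allow", "inbound to honeypot"
        elif src_hp and not dst_hp:
            q = self._outbound[src]
            while q and now - q[0] >= self.window:      # expire entries outside the window
                q.popleft()
            if len(q) < self.limit:
                q.append(now)
                verdict, reason = "allow", f"outbound {len(q)}/{self.limit} in window"
            else:
                # Drop rather than reset: a RST would reveal that a filter exists,
                # and Data Control is meant to contain without the attacker knowing.
                verdict, reason = "drop", "outbound limit reached"
        elif src_hp and dst_hp:
            verdict, reason = "allow", "honeypot to honeypot"
        else:
            verdict, reason = "drop", "neither endpoint is a honeypot"
        self.capture.append({"time": now, "src": src, "dst": dst,
                             "verdict": verdict, "reason": reason})
        return verdict


def run_sample():
    """Replay constructed flow records (seconds since start, src, dst)."""
    hw = Honeywall({"10.0.0.10", "10.0.0.11"}, limit=3, window=3600)
    flows = [
        (0,    "203.0.113.5", "10.0.0.10"),    # scanner reaches the honeypot: allowed in
        (10,   "10.0.0.10",   "203.0.113.5"),  # honeypot calls back: outbound 1/3
        (20,   "10.0.0.10",   "198.51.100.7"), # outbound 2/3
        (30,   "10.0.0.10",   "198.51.100.8"), # outbound 3/3
        (40,   "10.0.0.10",   "198.51.100.9"), # over the limit: dropped silently
        (50,   "203.0.113.5", "10.0.0.10"),    # attacker can still come in
        (3700, "10.0.0.10",   "198.51.100.9"), # window expired: allowed again
    ]
    verdicts = [hw.decide(src, dst, t) for t, src, dst in flows]
    return verdicts, hw.capture


if __name__ == "__main__":
    for record in run_sample()[1]:
        print(record)
```

The limit counts connections rather than bytes, so a few outbound downloads by the attacker are still allowed (that activity is worth capturing) while a compromised honey pot cannot be used as a launch point against third parties. That is the “Harm” risk on the Risk & Issues slide, and why Data Control takes priority over the other three requirements.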

Page 30:

Honey net Advantages

• High Data Value
• Small Data
• Low Resource Cost
• Weak or Retired systems
• Simple Concept, Flexible Implementation
• Return on Investment
• Proof of Effectiveness
• Catch new attacks

Page 31:

Risk & Issues

• In reference to risk, there are four general areas we will cover:

Harm: when a honey net is used to attack or harm other, non-honey net systems.

Detection: Once the true identity of a honey net has been identified, its value is dramatically reduced.

Disabling: Attackers may want to not only detect a honey net's identity, but disable its Data Control or Data Capture capabilities.

Violation: Attackers may attempt criminal activity from your compromised honey net without actually attacking anyone outside your honey net.

Page 32:

What’s The Difference b/w honeypot & Honeynet

• Honeypots use known vulnerabilities to attract attackers.
– Configure a single system with special software or system emulations
– Want to find out actively who is attacking the system

• Honeynets are networks open to attack
– Often use default installations of system software
– Capture extensive amounts of information
– Basically a collection of Honey pots

Page 33:

Google Hack Honeypot

• Google Hack Honey pot emulates a vulnerable web application by allowing itself to be indexed by search engines.

• It's hidden from casual page viewers, but is found through the use of a crawler or search engine.

• The transparent link will reduce false positives.
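The mechanism described on this slide, as an added Python example that is not the Google Hack Honeypot project's code and not part of the original presentation. A public landing page carries a transparent link to a decoy path that looks like an exposed admin login; human visitors never see the link, so the only ways to reach the decoy are to crawl it (search engines indexing it) or to arrive from a search result, and every hit on it is recorded and classified. The decoy path, crawler patterns, referer patterns and sample requests are constructed assumptions.

```python
"""Added example: a Google-Hack-Honeypot-style web decoy (not the GHH project's code)."""
import re
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

DECOY_PATH = "/admin/login.php"          # assumed decoy location, not a real app
CRAWLER_RE = re.compile(r"googlebot|bingbot|yandexbot|duckduckbot", re.I)
SEARCH_REFERER_RE = re.compile(r"https?://[^/]*\b(google|bing|yandex|duckduckgo)\.", re.I)
EVENTS = []                              # data capture for hits on the decoy


def landing_page():
    # Text-less anchor hidden from display: crawlers follow it, people cannot click it,
    # which is what keeps accidental human visits (false positives) out of the log.
    return ('<html><body><h1>Welcome</h1><p>Nothing to see here.</p>'
            f'<a href="{DECOY_PATH}" style="display:none"></a></body></html>')


def decoy_page():
    # Looks like a login form; it never authenticates anyone or touches a backend.
    return ('<html><body><h2>Administration</h2><form method="post">'
            '<input name="user"><input name="pass" type="password">'
            '<button>Login</button></form></body></html>')


def classify(path, user_agent="", referer=""):
    """None for non-decoy paths; otherwise how the client found the decoy."""
    if path != DECOY_PATH:
        return None
    if CRAWLER_RE.search(user_agent):
        return "indexing"          # expected: a search engine discovering the decoy
    if SEARCH_REFERER_RE.search(referer):
        return "search-probe"      # arrived from a search result: the interesting case
    return "direct-probe"          # typed or scripted access to an unpublished path


def app(environ, start_response):
    """WSGI application serving the landing page and the decoy."""
    path = environ.get("PATH_INFO", "/")
    ua = environ.get("HTTP_USER_AGENT", "")
    ref = environ.get("HTTP_REFERER", "")
    kind = classify(path, ua, ref)
    if kind:
        EVENTS.append({
            "client": environ.get("REMOTE_ADDR", "?"),
            "kind": kind,
            "method": environ.get("REQUEST_METHOD", "GET"),
            "user_agent": ua,
            "referer": ref,
            "query": parse_qs(environ.get("QUERY_STRING", "")),
        })
        body = decoy_page()
    elif path == "/":
        body = landing_page()
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


if __name__ == "__main__":
    # Loopback only; put a real deployment behind its own hostname and logging.
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```

Hits classified as "indexing" are the cost of doing business (the decoy must be indexed to work), while "search-probe" records are the signal the technique is built for: a client that found an unadvertised admin page through a search engine and chose to open it.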

Page 34:

Conclusion

• Honeypots are not a solution, they are a flexible tool with different applications to security.

• Primary value in detection and information gathering.

• Just the beginning for honeypots.

Page 35:

Thanks

Queries??