HONEYPOTS
Mathew Benwell, Sunee Holland, Grant Pannell

Introduction
- What is a honeypot?
  - "An information system resource whose value lies in unauthorized or illicit use of that resource" (Spitzner 2003)
- Types of honeypots
  - Production vs. Research
    - Production – captures limited information, for mitigating risk, used in a corporate setting
    - Research – captures lots of information, learn about threats, develop better protection
  - Prevention, detection, reaction
    - Prevention – keeping a threat out
    - Detection – sensing attacks, alerting admins
    - Reaction – responding to a threat
  - Low-interaction, medium-interaction, high-interaction
    - More detail later on
- Implementations
  - Honeynets/honeyfarms
    - Network of real computers, high risk, high information gain
  - Spamtraps
    - Honeypot used to collect spam
    - Usually addresses that prevent legitimate use to ensure all use is illegitimate
    - Usenet newsgroups lure cross-posted spam
  - Virtualisation
    - VMware
    - honeyd
  - Fake APs
  - Fake web servers
  - Network services
    - Emulate telnet, FTP, SMTP, POP3, HTTP
  - Multipurpose solutions
    - Mantrap, Deception Toolkit, HOACD

Advantages/Disadvantages
- Advantages
  - Data collection
    - Only captures relevant data
    - Small data sets
    - High value
  - Minimise resource usage
    - Less bandwidth or activity than other security implementations
  - Simplicity
    - Less complex than other security mechanisms such as Intrusion Detection Systems
    - Less chance of misconfiguration
  - Cost
    - No need for high resource usage
    - Depends on the application
- Disadvantages
  - Single point of attack
    - Useless if it is not attacked
  - Risk
    - Have a risk of being exploited – depends on the type of honeypot
    - More detail later on
  - Limited view
    - Limited data – only captures what interacts with it and not the whole scope of the system
  - Cost
    - Deployment costs, analysis costs
    - Depends on the application

Security & Risks
- 3 Types of Honeypots Classified by Risk
  - Low-Interaction
    - Emulated Services – No requests, only Connections
  - Medium-Interaction
    - Emulated Services – Requests with Faked Responses
  - High-Interaction
    - Software/Operating System Services – Direct access to data
- Emulated Software and OS need to be up-to-date, hardened
  - Possible Exploitation
  - Access to OS
  - Buffer Overruns, etc.
- Always Monitor Honeypot
  - Can use IDS/Firewall between Hacker and Honeypot
  - Log Requests, Connections, Patterns
  - Lack of monitoring
    - What happens?
- Virtualisation (VMware, etc.)
  - Can help if resources limited
  - Leaves host intact, runs new OS on top of the running OS
  - Virtualisation software exploitable
    - Access to host OS
- Secure Honeypot By:
  - Physical disconnection
  - DMZs and ACLs (Logical)
    - Predict hacker entry point
    - Put honeypot in same zone
    - ACL to control access between DMZ and sensitive network
    - ACL to filter honeypot traffic
- Honeypot Compromised?
  - Identity found – send bogus data
  - Emulated software not accurate
  - Exploit emulation/software/OS
    - Disable Honeypot
    - Remove Gathered Data
    - Spam Relay, DoS, Attack Hosts

Legal Issues & Evidence
- Types of Evidence
  - Content
    - Keystrokes, Actions, Requests, Credentials
  - Transactional
    - Time, Duration, Protocol, Service, Source, Destination
- Entrapment
  - May exclude evidence
  - May not be relevant
    - Only applies if public law enforcement involved
- Privacy
  - Laws against tracking real-time data
  - Law depends on location of honeypot and hacker
  - Production Honeypots – exempt by Service Provider Protection Law, maybe
  - Research Honeypots – depends if Transactional or Content data
    - Content data more sensitive
  - Prompt user that all activity is logged?
  - No certain decision yet (2003)
- Integrity of Evidence
  - Identity of Honeypot Compromised
    - Bogus Data & Patterns
  - Not all data sent to honeypot is malicious
    - Routine Network Broadcasts
  - Limited View on Network
    - May not be relevant to legitimate hosts
  - Always log!
    - Checksums, Timestamps
  - Chain of Custody Documentation
    - Preparation, Activities, Shutting Down, Copying, Analysis
- Liability
  - If compromised, ensure honeypot not used to attack other hosts or organisations
  - Hacker liable? Administrator liable?
    - Yet to have certain decision (2003)
  - Cannot re-attack hacker, classed as DoS!
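
The "Always log! Checksums, Timestamps" point above, as an added example that is not part of the original presentation: a tamper-evident log of transactional evidence in which each entry's SHA-256 checksum covers the previous entry's checksum. The function names, the GENESIS value and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain
# Transactional fields named on the slide; content data is deliberately not stored.
FIELDS = ("time", "duration", "protocol", "service", "source", "destination")

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_record(log, event):
    """Append one connection event, chaining its checksum to the previous entry."""
    missing = [f for f in FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing transactional fields: {missing}")
    record = {f: event[f] for f in FIELDS}
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry

def verify_chain(log):
    """Return the index of the first entry that fails verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return None

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    {"time": "2003-05-01T10:00:00Z", "duration": 2.1, "protocol": "tcp",
     "service": "telnet", "source": "198.51.100.7:40112", "destination": "192.0.2.10:23"},
    {"time": "2003-05-01T10:03:12Z", "duration": 0.4, "protocol": "tcp",
     "service": "ftp", "source": "198.51.100.7:40130", "destination": "192.0.2.10:21"},
    {"time": "2003-05-01T10:09:45Z", "duration": 7.8, "protocol": "tcp",
     "service": "smtp", "source": "203.0.113.44:51900", "destination": "192.0.2.10:25"},
]

def build_sample_log():
    log = []
    for ev in SAMPLE_EVENTS:
        append_record(log, ev)
    return log

if __name__ == "__main__":
    print("first bad entry:", verify_chain(build_sample_log()))
```

The chain detects edits and removed entries in the middle of the log, but not truncation of the most recent entries, so the latest checksum should be recorded off the honeypot alongside the chain of custody documentation.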

Recommendation
- VMware - Research
  - High-Interaction
  - Easy preservation of memory contents
  - Easy duplication of disk contents
  - System easily restored
  - May be less likely to stand up in court
  - Ensure host system is appropriately secured
  - Use host integrity checks to verify host security
- Honeyd - Production
  - Medium-Interaction
  - Mimics any service
  - Mimics multiple operating systems
  - Not a full operating system so reduces some honeypot risks