Honeypot Research
Hung Nguyen, Brendan Roberts
Comp 4027 Forensic and Analytical Computing
Overview

Scope
What is Needed
– How will Honeypot Software help?
– What will the intended result be?
Risks and Mitigation Strategies
Pros/Cons of Honeypot Software
Recommendations
Scope

Supervisor has assigned us the task of gathering evidence of illicit activity on a host machine.
Supervisor expresses concerns that a particular server has been infiltrated in the past.
And so...
– We need to be able to detect any intrusions
– We need to be able to gather enough information about the intrusion so as to prosecute the perpetrator(s).
What is needed?

Deployment of Honeypot Software suggested…
– Need to maintain the integrity of the system
– Need to be able to detect that an intrusion has occurred
– Need to be able to log illicit activity that occurs.
How Will Honeypot Software Help?

Allows us to set up a decoy system
– A system that is designed to be attacked
– Imitates the original server, without exposing the server to further illicit activity when intrusion occurs
– Gives us the tools to monitor this activity, to be used as evidence.
Intended Results…

Work out if intrusions are occurring
– Work out how these intrusions are occurring and what the target of the intrusion is
– Preventing intrusions of this kind in the future, if possible
Catching the perpetrator
– Having enough evidence that they are doing something wrong by accessing the network
– Prosecution
Risks and Mitigation Strategies

Allowing the network to be further exposed by the decoy system (preventing jump-off attacks)
– Need to consider where in the system architecture the decoy system is placed
  We are assuming that intruders are ‘hacking in’, rather than the perpetrator being inside the organisation.
  Can either place the Honeypot external to the network, or if a Demilitarised Zone exists, place it there.
Risks and Mitigation Strategies

Honeypot discovery
– If the Honeypot is discovered, the intruder may be deterred from doing something wrong.
  Can be mitigated by making sure the victim/decoy system is as clean as possible of any evidence of anything about Honeypots or Intrusion Detection Systems.
Risks and Mitigation Strategies

Honeypot is too enticing, inviting and entrapping perpetrators
– Don’t advertise/invite the perpetrators in
– Keep everything on the decoy system as it was on the real system, rather than being more enticing.
Risks and Mitigation Strategies

Sensitivity of content on the real system
– If the content on the real system is:
  Sensitive
  Imperative to the smooth running of workflow in the institution
  Private or Confidential
– ... is it possible to put false data on the decoy system so as to avoid exposing the real data?
Pros/Cons

Pros:
– Allows detection and dealing with intrusions without compromising the original system, by setting up a decoy / victim system.
Cons:
– If the Honeypot system is broken out of, then what? Is the system compromised again?
– Incorrect server architecture may not correctly identify the intruder (for example, if an insider can intrude from inside the network, then having a Honeypot on the external network or DMZ won’t matter much)
Recommendations

Implement a Honeypot
– Interest has been sparked over HoneyD software
  Open source software developed by Niels Provos
  Offers tools for detection of intrusion, as well as the ability to set up virtual (decoy) hosts on a system as various services, such as ftp or mail servers etc.
  Allows the virtual host to take up some or all of the unused IP addresses on the network to detect other potential malicious issues, such as worms and IP sniffing.
  Has the ability to assign multiple IP addresses to the one virtual host.
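The HoneyD features listed above (a virtual decoy host offering ftp and mail, bound to several unused addresses, with logging for evidence), written out as a honeyd.conf. This is an added example, not from the presentation or the HoneyD project; the 192.0.2.x addresses, the OS fingerprint name and the service script path are assumptions (the personality string must match an entry in HoneyD's nmap.prints file, and the script path refers to the scripts/ directory of the HoneyD distribution).

```conf
# honeyd.conf -- added example for the recommendation above, not from the slides.
# Assumptions: 192.0.2.0/24 is the unused DMZ range; the fingerprint name and
# scripts/smtp.sh are taken from the HoneyD distribution and may differ per version.

# Catch-all template: anything not explicitly bound is silently dropped, so the
# decoy never advertises more than the real server did (see the "too enticing" risk).
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# The decoy itself: same OS fingerprint and the same two services (ftp, mail) as the
# server under investigation; all other ports answer with a reset, like a real closed port.
create decoy
set decoy personality "Linux 2.4.20"
set decoy default tcp action reset
set decoy default udp action reset
set decoy uptime 1728000
add decoy tcp port 21 open
add decoy tcp port 25 "sh scripts/smtp.sh"

# One virtual host on several unused addresses, so scans, worms and sweeps of the
# range are recorded by the decoy instead of reaching production.
bind 192.0.2.21 decoy
bind 192.0.2.22 decoy
bind 192.0.2.23 decoy

# Start with packet and service logging so activity is kept as evidence (runs as root):
#   honeyd -d -f honeyd.conf -l /var/log/honeyd/packets.log -s /var/log/honeyd/services.log 192.0.2.0/24
```

The log files named by -l and -s are the evidence trail; keep them on a host other than the decoy so an intruder who breaks out of the honeypot cannot alter them.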