Honeypots and Honeynets - PowerPoint PPT Presentation

1
Honeypots and Honeynets
  • Source: The Honeynet Project, http://www.honeynet.org/
  • Mehedy Masud
  • September 16, 2009
  • mehedy@utdallas.edu

2
Why Honeypots
  • A great deal of the security profession and the
    IT world depends on honeypots. Honeypots are used to:
  • Build anti-virus signatures.
  • Build spam signatures and filters.
  • Help ISPs identify compromised systems.
  • Assist law enforcement in tracking criminals.
  • Hunt and shut down botnets.
  • Collect and analyze malware.

3
What are Honeypots
  • Honeypots are real or emulated vulnerable systems
    ready to be attacked.
  • Primary value of honeypots is to collect
    information.
  • This information is used to better identify,
    understand and protect against threats.
  • Honeypots add little direct value to protecting
    your network; their value is the intelligence they
    yield about who attacks you and how.

4
Types of Honeypot
  • Server: put the honeypot on the Internet and let
    the attackers come to you.
  • Client: the honeypot initiates connections and
    interacts with servers (for example by crawling web sites).
  • Other: proxies.

5
Types of Honeypot
  • Low-interaction
  • Emulates services, applications, and OSs.
  • Low risk and easy to deploy/maintain, but capture
    limited information.
  • High-interaction
  • Real services, applications, and OSs
  • Capture extensive information, but high risk and
    time intensive to maintain.

6
Types of Honeypot
  • Production
  • Easy to use/deploy
  • Capture limited information
  • Mainly used by companies/corporations
  • Placed inside production network w/other servers
  • Usually low interaction
  • Research
  • Complex to maintain/deploy
  • Capture extensive information
  • Primarily used for research, military, or govt.
    orgs

7
Examples of Honeypots
  • Low interaction: BackOfficer Friendly, KFSensor, Honeyd
  • High interaction: Honeynets
8
Honeynets
  • High-interaction honeypot designed to capture
    in-depth information.
  • Information has different value to different
    organizations.
  • It's an architecture you populate with live
    systems, not a product or software.
  • Any traffic entering or leaving is suspect, since
    the systems have no production purpose.

9
How It Works
  • A highly controlled network where every packet
    entering or leaving is monitored, captured, and
    analyzed.
  • Data Control
  • Data Capture
  • Data Analysis

10
Honeynet Architecture
11
Data Control
  • Mitigate the risk of the honeynet being used to
    harm non-honeynet systems.
  • Count outbound connections and drop them once a
    honeypot exceeds its limit.
  • IPS (Snort-inline) to drop or modify known attacks
    leaving the honeynet.
  • Bandwidth throttling.
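The three controls on this slide are implemented on the Honeywall with iptables and Snort-inline. The Python below is an added illustration of the decision logic, not Honeywall code: a per-honeypot, per-protocol hourly connection budget, an inline payload-signature check standing in for the IPS, and a bytes-per-second throttle. The limit values, the signatures and the sample traffic are all assumptions of this example.

```python
"""Model of the three honeynet data-control mechanisms: outbound connection
limits, inline signature drops (what Snort-inline does) and bandwidth
throttling.  Added illustration only; the Honeywall CDROM implements these
with iptables and snort_inline, and every limit value here is an assumption."""
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600                                      # budget is per honeypot, per protocol, per hour
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}  # assumed outbound connection limits
BYTES_PER_SECOND = 10_000                                  # assumed outbound throttle per honeypot
SIGNATURES = [b"/bin/sh", b"\x90\x90\x90\x90"]             # toy inline-IPS payload signatures


@dataclass
class Flow:
    ts: float        # seconds since epoch
    src: str         # honeypot address (inside the honeynet)
    proto: str       # "tcp", "udp", "icmp", ...
    dst: str         # outside host the honeypot is trying to reach
    payload: bytes = b""


@dataclass
class DataControl:
    conns: dict = field(default_factory=dict)       # (src, proto) -> timestamps of recent outbound connections
    bytes_sent: dict = field(default_factory=dict)  # src -> (second, bytes sent within that second)

    def decide(self, f: Flow) -> str:
        """Return the verdict for one new outbound connection from a honeypot."""
        # 1. Inline IPS: a known attack payload leaving the honeynet is dropped outright.
        if any(sig in f.payload for sig in SIGNATURES):
            return "DROP:signature"

        # 2. Connection counting: drop once the honeypot exceeds its hourly budget.
        proto = f.proto if f.proto in LIMITS else "other"
        recent = self.conns.setdefault((f.src, proto), deque())
        while recent and f.ts - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                         # expire connections outside the window
        if len(recent) >= LIMITS[proto]:
            return "DROP:limit"

        # 3. Bandwidth throttling: cap bytes per second so a flood from inside stays small.
        second = int(f.ts)
        last_second, used = self.bytes_sent.get(f.src, (second, 0))
        if last_second != second:
            used = 0
        if used + len(f.payload) > BYTES_PER_SECOND:
            return "DROP:bandwidth"

        recent.append(f.ts)
        self.bytes_sent[f.src] = (second, used + len(f.payload))
        return "ACCEPT"


def simulate(flows) -> list:
    """Run a list of flows through a fresh DataControl and return the verdicts."""
    dc = DataControl()
    return [dc.decide(f) for f in flows]


if __name__ == "__main__":
    # Constructed traffic: a compromised honeypot scanning outward on TCP/445.
    flows = [Flow(1000.0 + i, "10.0.0.5", "tcp", f"192.0.2.{i}") for i in range(20)]
    for f, v in zip(flows, simulate(flows)):
        print(f.ts, f.dst, v)
```

The connection budget is deliberately small: an intruder who needs hundreds of outbound connections to scan or join a botnet is slowed to a crawl, while the first few connections are allowed so that the honeynet still looks real and the tools the intruder downloads can be captured.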

12
No Data Control
13
Data Control
14
Data Capture
  • Capture all activity at a variety of levels.
  • Network activity.
  • Application activity.
  • System activity.

15
Sebek
  • Hidden kernel module that captures all host
    activity (keystrokes and other read() data, even
    inside an encrypted session such as SSH).
  • Dumps the captured activity to the network.
  • The module hides its own packets from sniffers on
    the honeypot by magic number and destination port,
    so the attacker cannot see the captured data
    leaving the host.
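A simplified model of the export-and-hide mechanism, added here as an illustration and not Sebek's own code: the kernel module emits one record per intercepted read(), a filter on the honeypot suppresses anything carrying the magic number to the agreed port, and the collector on the Honeywall reassembles the records into the typed command line. The record layout is a reduced version of Sebek's header, and the magic value and UDP port are assumptions of this example.

```python
"""Simplified model of Sebek's export-and-hide mechanism.  Added illustration,
not Sebek code: the header below is a reduced version of Sebek's record header
and the magic value and UDP port are assumptions of this example."""
import struct

SEBEK_MAGIC = 0xD0D0D0D0            # assumed magic number shared by module and collector
SEBEK_DST_PORT = 1101               # assumed UDP destination port for exported records
HEADER = struct.Struct("!IHHIIII")  # magic, version, type, counter, pid, uid, data length
SEBEK_VERSION = 3
TYPE_READ = 0                       # data captured from a read() call, e.g. keystrokes


def build_record(counter: int, pid: int, uid: int, rtype: int, data: bytes) -> bytes:
    """What the kernel module emits for one intercepted read()."""
    return HEADER.pack(SEBEK_MAGIC, SEBEK_VERSION, rtype, counter, pid, uid, len(data)) + data


def parse_record(payload: bytes):
    """Collector side: decode one record, rejecting anything malformed."""
    if len(payload) < HEADER.size:
        return None
    magic, version, rtype, counter, pid, uid, length = HEADER.unpack_from(payload)
    if magic != SEBEK_MAGIC or version != SEBEK_VERSION:
        return None
    data = payload[HEADER.size:HEADER.size + length]
    if len(data) != length:
        return None
    return {"counter": counter, "pid": pid, "uid": uid, "type": rtype, "data": data}


def is_sebek(dst_port: int, payload: bytes) -> bool:
    """The test the module applies before a packet reaches a raw socket on the
    honeypot: magic number at the front and the agreed destination port."""
    return dst_port == SEBEK_DST_PORT and payload[:4] == SEBEK_MAGIC.to_bytes(4, "big")


def attacker_sniffer_view(packets):
    """What tcpdump run by the intruder on the honeypot shows: Sebek packets are
    filtered out of the raw-socket path, so only ordinary traffic remains."""
    return [(port, payload) for port, payload in packets if not is_sebek(port, payload)]


def honeywall_keystrokes(packets) -> bytes:
    """What the Honeywall collector reconstructs from the same wire: records
    ordered by counter and concatenated back into the typed command line."""
    records = [parse_record(p) for port, p in packets if is_sebek(port, p)]
    records = [r for r in records if r is not None and r["type"] == TYPE_READ]
    return b"".join(r["data"] for r in sorted(records, key=lambda r: r["counter"]))


# Constructed traffic: an intruder (pid 4242, root) typing "ls -la" in a shell,
# exported one keystroke per record and interleaved with a normal HTTP request.
PACKETS = [
    (SEBEK_DST_PORT, build_record(1, 4242, 0, TYPE_READ, b"l")),
    (SEBEK_DST_PORT, build_record(2, 4242, 0, TYPE_READ, b"s")),
    (80, b"GET / HTTP/1.0\r\n\r\n"),
    (SEBEK_DST_PORT, build_record(3, 4242, 0, TYPE_READ, b" -la\n")),
    (SEBEK_DST_PORT, b"\x00\x00\x00\x00junk"),  # right port, wrong magic: not Sebek, stays visible
]

if __name__ == "__main__":
    print("attacker sees:", attacker_sniffer_view(PACKETS))
    print("honeywall reconstructs:", honeywall_keystrokes(PACKETS))
```

The caveat the slide implies: the hiding works only against sniffers on the honeypot itself. Anyone with a tap elsewhere on the segment (or the Honeywall) sees the records in clear, which is why the Honeywall's own capture interface has no IP address and the Sebek traffic never leaves the honeynet.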

16
Sebek Architecture
17
Honeywall CDROM
  • Attempt to combine all requirements of a
    Honeywall onto a single, bootable CDROM.
  • May, 2003 - Released Eeyore
  • May, 2005 - Released Roo

18
Roo Honeywall CDROM
  • Based on Fedora Core 3
  • Vastly improved hardware and international
    support.
  • Automated, headless installation
  • New Walleye interface for web based
    administration and data analysis.
  • Automated system updating.

19
Installation
  • Just insert the CDROM and boot; it installs to the
    local hard drive.
  • After it reboots for the first time, it runs a
    hardening script based on NIST and CIS security
    standards.
  • Following installation, you get a command prompt
    and the system is ready to configure.

20
Further Information
  • http://www.honeynet.org/
  • http://www.honeynet.org/book

21
Network Telescope
  • Also known as a darknet, Internet motion sensor
    or black hole.
  • Allows one to observe large-scale events taking
    place on the Internet.
  • The basic idea is to observe traffic targeting
    the dark (unused) address space of the network.
  • Since no legitimate traffic is ever sent to these
    addresses, everything that arrives is suspicious
    and gives information about possible network attacks:
  • random-scanning worms, and DDoS backscatter (replies
    from victims to spoofed packets that used the dark
    space as their source address),
  • as well as misconfigurations, which show up the
    same way.
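The classification a telescope operator applies is simple because the monitored block never has a legitimate destination: a SYN is a scan, a SYN-ACK or RST is backscatter from a victim whose attacker spoofed our addresses, and some UDP chatter is misconfiguration. The Python below is an added example (not from the presentation) that applies those rules to constructed packet records in a TEST-NET block and reports horizontal scanners and DDoS victims; the port list for misconfiguration and the scan threshold are assumptions.

```python
"""Classifier for packets arriving at a network telescope.  Added
illustration, not from the presentation; the monitored block and the packet
records are constructed (TEST-NET-2/3 addresses)."""
import ipaddress
from collections import Counter, defaultdict

DARK_SPACE = ipaddress.ip_network("203.0.113.0/24")   # unused block routed to the telescope
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
SCAN_THRESHOLD = 8                                    # distinct dark hosts from one source on one port


def classify(pkt: dict) -> str:
    """pkt: {"src", "dst", "proto", "flags" (tcp), "dport", "icmp_type"}.  Nothing
    legitimate is ever sent to dark space, so every class is abuse or error."""
    if ipaddress.ip_address(pkt["dst"]) not in DARK_SPACE:
        return "not-dark"
    if pkt["proto"] == "tcp":
        flags = pkt.get("flags", 0)
        if flags & TCP_SYN and not flags & TCP_ACK:
            return "scan"          # connection attempt to a host that does not exist
        if (flags & TCP_SYN and flags & TCP_ACK) or flags & TCP_RST:
            return "backscatter"   # reply to a spoofed SYN: a DDoS victim answering us
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") in (0, 3, 11):
        return "backscatter"       # echo reply / unreachable / TTL exceeded sent to a spoofed source
    if pkt["proto"] == "udp" and pkt.get("dport") in (137, 138, 1900):
        return "misconfiguration"  # NetBIOS / SSDP chatter leaking onto the Internet (assumed list)
    return "other"


def summarize(packets) -> dict:
    """Aggregate one capture: class counts, horizontal scanners and backscatter sources."""
    counts = Counter(classify(p) for p in packets)
    targets = defaultdict(set)   # (src, dport) -> dark hosts hit
    victims = Counter()          # sources of backscatter = hosts under a spoofed-source DDoS
    for p in packets:
        c = classify(p)
        if c == "scan":
            targets[(p["src"], p.get("dport"))].add(p["dst"])
        elif c == "backscatter":
            victims[p["src"]] += 1
    scanners = sorted((src, port, len(hosts))
                      for (src, port), hosts in targets.items() if len(hosts) >= SCAN_THRESHOLD)
    return {"counts": dict(counts), "scanners": scanners, "ddos_victims": dict(victims)}


def constructed_packets() -> list:
    """Sample capture: a worm-style sweep of TCP/445, SYN-ACK backscatter from a
    flooded web server, one NetBIOS leak, and one packet outside the dark block."""
    pk = []
    for i in range(1, 21):
        pk.append({"src": "198.51.100.7", "dst": f"203.0.113.{i}", "proto": "tcp",
                   "flags": TCP_SYN, "dport": 445})
    for i in range(30, 35):
        pk.append({"src": "192.0.2.80", "dst": f"203.0.113.{i}", "proto": "tcp",
                   "flags": TCP_SYN | TCP_ACK, "dport": 51000 + i})
    pk.append({"src": "198.51.100.9", "dst": "203.0.113.200", "proto": "udp", "dport": 137})
    pk.append({"src": "198.51.100.9", "dst": "192.0.2.1", "proto": "udp", "dport": 53})
    return pk


if __name__ == "__main__":
    print(summarize(constructed_packets()))
```

Note what the backscatter entry tells you: the source of the SYN-ACKs is not an attacker but a victim, and the count of distinct victims over time is how telescopes have been used to estimate the global rate of spoofed-source DDoS attacks.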

22
Honeytoken
  • Honeytokens are honeypots that are not computer
    systems.
  • Their value lies not in their use, but in their
    abuse.
  • As such, they are a generalization of such ideas
    as the honeypot and the canary values often used
    in stack protection schemes.
  • Honeytokens can exist in almost any form,
  • from a dead, fake account to a
  • database entry that would only be selected by
    malicious queries,
  • making the concept ideally suited to ensuring
    data integrity: any use of them is inherently
    suspicious, if not necessarily malicious.

23
Honeytoken
  • In general, they don't prevent any tampering with
    the data,
  • but instead give the administrator a further
    measure of confidence in the data's integrity.
  • An example of a honeytoken is a fake email
    address used to track whether a mailing list has
    been stolen.
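Both honeytokens from these two slides, the dead mailbox seeded into a mailing list and the database row no real query should return, together with the detector that turns any use of them into an alert. This is an added example, not from the presentation: the secret, the domain, the canary record and the log lines are all constructed. Deriving one address per distributed copy of the list (an HMAC of the copy's identifier) goes a step beyond the slide's single fake address, because it tells you which copy leaked.

```python
"""Two honeytokens and the detector that turns any use of them into an alert:
a dead mailbox seeded into each distributed copy of a mailing list, and a
canary row in a customer table.  Added example, not from the presentation;
the secret, domain, canary record and log lines are constructed."""
import hashlib
import hmac
import re
from typing import Optional

TOKEN_SECRET = b"rotate-this-secret"   # assumption: key from which the per-copy addresses are derived
TOKEN_DOMAIN = "example.org"

# A customer record that no legitimate lookup should ever return; its presence in a
# result set means someone dumped the table instead of querying a real customer.
CANARY_ROW = {"id": 4819211, "email": "harriet.canary@example.org"}


def mint_address(copy_id: str) -> str:
    """Derive a distinct mailbox for one recipient of the list.  The address is
    never used, so any message to it proves that this copy of the list leaked."""
    tag = hmac.new(TOKEN_SECRET, copy_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"j.{tag}@{TOKEN_DOMAIN}"


def which_copy(addr: str, copy_ids) -> Optional[str]:
    """Map an observed recipient back to the list copy it was planted in."""
    for copy_id in copy_ids:
        if hmac.compare_digest(mint_address(copy_id), addr.strip().lower()):
            return copy_id
    return None


SMTP_TO = re.compile(r"to=<([^>]+)>")


def scan_logs(smtp_log, result_log, copy_ids) -> list:
    """Return alerts for honeytoken use in an MTA log and a query-result audit log."""
    alerts = []
    for line in smtp_log:
        m = SMTP_TO.search(line)
        if m and (copy_id := which_copy(m.group(1), copy_ids)):
            alerts.append(("mailing-list-leak", copy_id, line))
    for line in result_log:
        if str(CANARY_ROW["id"]) in line or CANARY_ROW["email"] in line:
            alerts.append(("canary-row-returned", None, line))
    return alerts


# Constructed logs: spam arrives at partner-b's token; a bulk SELECT returned the canary.
COPIES = ["partner-a", "partner-b", "partner-c"]
SMTP_LOG = [
    f"Oct 3 10:12:01 mx postfix/smtpd: from=<deals@spam.example>, to=<{mint_address('partner-b')}>, status=accepted",
    "Oct 3 10:12:05 mx postfix/smtpd: from=<alice@example.net>, to=<bob@example.org>, status=accepted",
]
RESULT_LOG = [
    "2009-09-16T09:00:00 app=crm user=svc_report rows=1 ids=[10231]",
    f"2009-09-16T09:05:12 app=crm user=svc_report rows=50000 ids=[10231,10232,...,{CANARY_ROW['id']},...]",
]

if __name__ == "__main__":
    for kind, copy_id, line in scan_logs(SMTP_LOG, RESULT_LOG, COPIES):
        print(kind, copy_id or "-", line)
```

The detector never blocks anything, matching the slide's point: the token only raises confidence (or removes it) about the data's integrity. Use a constant-time comparison for the address match and keep the secret out of the list itself, otherwise a thief who reads the list can recognize and strip the tokens.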

24
Honeymonkey
  • HoneyMonkey, short for Strider HoneyMonkey Exploit
    Detection System, is a Microsoft Research client
    honeypot.
  • The implementation uses a network of computers
    to crawl the World Wide Web searching for
    websites that use browser exploits to install
    malware on the HoneyMonkey computer.
  • A snapshot of the memory, executables and
    registry of the honeypot computer is recorded
    before crawling a site.
  • After visiting the site, the state of memory,
    executables, and registry is compared to the
    previous snapshot.
  • The changes are analyzed to determine whether the
    visited site installed malware onto the honeypot
    computer.

25
Honeymonkey
  • HoneyMonkey is based on the honeypot concept,
    with the difference that it actively seeks out
    websites that try to exploit it.
  • The term was coined by Microsoft Research in
    2005.
  • With honeymonkeys it is possible to find
    security holes that aren't yet publicly known but
    are already being exploited by attackers.
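The snapshot-and-compare loop described on the two HoneyMonkey slides, reduced to something that runs here: hashes of a directory tree stand in for the executables on disk and a dict stands in for the registry, and the verdict uses HoneyMonkey's key observation that the monkey only browsed, so a new executable or a new autorun entry can only have come from the visited site. This is an added example, not Microsoft's code; the two "sites" and the registry paths used for the demo are constructed.

```python
"""Snapshot-and-compare as HoneyMonkey does it, reduced to what can run here:
hashes of a directory tree stand in for the executables on disk and a dict
stands in for the registry.  Added example, not Microsoft's code."""
import hashlib
import os
import tempfile

AUTORUN_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def snapshot_fs(root: str) -> dict:
    """Map every file under root to the SHA-256 of its contents."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def diff_state(before: dict, after: dict) -> dict:
    """Added / removed / modified keys between two snapshots (files or registry)."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def verdict(fs_diff: dict, reg_diff: dict) -> dict:
    """The monkey only browsed, so any new or changed executable, or any autorun
    entry, can only have been written by the visited site."""
    new_exe = [p for p in fs_diff["added"] + fs_diff["modified"]
               if p.lower().endswith(EXECUTABLE_SUFFIXES)]
    autorun = [k for k in reg_diff["added"] + reg_diff["modified"]
               if k.startswith(AUTORUN_PREFIXES)]
    return {"malicious": bool(new_exe or autorun), "new_executables": new_exe, "autorun_changes": autorun}


def visit_and_judge(root: str, registry: dict, visit) -> dict:
    """Snapshot, let visit(root, registry) play the browser, snapshot again, judge."""
    fs_before, reg_before = snapshot_fs(root), dict(registry)
    visit(root, registry)
    return verdict(diff_state(fs_before, snapshot_fs(root)), diff_state(reg_before, registry))


def exploit_site(root, registry):
    """Constructed drive-by: drops a binary and registers it to run at logon."""
    with open(os.path.join(root, "svchost32.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)
    registry[AUTORUN_PREFIXES[0] + r"\Updater"] = r"C:\Windows\svchost32.exe"


def benign_site(root, registry):
    """Constructed harmless page: leaves only browser cache behind."""
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html>hello</html>")


def demo() -> tuple:
    """Run both sites against a fresh throwaway system image; return both verdicts."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "kernel32.dll"), "wb") as fh:
            fh.write(b"MZ")
        registry = {AUTORUN_PREFIXES[0] + r"\OneCare": r"C:\Program Files\OneCare\oc.exe"}
        benign = visit_and_judge(root, dict(registry), benign_site)
        malicious = visit_and_judge(root, dict(registry), exploit_site)
    return benign, malicious


if __name__ == "__main__":
    for name, result in zip(("benign", "exploit"), demo()):
        print(name, result)
```

A real HoneyMonkey also diffed memory and ran the same URL through a series of progressively less patched virtual machines; a site that infected an unpatched VM but not a fully patched one was exploiting a known bug, while one that infected the fully patched VM pointed at an unknown hole, which is the zero-day case the last slide mentions.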

26
Tarpit
  • A tarpit (also known as Teergrube, the German
    word for tar pit) is a service on a computer
    system (usually a server) that delays incoming
    connections for as long as possible.
  • The technique was developed as a defense against
    a computer worm, and
  • the idea is that network abuses such as spamming
    or broad scanning are less effective if they take
    too long.
  • The name is analogous with a tar pit, in which
    animals get bogged down and slowly sink under
    the surface.
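An application-layer tarpit of the kind used against spammers, added here as an illustration and not taken from the presentation: the server drips its SMTP banner one byte at a time, so a client that wants to deliver mail stays bound to the connection for the whole banner before it can even say HELO. The banner text and the delay are constructed; TCP-level tarpits (the worm defence the slide refers to) achieve the same effect lower down by answering SYNs and then advertising a zero or tiny receive window.

```python
"""An application-layer tarpit of the kind spam tarpits use: the server drips
its SMTP banner one byte at a time so the client stays bound to the connection.
Added example, not from the presentation; banner and timings are constructed."""
import socket
import threading
import time

BANNER = b"220-tarpit.example.net ESMTP ready, please wait\r\n"


def drip(conn: socket.socket, data: bytes, delay: float) -> int:
    """Send data one byte at a time with a pause after each byte.  The client
    is held for len(data) * delay seconds; returns the number of bytes sent."""
    sent = 0
    for byte in data:
        try:
            conn.sendall(bytes([byte]))
        except OSError:          # client gave up: that is the point of the exercise
            break
        sent += 1
        time.sleep(delay)
    return sent


def tarpit_session(conn: socket.socket, delay: float) -> int:
    """Serve one connection: stutter the banner, then close.  A production tarpit
    keeps emitting '220-' continuation lines for as long as the client stays."""
    try:
        return drip(conn, BANNER, delay)
    finally:
        conn.close()


def measure(delay: float) -> tuple:
    """Connect a client to the tarpit over a socketpair; return what the client
    received and how long it was held."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=tarpit_session, args=(server, delay))
    start = time.monotonic()
    worker.start()
    received = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:            # server closed: session over
            break
        received += chunk
    worker.join()
    client.close()
    return received, time.monotonic() - start


if __name__ == "__main__":
    # One second per byte is a realistic production setting; use a small delay to try it.
    got, held = measure(0.02)
    print(f"client held for {held:.2f}s to receive {len(got)} bytes")
```

The cost to the defender is one idle socket per trapped client, while the sender's delivery throughput collapses, which is the asymmetry the slide's "less effective if they take too long" refers to. Put a cap on concurrent sessions so a scanner cannot turn the tarpit into a resource-exhaustion attack on the server itself.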