The Honeynet Project: Trapping the Hackers (Lance Spitzner, Sun Microsystems)
1
The Honeynet Project: Trapping the Hackers
Lance Spitzner, Sun Microsystems
Presented by Vikrant Karan
2
Outline
  • The Honeynet Project
  • Honeypots: Not just for bears anymore
  • Different kinds of honeynets
  • What the honeynet collects
  • The legal ramifications of operating a honeypot
  • Conclusion

3
The Honeynet Project
  • Questions facing security professionals:
    • What specific threats do computer networks face from hackers?
    • Who is perpetrating these threats, and how?

4
The Honeynet Project
  • The Honeynet Project is an organization dedicated
    to answering these questions. It studies the bad
    guys and shares the lessons learned. The group
    gathers information by deploying networks (called
    honeynets) that are designed to be compromised.

5
The Honeynet Project
  • A security-research organization dedicated to learning the black-hat community's tools, tactics, and motives, and then sharing any lessons learned.
  • The organization comprises international security professionals who volunteer their time and resources to deploy networks (honeynets) that are designed to be attacked.
  • The team then analyzes the information collected from these attacks.

6
The Honeynet Project
  • Began in 1999 as an informal mailing list of a small group of individuals.
  • Officially declared in June 2000.
  • Board of directors includes Bruce Schneier, George Kurtz, Elias Levy, and Jennifer Granick.
  • Honeynet Research Alliance members include organizations in Brazil, Greece, India, Mexico, Ireland, and the United States.

7
Four phases of the Honeynet Project
  • Phase 1
    • Began in 1999 and lasted two years.
    • GenI (first-generation) honeynets acted as a proof of concept.
    • Successfully captured automated attacks such as autorooters and worms.

8
Four phases of the Honeynet Project
  • Phase 2
    • Began in 2002 and will continue for two years.
    • GenII honeynets will feature more advanced methods to monitor and control attackers' activities.
    • Published three papers and deployed the first wireless honeynet in 2002 in Washington, DC.
    • Improved, easier-to-deploy solutions.

9
Four phases of the Honeynet Project
  • Phase 3
    • Begins in 2003 and should last approximately one year.
    • Puts GenII technology onto a bootable CD-ROM.
    • Organizations only need to boot the CD-ROM to get honeynet functionality.
    • Allows all captured activity to be logged in a centralized database.

10
Four phases of the Honeynet Project
  • Phase 4
    • Will begin in 2004.
    • Goal: develop a centralized data collection system that correlates data from multiple distributed honeynets, plus user interfaces to analyze the data.
    • Two interfaces selected:
      • A local interface on each honeynet to analyze its own data.
      • A central interface to analyze data collected from multiple honeynets and store it all in a single database.

11
Honeypots: Not just for bears anymore
  • A security resource whose value lies in being probed, attacked, or compromised.
  • If any packet or any interaction is attempted with your honeypot, it is most likely a probe, scan, or attack.
  • Honeypots get little traffic, but what they do get is of high value.
  • Disadvantages
    • Limited field of view: they capture only activity directed at them, so they miss attacks directed at other servers.
    • A compromised honeypot may be used to attack other systems.

12
Categories of honeypots
  • Production honeypots
    • Protect the organization.
    • Directly increase resource security.
    • Help organizations prevent, detect, or respond to attacks.
  • Research honeypots
    • Gather information on attackers.
    • Distributed research honeypots can gather information on a global scale.
  • Production honeypots are easier to deploy but capture less information on attackers.

13
Data capture and data control system
  • Data capture ensures that you can detect and capture all the attacker's activities, even if they are obfuscated or encrypted.
  • Data control's purpose is to reduce risk: it ensures that once an attacker breaks into your honeynet's systems, those compromised systems cannot be used to attack or harm other systems.

14
Different kinds of honeynets
  • A honeynet is essentially a research honeypot; its purpose is to collect information on attackers.
  • It uses real systems and applications.
  • Gen 1 honeynet

15
Gen 1 honeynet
16
Gen 1 honeynet (contd.)
  • A honeynet is a contained environment in which you can watch everything happening.
  • Positioned in this environment are the target systems (highlighted in yellow in the figure).
  • Data control counts the number of outbound connections.
  • Systems may initiate a set number of outbound connections; any further connections are blocked once the limit is met.
  • Useful for blocking denial-of-service attacks, scans, or other malicious activity.
  • But it still gives the attacker room to attack.
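The outbound connection limit described on this slide, written out as an added example (not the Honeynet Project's code). It models the GenI data-control rule: traffic into the honeynet is always allowed, and each honeypot may open a fixed number of outbound connections before further ones are blocked. The honeypot addresses, the limit of 5 and the flow records are constructed for illustration.

```python
"""Outbound connection limiting in the GenI data-control style.

Added example, not Honeynet Project code. Honeypot addresses, the limit
and the flow records are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass
class OutboundLimiter:
    """Allows each honeypot a fixed number of outbound connections, then blocks."""
    honeypots: FrozenSet[str]
    limit: int
    counts: Dict[str, int] = field(default_factory=dict)

    def decide(self, src: str, dst: str) -> str:
        if src not in self.honeypots:
            return "ALLOW"  # inbound traffic: the attacker is meant to get in
        if dst in self.honeypots:
            return "ALLOW"  # honeypot-to-honeypot traffic is not outbound
        used = self.counts.get(src, 0)
        if used >= self.limit:
            return "BLOCK"  # limit reached: contain the compromised host
        self.counts[src] = used + 1
        return "ALLOW"


def run_flows(flows: List[Flow], honeypots: FrozenSet[str],
              limit: int) -> List[Tuple[Flow, str]]:
    """Apply the limiter to a sequence of new connections, in order."""
    limiter = OutboundLimiter(honeypots, limit)
    return [(flow, limiter.decide(flow[0], flow[1])) for flow in flows]


# Constructed honeynet: two honeypots in a private range.
HONEYPOTS = frozenset({"10.0.0.10", "10.0.0.11"})

# Constructed connection records: one inbound, one lateral, then a burst of
# outbound connections from the first honeypot and one from the second.
SAMPLE_FLOWS: List[Flow] = (
    [("203.0.113.5", "10.0.0.10", 22), ("10.0.0.10", "10.0.0.11", 445)]
    + [("10.0.0.10", f"198.51.100.{i}", 80) for i in range(1, 8)]
    + [("10.0.0.11", "198.51.100.1", 53)]
)

if __name__ == "__main__":
    for flow, verdict in run_flows(SAMPLE_FLOWS, HONEYPOTS, limit=5):
        print(f"{verdict:5} {flow[0]} -> {flow[1]}:{flow[2]}")
```

With a limit of 5, the first five outbound connections from 10.0.0.10 pass and the sixth and seventh are blocked, while 10.0.0.11 keeps its own counter. The five that pass are exactly the "room to attack" the slide warns about: a connection limit bounds the damage but does not inspect what leaves.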

17
Gen 2 honeynet
18
Gen 2 honeynet (contd.)
  • All traffic going to and from the honeynet systems is forced to flow first through an "invisible" layer-two bridge.
  • This bridge lets the bad guys come in, but it controls what they can do on their way out.
  • The layer-two bridging device (called the honeynet sensor in the figure) isolates and contains the systems in the honeynet.
  • It allows outbound activity while removing the ability to harm.
  • A second layer of data control is an IPS (intrusion prevention system) gateway.

19
Snort inline
  • An open-source IDS technology.
  • Instead of blocking detected outbound attacks, we modify and disable them.
  • One risk is the chance that the IDS gateway will not detect a new or obfuscated attack.

20
Snort inline example
21
Snort inline (contd.)
  • A Snort-Inline signature used to modify and disable a known DNS attack using the replace option.
  • Highlighted in bold is the command used to modify and disable the attack.
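The modify-and-disable idea behind the replace option, as an added example that is neither Snort code nor the DNS signature from the slide (which is only shown as a figure). A rule names a byte pattern and a same-length replacement; a matching outbound payload is rewritten in place and an alert is raised, while a payload without the exact bytes passes untouched, which is the obfuscation risk slide 19 names. The rule and the payload are constructed.

```python
"""Inline payload modification in the style of Snort-Inline's replace option.

Added example, not Snort or Honeynet Project code. The rule contents and the
packet payload are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ReplaceRule:
    sid: int
    msg: str
    content: bytes  # byte pattern to look for in the payload
    replace: bytes  # bytes written over the match

    def __post_init__(self) -> None:
        # The replacement must be exactly as long as the match so the rewritten
        # packet keeps its length, offsets and sequence numbering intact.
        if not self.content:
            raise ValueError(f"sid {self.sid}: empty content")
        if len(self.content) != len(self.replace):
            raise ValueError(f"sid {self.sid}: content/replace length mismatch")


def apply_rules(payload: bytes, rules: List[ReplaceRule]) -> Tuple[bytes, List[str]]:
    """Rewrite every occurrence matched by each rule; return payload and alerts.

    Replacing all occurrences is this example's choice; an unmatched payload is
    returned unchanged with no alert.
    """
    alerts: List[str] = []
    for rule in rules:
        if rule.content in payload:
            payload = payload.replace(rule.content, rule.replace)
            alerts.append(f"[{rule.sid}] {rule.msg}")
    return payload, alerts


# Constructed rule: neutralise a shell path carried in an outbound payload by
# pointing it at a path that does not exist.
RULES = [ReplaceRule(1000001, "outbound /bin/sh disabled", b"/bin/sh", b"/ben/sh")]

# Constructed outbound payload (shape only, not a captured attack).
SAMPLE_PAYLOAD = b"prefix\x00/bin/sh\x00suffix"

if __name__ == "__main__":
    rewritten, alerts = apply_rules(SAMPLE_PAYLOAD, RULES)
    print(rewritten, alerts)
```

Because the payload length never changes, the sensor only has to recompute the transport checksum before forwarding; a length-changing rewrite would also have to fix up TCP sequence numbers for the rest of the connection.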

22
Data capture elements
  • Layer 1: The IDS gateway that identifies and blocks attacks also passively sniffs every packet and its full payload on the network.
  • Layer 2: The firewall log; the packet-filtering mechanism blocks outbound connections once a connection limit is met.
  • Layer 3: Capturing the attacker's keystrokes and activity on the system itself.

23
Data capture elements
  • The Honeynet Project has developed kernel modules to insert into target systems.
  • These capture all the attacker's activities, such as encrypted keystrokes or scp transfers.
  • The IDS gateway captures and dumps all the data generated by the attackers without letting the attacker know.
  • Multiple layers of data capture help ensure that we gain a clear perspective of the attacker's activities.

24
Examples
  • The Honeynet Project has actively deployed different types of operating systems in its honeynets:
  • Solaris-, OpenBSD-, Linux-, and Windows-based honeypots.
    • Windows: worms or simple automated attacks, such as scans for open shares or pop-ups.
    • Linux: commonly known vulnerabilities and automated attack tools, such as TESO's wu-ftpd massrooter.
    • Solaris and OpenBSD: more advanced or interesting attacks, such as the use of IPv6 tunneling.

25
What the honeynet collects
  • Data captured in Jan 2002: a captured IP protocol 11 packet sent to the hacked honeypot. The command is encoded to obfuscate its purpose.

26
Captured data
27
Decoded Packet
28
Figure explanation
  • An example of how commands were remotely sent to the hacked system.
  • The actual command being executed on the remote system.
  • The attacker is telling our hacked honeypot to download a tool from another hacked site, run the tool, and then delete the downloaded binary.
  • In this case, the tool was used to proxy IRC sessions.
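The slides 25 to 28 describe a packet with IP protocol number 11 carrying an encoded command to a compromised honeypot. The decoding itself is only in the figure, but the first step of any capture layer is the same: parse the IPv4 header and notice a protocol number the network never normally uses. The following added example (not Honeynet Project code) builds a constructed packet with protocol 11, parses it with a checksum check, and flags it because only ICMP, TCP and UDP are expected. The addresses and the placeholder payload are constructed; the slide's encoded command is not reproduced.

```python
"""Parse a captured IPv4 header and flag an unexpected protocol number.

Added example, not Honeynet Project code. Addresses and payload are
constructed for illustration.
"""
import socket
import struct
from typing import Dict, FrozenSet

# IANA protocol numbers (subset). 11 is NVP-II, which a typical server
# network never uses, so it stands out in capture data.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 11: "NVP-II", 17: "UDP", 41: "IPv6", 47: "GRE"}
EXPECTED_PROTOCOLS: FrozenSet[int] = frozenset({1, 6, 17})

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte fixed header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words, inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet; used here only to construct sample input."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Decode the fixed header, rejecting truncated or non-IPv4 input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        # Summing the header with its stored checksum yields 0 when intact.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def unexpected_protocol(parsed: Dict[str, object],
                        expected: FrozenSet[int] = EXPECTED_PROTOCOLS) -> bool:
    """True when the packet uses a protocol the honeynet does not normally see."""
    return parsed["protocol"] not in expected


# Constructed sample: protocol 11 toward a honeypot, with a placeholder payload.
SAMPLE_PACKET = build_ipv4(11, "203.0.113.7", "10.0.0.10", b"constructed payload")

if __name__ == "__main__":
    info = parse_ipv4(SAMPLE_PACKET)
    verdict = "FLAG" if unexpected_protocol(info) else "ok"
    print(verdict, info["src"], "->", info["dst"],
          f"proto={info['protocol']} ({info['protocol_name']})")
```

A packet like this would be invisible to a capture layer that only follows TCP and UDP streams, which is why layer 1 sniffs every packet with its full payload rather than a protocol-filtered subset.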

29
The legal ramifications of operating a honeypot
  • Three legal issues need to be considered:
    • Take into account the laws that restrict your right to monitor user activities on your system.
    • Recognize and address the risk that attackers will misuse your honeypot to harm others.
    • A defendant could argue that your undercover server entrapped him or her.

30
Monitoring users
  • Monitoring can be made improper by statutes (state and federal), privacy or employment policies, and terms-of-service agreements.
  • Honeypots monitor user traffic, so they should be designed carefully.

31
Limitations in the US Constitution and federal statutes
  • Fourth Amendment: It can restrict monitoring, and evidence obtained from monitoring in violation of the Constitution can be suppressed at trial.
  • Wiretap Act: It forbids anyone from intercepting communications unless one of the exceptions listed in the act applies.
  • Patriot Act: Expressly authorizes warrantless monitoring of hackers by the government in certain situations.

32
Limitations in the US Constitution and federal statutes (contd.)
  • Harming others: Pay attention to your honeypot to reduce the risk that it will be used for illegal purposes.
  • Entrapment: This issue has been overstated by critics.

33
Conclusion
  • Honeynet technology collects valuable information that can help avoid security risks.
  • Honeynets' real potential will not be realized until organizations can effectively deploy multiple honeynets and correlate the information they collect.
  • A bootable CD-ROM will make honeynets much easier to deploy and will standardize the information they collect.