Title: The Honeynet Project: Trapping the Hackers Lance Spitzner, Sun Microsystems
1 The Honeynet Project: Trapping the Hackers
Lance Spitzner, Sun Microsystems
Presented by Vikrant Karan
2 Outline
- The Honeynet Project
- Honeypots: not just for bears anymore
- Different kinds of honeynets
- What the honeynet collects
- The legal ramifications of operating a honeypot
- Conclusion
3 The Honeynet Project
- A few questions facing security professionals:
- What specific threats do computer networks face from hackers?
- Who is perpetrating these threats, and how?
4 The Honeynet Project
- The Honeynet Project is an organization dedicated
to answering these questions. It studies the bad
guys and shares the lessons learned. The group
gathers information by deploying networks (called
honeynets) that are designed to be compromised.
5 The Honeynet Project
- A security-research organization dedicated to learning the black-hat community's tools, tactics, and motives, and then sharing any lessons learned.
- The organization comprises international security professionals who volunteer their time and resources to deploy networks (or honeynets) that are designed to be attacked.
- The team then analyzes the information collected from these attacks.
6 The Honeynet Project
- Began in 1999 as an informal mailing list of a small group of individuals
- Officially declared in June 2000
- Board of directors includes Bruce Schneier, George Kurtz, Elias Levy, and Jennifer Granick
- The Honeynet Research Alliance includes organizations in Brazil, Greece, India, Mexico, Ireland, and the United States
7 Four phases of the Honeynet Project
- Phase 1
- Began in 1999 and lasted two years
- Gen I, the first-generation honeynet, acted as a proof of concept
- Successfully captured automated attacks such as autorooters and worms
8 Four phases of the Honeynet Project
- Phase 2
- Began in 2002 and will continue for two years
- Gen II honeynets will feature more advanced methods to monitor and control attackers' activities
- Published three papers and deployed the first wireless honeynet in 2002 in Washington, DC
- More improved and easier-to-deploy solutions
9 Four phases of the Honeynet Project
- Phase 3
- Begins in 2003 and should last approximately one year
- Apply Gen II technology to a bootable CD-ROM
- Organizations only need to boot the CD-ROM to get honeynet functionality
- It allows all captured activity to be logged to a centralized database
10 Four phases of the Honeynet Project
- Phase 4
- Will begin in 2004
- Goal: develop a centralized data collection system that correlates data from multiple distributed honeynets, together with user interfaces to analyze them
- Two interfaces selected:
- One local to each honeynet, to analyze its own data
- One to analyze data collected from multiple honeynets and store all of it in a single database
11 Honeypots: not just for bears anymore
- A security resource whose value lies in being probed, attacked, or compromised
- If any packet or interaction is attempted with your honeypot, it is most likely a probe, scan, or attack
- Honeypots get little traffic, but what they do get is of high value
- Disadvantages:
- Limited field of view: they only capture activity directed at them, thus missing attacks directed at other servers
- A compromised honeypot may be used to attack other systems
12 Categories of honeypots
- Production honeypots
- Protect the organization
- Directly increase resource security
- Help organizations prevent, detect, or respond to attacks
- Research honeypots
- Gather information on attackers
- Distributed research honeypots can gather information on a global scale
- Production honeypots are easier to deploy but capture less information on attackers
13 Data capture and data control system
- Data capture ensures that you can detect and capture all of the attacker's activities, even if they are obfuscated or encrypted
- Data control's purpose is to reduce risk: it ensures that once an attacker breaks into your honeynet's systems, those compromised systems cannot be used to attack or harm other systems
14 Different kinds of honeynets
- A honeynet is essentially a research honeypot: its purpose is to collect information on attackers
- It uses real systems and applications
- Gen I honeynet
15 Gen I honeynet (figure slide)
16 Gen I honeynet (contd.)
- A honeynet is a contained environment in which you can watch everything happening
- Positioned in this environment are the target systems (highlighted in yellow in the figure)
- The firewall counts the number of outbound connections
- Systems may initiate a certain number of outbound connections; any further links are blocked once the limit is met
- Useful for blocking denial-of-service attacks, scans, or other malicious activity
- But it gives the attacker more room to attack
17 Gen II honeynet (figure slide)
18 Gen II honeynet (contd.)
- All traffic going to and from the honeynet systems is forced to first flow through an "invisible" layer-two bridge
- This bridge lets the bad guys come in, but it controls what they can do on their way out
- The layer-two bridging device (called the honeynet sensor in the figure) isolates and contains the systems in the honeynet
- It allows outbound activity while removing the ability to harm
- A second layer of data control: an IPS (intrusion prevention system) gateway
19 Snort inline
- An open-source IDS technology
- Instead of blocking detected outbound attacks, we modify and disable them
- One risk is the chance that the IDS gateway will not detect a new or obfuscated attack
20 Snort inline example (figure slide)
21 Snort inline (contd.)
- A Snort-Inline signature used to modify and disable a known DNS attack using the replace option
- Highlighted in bold in the figure is the command used to modify and disable the attack
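A model of what the replace option does on the IPS gateway, including the risk named above (an obfuscated variant passes untouched), as an added example; this is not the Project's signature or Snort-Inline's code, and the rule bytes and packets are constructed stand-ins for a real exploit signature:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReplaceRule:
    """One Snort-Inline style rule: when CONTENT is seen in a packet leaving
    the honeynet, overwrite it in place with REPLACE and still forward it."""
    msg: str
    content: bytes
    replace: bytes


def rule_is_valid(rule):
    """An in-place rewrite must keep the packet length: changing it would
    force the gateway to fix TCP sequence numbers and checksums as well."""
    return len(rule.content) > 0 and len(rule.content) == len(rule.replace)


# Constructed rule, not the Project's signature: the bytes stand in for the
# part of a known exploit payload that the gateway wants to neutralise.
RULES = [ReplaceRule("DNS EXPLOIT (constructed)", b"/bin/sh", b"/ben/sh")]


def gateway_rewrite(payload, rules=RULES):
    """Model of the IPS gateway's data control: return (forwarded payload,
    alerts). Packets no rule matches pass unchanged, which is exactly how an
    attack the gateway does not know gets through."""
    for r in rules:
        if not rule_is_valid(r):
            raise ValueError(f"rule {r.msg!r}: content and replace lengths differ")
    alerts = []
    for r in rules:
        if r.content in payload:
            payload = payload.replace(r.content, r.replace)  # all occurrences
            alerts.append(r.msg)
    return payload, alerts


# Constructed packets: the known variant is disabled, but a byte-level
# variation the exact content match does not cover is forwarded as-is.
KNOWN = b"QUERY\x00" + b"/bin/sh" + b"\x00"
OBFUSCATED = b"QUERY\x00" + b"/bin//sh" + b"\x00"

if __name__ == "__main__":
    print(gateway_rewrite(KNOWN))       # (b'QUERY\x00/ben/sh\x00', ['DNS EXPLOIT (constructed)'])
    print(gateway_rewrite(OBFUSCATED))  # (b'QUERY\x00/bin//sh\x00', [])
```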
22 Data capture elements
- Layer 1: the IDS gateway that identifies and blocks attacks passively sniffs every packet and its full payload on the network
- Layer 2: the firewall log, a packet-filtering mechanism that blocks outbound connections once a connection limit is met
- Layer 3: capturing the attacker's keystrokes and activity on the system itself
23 Data capture elements
- The Honeynet Project has developed kernel modules to insert in target systems
- These capture all the attacker's activities, including encrypted keystrokes or scp sessions
- The IDS gateway captures and dumps all the data generated by the attackers without letting the attacker know
- Multiple layers of data capture help ensure that we gain a clear perspective on the attacker's activities
24 Examples
- The Honeynet Project has actively deployed different types of operating systems in its honeynets: Solaris-, OpenBSD-, Linux-, and Windows-based honeypots
- Windows: worms or simple automated attacks, such as scans for open shares or pop-ups
- Linux systems: commonly known vulnerabilities and automated attack tools, such as TESO's wu-ftpd massrooter
- Solaris and OpenBSD: more advanced or interesting attacks, such as the use of IPv6 tunneling
25 What the honeynet collects
- Data captured in January 2002: a captured IP protocol 11 packet sent to the hacked honeypot. The command is encoded to obfuscate its purpose
26 Captured data (figure slide)
27 Decoded packet (figure slide)
28 Figure explanation
- An example of how commands were remotely sent to the hacked system
- The decoded packet shows the actual command being executed on the remote system
- The attacker is telling our hacked honeypot to download a tool from another hacked site, run the tool, and then delete the downloaded binary
- In this case, the tool was used to proxy IRC sessions
29 The legal ramifications of operating a honeypot
- Three legal issues need to be considered:
- Take into account the laws that restrict your right to monitor user activities on your system
- Recognize and address the risk that attackers will misuse your honeypot to harm others
- A defendant could argue that your undercover server entrapped him or her
30 Monitoring users
- Monitoring can be made improper by statutes (state and federal), privacy or employment policies, and terms-of-service agreements
- Honeypots monitor user traffic, therefore they should be designed carefully
31 Limitations in the US Constitution and federal statutes
- Fourth Amendment: it can restrict monitoring, and evidence obtained from monitoring in violation of the Constitution can be suppressed at trial
- Wiretap Act: it forbids anyone from intercepting communications unless one of the exceptions listed in the act applies
- Patriot Act: expressly authorizes warrantless monitoring of hackers by the government in certain situations
32 Limitations in the US Constitution and federal statutes (contd.)
- Harming others: pay attention to your honeypot to reduce the risk that it will be used for illegal purposes
- Entrapment: this issue has been overstated by critics
33 Conclusion
- Honeynet technology collects valuable information that can help avoid security risks
- Honeynets' real potential will not be realized until organizations can effectively deploy multiple honeynets and correlate the information they collect
- A bootable CD-ROM will make honeynets much easier to deploy and will standardize the information they collect