Honeypots. Mathias Gibbens, Harsha vardhan Rajendran. April 22, 2012. PowerPoint PPT Presentation.



  1. Honeypots. Mathias Gibbens, Harsha vardhan Rajendran. April 22, 2012. (Slide 1 / 28)

  2. Outline
     1 Introduction
     2 History
     3 Types of honeypots
     4 Deception techniques using Honeypots
     5 Honeyd
     6 Service-specific honeypots
     7 Deployment strategies
     8 Pros / Cons
     9 Real life uses
     10 Improvements
     11 Conclusion

  3. Introduction
     1 What is a honeypot?
     2 What are the uses for a honeypot?

  4. Introduction
     Figure: The key characters in our drama.

  5. Introduction
     1 Example of a logged attack: http://goo.gl/phnI3

  6. History
     1 Origin of the name
     2 Early manual entrapment by the Military
     3 Cheswick at AT&T Bell:
       “I wanted to watch the cracker’s keystrokes, to trace him, learn his techniques, and warn his victims. The best solution was to lure him to a sacrificial machine and tap the connection. ... Though the Jail was an interesting and educational exercise, it was not worth the effort. It is too hard to get it right, and never quite secure. A better arrangement involves a throwaway machine with real security holes, and a monitoring machine on the same Ethernet to capture the bytes.”

  7. History
     Figure: Honeypot development milestones.

  8. Types of honeypots
     1 There are many ways to classify honeypots
     2 The most common is by the amount of interaction provided to the malicious user: high, medium, or low
     3 Other ways are by looking at the data collected and whether or not more than one honeypot is being used

  9. Types of honeypots: Interactive
     1 Low-interaction: emulates a single service; must be simple
     2 Medium-interaction: emulates a group of services that could be expected on a server
     3 High-interaction: full OS is presented to the attacker; most useful, but also most risky

  10. Types of honeypots: Type of data collected
     1 Various types of data can be collected:
       - Events
       - Attacks
       - Intrusions

  11. Types of honeypots: System configuration
     1 Stand-alone
     2 Honeyfarm presenting a unified appearance to the attacker

  12. Uses of honeypots
     1 Production environments to provide information and warning
     2 Security research trying to keep a step ahead of new attacks

  13. Uses of honeypots
     Figure: An example of an exposed honeypot.

  14. Honeypots as mobile code throttlers
     1 Principle: Infected machines make more connections than regular ones
     2 Sacrifice a few machines for the common good
     3 Prevents a virus from spreading across the network, but cannot save the system

  15. Honeypots as mobile code throttlers
     Figure: Virus throttling
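The throttling principle on slides 14 and 15, worked as an added example that is not part of the slides: a per-source connection throttle that lets connections to recently contacted destinations through, queues connections to new destinations and releases one per interval, and flags a source whose queue overflows as a likely infected machine. The working-set and queue sizes and the sample trace are constructed for the demo, not taken from the deck.

```python
from collections import deque

class ConnectionThrottle:
    """Per-source throttle: known destinations pass, new ones are queued and
    released one per interval; a source whose queue exceeds max_queue is flagged."""

    def __init__(self, working_set_size=4, max_queue=5):
        self.working_set_size = working_set_size
        self.max_queue = max_queue
        self.working_set = {}  # src -> deque of recently contacted destinations
        self.delay_queue = {}  # src -> deque of new destinations awaiting release
        self.flagged = set()   # sources that exceeded the queue limit

    def connect(self, src, dst):
        """Classify one connection attempt as 'pass', 'delayed' or 'blocked'."""
        ws = self.working_set.setdefault(src, deque(maxlen=self.working_set_size))
        q = self.delay_queue.setdefault(src, deque())
        if dst in ws:
            return "pass"      # familiar destination: normal behaviour
        if dst in q:
            return "delayed"   # already waiting, do not queue it twice
        if len(q) >= self.max_queue:
            self.flagged.add(src)  # far too many new destinations at once
            return "blocked"
        q.append(dst)
        return "delayed"

    def tick(self):
        """End of one interval: release one queued destination per source."""
        for src, q in self.delay_queue.items():
            if q:
                self.working_set[src].append(q.popleft())

def run_trace(intervals, **kwargs):
    """Run per-interval batches of (src, dst); return (throttle, {(src, verdict): n})."""
    t, counts = ConnectionThrottle(**kwargs), {}
    for batch in intervals:
        for src, dst in batch:
            key = (src, t.connect(src, dst))
            counts[key] = counts.get(key, 0) + 1
        t.tick()
    return t, counts

# Constructed trace: a workstation talking to two servers, and a host that
# suddenly contacts eight different machines within a single interval.
SAMPLE_TRACE = [
    [("10.0.0.5", "mail"), ("10.0.0.5", "web")]
    + [("10.0.0.9", "10.0.0.%d" % i) for i in range(20, 28)],
    [("10.0.0.5", "mail"), ("10.0.0.5", "web"), ("10.0.0.5", "mail")],
]
```

The normal host only ever sees its new destinations delayed for an interval, while the scanning host is blocked after its fifth new destination and lands in `flagged`; as slide 14 notes, this slows the spread but does not clean the infected machine.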

  16. Honeytokens (cost-effective honeypots)
     1 Reiterate Honeypot definition: an information system resource whose value lies in the unauthorized or illicit use of that resource.
     2 Honeytoken is a Honeypot which is not a computer, but a digital entity.
     3 Hospital DB example

  17. Honeytokens (cost-effective honeypots)
     Figure: Honeytoken
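A worked version of the hospital DB example on slide 16, added here and not taken from the slides: a decoy patient record seeded into a small SQLite database, with a query wrapper that audits every read and raises an alert when the decoy turns up in a result set. The table layout, record values and user names are constructed for the demo.

```python
import sqlite3

# Decoy patient record (constructed). A honeytoken must look like a real
# record, so it gets a plausible name, but no legitimate workflow ever
# references it: any query that returns it signals misuse.
HONEYTOKEN = (90001, "Vance, Eleanor", "ICU")

class HoneytokenAlert(Exception):
    """Raised when a query result contains the decoy record."""

def build_db():
    """In-memory hospital DB with constructed records plus the decoy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (patient_id INTEGER PRIMARY KEY,"
               " name TEXT, ward TEXT)")
    db.execute("CREATE TABLE access_log (who TEXT, rows_returned INTEGER,"
               " decoy_hit INTEGER, query TEXT)")
    db.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        (1001, "Doe, Jane", "Cardiology"),
        (1002, "Roe, Richard", "ICU"),
        HONEYTOKEN,
    ])
    return db

def query_patients(db, who, sql, params=()):
    """Run a read query for user `who`, audit it, and raise HoneytokenAlert
    if any returned row carries the decoy's id or name."""
    rows = db.execute(sql, params).fetchall()
    decoy_id, decoy_name = HONEYTOKEN[0], HONEYTOKEN[1]
    hit = any(decoy_id in row or decoy_name in row for row in rows)
    db.execute("INSERT INTO access_log VALUES (?, ?, ?, ?)",
               (who, len(rows), int(hit), sql))
    if hit:
        raise HoneytokenAlert(f"{who} retrieved the decoy record via: {sql}")
    return rows

def suspicious_users(db):
    """Users whose logged queries touched the decoy, for the analyst's queue."""
    cur = db.execute("SELECT DISTINCT who FROM access_log WHERE decoy_hit = 1")
    return [row[0] for row in cur.fetchall()]
```

A targeted lookup of a real patient never touches the decoy, while a ward-wide dump does and is logged against the user who ran it; only queries routed through the wrapper are audited, so direct database access would need a database-level audit log to be caught the same way.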

  18. Honeyd - Introduction
     1 Honeyd - Low interaction virtual honeypot
     2 Deception through simulation of network stack

  19. Honeyd - Architecture
     Figure: Honeyd architecture.

  20. Service-specific honeypots
     1 Simpler honeypots running for a specific service
     2 SSH honeypot (kippo)
     3 Logs interactions for later analysis
     4 Fairly safe to run on a computer, even if not dedicated
     5 This idea can be applied to other services as well

  21. Deployment strategies
     1 Sacrificial lamb
     2 Deception ports on production systems
     3 Proximity decoys
