Intrusion Detection with Honeypots
Claire O'Shea
COMP 290 – Spring 2005

Overview
■ Motivation
■ What is a honeypot?
■ Types of honeypots
■ What can you do with them?
■ Problems with honeypots

Overview
■ Examples of honeypots
  • "An Evening with Berferd"
  • Honeyd
  • Honeynets
■ Summary

Motivation
■ Key to effective intrusion detection is information
  • Learn more about past attacks
  • Detect currently occurring attacks
  • Identify new types of attacks
  • Do all this in real time

Motivation
■ Other methods we have seen for doing this:
  • Scan packets for specific signatures (signature-based detection)
  • Look for deviations from normal traffic (anomaly-based detection)

Motivation
■ Both these methods involve dealing with a very large data set!
  • Takes time to analyze
  • False positives and false negatives: hard to define what is "suspicious activity"
  • The relevant data may not even be recorded
  • Ex: Snort will not detect a shrew attack
■ This is where honeypots come in…
What is a honeypot?
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."
-- Lance Spitzner
■ Could be…
  • A password file on a remote machine
  • An Excel spreadsheet
  • An entry in a database
  • A computer on a network (this is the kind of honeypot we will talk about!)

What is a honeypot?
■ The basic idea: set up a "normal" but unused computer on your network
  • Nobody knows it's there, so it should get no legitimate network traffic
  • Any traffic it gets is malicious by definition
  • All interactions with the honeypot are logged

What is a honeypot?
■ Advantages of using a honeypot
  • Small, valuable data sets: no normal traffic, only attacks
  • Very few false positives or false negatives
  • Uses minimal resources
  • Easy to set up and use
  • Can capture new types of attacks
  • Can gather detailed information about attacks

Types of honeypots
■ To an attacker, a honeypot should always look like a normal computer – but what is it really?
  • It could actually be a normal computer
  • It could be a simulation of certain aspects of a computer
  • Different types of honeypots are useful for different purposes

Types of honeypots
■ Two basic categories:
  • Low-interaction honeypots
  • High-interaction honeypots

Low-interaction honeypots
■ Attacker interacts with a "simulated" computer
■ Many levels of simulation possible
  • Network stack
  • Services
  • Operating system
Low-interaction honeypots
■ Advantages
  • Very simple
  • Low-risk (attacker never gets into a real system)
  • Require very minimal resources
■ Disadvantages
  • Only collect limited information
  • Might not detect new types of attacks
  • Easy for attacker to detect

Low-interaction honeypots
■ One real machine can simulate a whole network of virtual honeypots
[Figure: Architecture of Honeyd, a low-interaction honeypot. Only the router and the Honeyd machine (10.0.0.2) are real computers!]

Low-interaction honeypots
■ Mostly used for intrusion detection on real networks
  • More specifics on this later
■ Examples of low-interaction honeypots
  • Specter
  • Honeyd
  • KFSensor

High-interaction honeypots
■ Real machines running real services
■ We assume that these machines will be compromised!
  • All interactions with the machines are monitored and logged, providing detailed information about what the attacker did

High-interaction honeypots
■ Two main requirements of this framework
  • Data Control – prevent the attacker from using the honeypots to harm other machines
  • Data Capture – record all the attacker's activities
  • Both of these should be invisible to the attacker!

High-interaction honeypots
■ Fishbowl analogy
  • Set up a framework that provides data logging and security (the fishbowl)
  • Within that framework, put machines that you want the attacker to interact with (the rocks, plants, etc.)
  • Watch how the attacker (the fish) interacts with the machines
High-interaction honeypots
■ Advantages
  • Capture a detailed profile of an attack
  • Can capture new types of attacks
■ Disadvantages
  • Difficult to set up a good high-interaction honeypot
  • May put other machines in your network at risk
  • Monitoring the honeypots is time-intensive

High-interaction honeypots
■ Mostly used for research
  • Georgia Tech runs a Honeynet
■ Generally not used for intrusion detection
  • Too expensive to set up and maintain
■ Examples of high-interaction honeypots
  • Symantec Decoy Server
  • Honeynets

Uses of honeypots
■ What can you do with a honeypot?
■ Intrusion detection/prevention
  • Lots of ways to use a honeypot as part of your security system
  • Most honeypot research is in this area
■ Attack analysis
  • Observe attackers' behavior and develop better tools to guard against it
  • Still a fairly new field!

Uses of honeypots
■ Decoys
  • Populate all unused addresses on your network with honeypots
  • Attacker has to waste time trying to attack the honeypots
  • Slows down the spread of worms
  • Slows down and annoys human attackers (maybe enough to make them go away?)

Uses of honeypots
■ Tarpits
  • Intended to slow an attacker down
  • LaBrea Tarpit
    • Allows attacker to open a TCP connection, then reduces window size to 0
    • Attacker can't get any data through, and can't close the connection
    • Connection uses up resources on the attacker's system

Uses of honeypots
■ Tarpits (continued)
  • Open mail relays
    • The honeypot offers an anonymous mail relay (which attracts spammers)
    • Responds very slowly to SMTP commands
    • Forces spammers to waste time interacting with the honeypot
    • Honeypot may pretend to forward the mail, but actually drop it
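The "decoys" and "intrusion detection" uses above rest on one observation from earlier slides: nobody is told a decoy address exists, so any flow to it is an alert. This added example (not code from the slides) turns that into a small detection routine over a constructed flow-log format; the subnet, the live-host list, the log lines and the scan threshold are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

def decoy_addresses(subnet: str, live_hosts: set[str]) -> set[str]:
    """Every usable address in `subnet` that no real host occupies becomes a
    honeypot address (network and broadcast addresses are left out)."""
    return {str(a) for a in ipaddress.ip_network(subnet).hosts()} - live_hosts

def parse_flow(line: str) -> dict:
    # Constructed flow-log format: ts src_ip src_port dst_ip dst_port proto
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def honeypot_alerts(log_lines, decoys: set[str], scan_threshold: int = 3):
    """Return (alerts, verdicts). A flow to a decoy is malicious by definition:
    nobody was told the address exists, so no legitimate client has a reason to
    talk to it. A source touching `scan_threshold` or more distinct decoys is
    labelled "scan" (worm or sweep); fewer is a "probe". Threshold is assumed."""
    alerts, touched = [], defaultdict(set)
    for line in log_lines:
        f = parse_flow(line)
        if f["dst"] in decoys:
            alerts.append(f)
            touched[f["src"]].add(f["dst"])
    verdicts = {src: ("scan" if len(d) >= scan_threshold else "probe")
                for src, d in touched.items()}
    return alerts, verdicts

# Constructed topology, loosely following the Honeyd figure: 10.0.0.1 is the
# router, 10.0.0.2 the Honeyd host, 10.0.0.10 a real server; the rest are decoys.
LIVE = {"10.0.0.1", "10.0.0.2", "10.0.0.10"}
DECOYS = decoy_addresses("10.0.0.0/28", LIVE)

SAMPLE_LOG = [  # constructed flows
    "2005-03-01T10:00:01 192.0.2.7 40001 10.0.0.10 80 tcp",    # real server: no alert
    "2005-03-01T10:00:02 198.51.100.9 3310 10.0.0.3 445 tcp",  # decoy
    "2005-03-01T10:00:02 198.51.100.9 3311 10.0.0.4 445 tcp",  # decoy
    "2005-03-01T10:00:03 198.51.100.9 3312 10.0.0.5 445 tcp",  # decoy -> scan
    "2005-03-01T10:00:09 203.0.113.4 5120 10.0.0.7 22 tcp",    # one decoy -> probe
]

if __name__ == "__main__":
    alerts, verdicts = honeypot_alerts(SAMPLE_LOG, DECOYS)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
    print(verdicts)
```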
Uses of honeypots
■ Automatic signature generation
  • Honeycomb – a plug-in for Honeyd
  • Detects patterns in the logged data, creates Snort and Bro signatures
  • Works fairly well with no human input, and much faster than manual signature generation

Uses of honeypots
■ Burglar alarms
  • When the honeypot is compromised, admins know that an attack is going on in their network
  • Honeypot logs provide detailed information about the attack
  • Some evidence (from GT Honeynet) that attacks can be predicted a few days in advance, based on abnormal activity on the honeypots

Uses of honeypots
■ Many more ways to use honeypots
  • Identify zero-day worms
  • Disrupt DDoS attacks
  • Monitor botnets
  • Etc…

Problems with honeypots
■ So what's wrong with honeypots?
  • Attacker may do bad things with the compromised system
  • Attacker may discover that the system is a honeypot
  • Legal concerns
  • Difficult to catch more intelligent attackers with honeypots

Problems with honeypots
■ Once a honeypot is compromised…
  • It may be used to attack other machines (on your network or elsewhere)
  • Preventing this should be the top priority of a honeynet – but no guarantees!
  • It may be used for criminal activity (ex. serving illegal files)
  • If any of this is detected, it will initially be blamed on you!

Problems with honeypots
■ What if the attacker detects the honeypot?
  • Detection before the attack
    • A smart attacker might check whether a machine is a honeypot before trying to compromise it
    • If the disguise fails at this stage, the honeypot is useless – we have not learned anything about the attacker
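The "automatic signature generation" slide describes Honeycomb's core step: find the longest byte string shared by payloads the honeypot captured on one port and wrap it in a Snort content rule. This added example (not Honeycomb's own code) does that over three constructed HTTP probes; the min_len threshold, the sid values and the rule message text are assumptions.

```python
from difflib import SequenceMatcher

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    m = SequenceMatcher(None, a, b, autojunk=False)
    blk = m.find_longest_match(0, len(a), 0, len(b))
    return a[blk.a:blk.a + blk.size]

def common_content(payloads: list[bytes]) -> bytes:
    """Greedy pairwise reduction: a substring common to every payload
    (Honeycomb likewise compares captured flows pairwise)."""
    common = payloads[0]
    for p in payloads[1:]:
        common = longest_common_substring(common, p)
    return common

def snort_content(data: bytes) -> str:
    # Snort content syntax: printable bytes literally, everything else as |hex| runs
    out, hexrun = [], []
    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()
    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '";|\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)

def make_snort_rule(payloads, dport: int, sid: int, min_len: int = 10):
    """Return a Snort rule, or None when the shared string is too short to be a
    safe signature: a short match such as "HTTP/1.0" would also hit benign traffic."""
    content = common_content(payloads)
    if len(content) < min_len:
        return None
    return (f"alert tcp $EXTERNAL_NET any -> $HOME_NET {dport} "
            f'(msg:"Honeypot-derived signature, port {dport}"; '
            f'content:"{snort_content(content)}"; sid:{sid}; rev:1;)')

# Constructed captures: three probes of the same CGI path, differing only in
# query id, Host and User-Agent (the kind of repetition a worm produces).
CAPTURED = [
    b"GET /cgi-bin/probe.cgi?id=1 HTTP/1.0\r\nHost: 10.0.0.3\r\nUser-Agent: w1\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?id=2 HTTP/1.0\r\nHost: 10.0.0.4\r\nUser-Agent: w2\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?id=7 HTTP/1.0\r\nHost: 10.0.0.5\r\nUser-Agent: w3\r\n\r\n",
]
```

Calling make_snort_rule(CAPTURED, 80, 1000001) yields a rule whose content is the shared request prefix; the min_len check is the place where a human reviewer would still want to confirm the string is specific enough before loading the rule.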
Problems with honeypots
  • Detection after the attack
    • The honeypot has still collected useful data!
    • If it is a burglar alarm, its work is done at this point; detection doesn't matter
    • If it is a research honeypot intended to gather long-term data on the attacker, detection is a big problem!
  • How will the attacker respond?
    • Abandon the honeypot
    • Disable its functionality (logging, etc.)
    • Introduce false information into the logs

Problems with honeypots
■ Legal concerns
  • Privacy – anybody interacting with the honeypot does not know that the interactions are being logged
    • This is OK if it is done for security reasons (Service Provider Protection)
    • Avoid logging certain things (ex. IRC servers)

Problems with honeypots
■ What kind of attackers can a honeypot catch?
  • It depends on the "bait" you use
  • Normal machines will mostly attract automated attacks
  • To catch specific threats (like credit card thieves) you need a honeypot that "looks" valuable to them!
  • This is very hard to do, so it's hardly ever done!

Problems with honeypots
■ Legal concerns
  • Liability – if your honeypot is used to attack someone else, can they sue you?
    • You intentionally allowed the attacker to get in, so you may be blamed
  • All this is speculation; honeypots are a new technology, so there are no precedents
  • But these concerns can make admins nervous about deploying honeypots!

Examples of honeypots
■ "Berferd"
■ Honeyd (a low-interaction honeypot)
■ Honeynets (a high-interaction honeypot)

"An Evening With Berferd"
■ The classic paper on honeypots: Bill Cheswick, "An Evening with Berferd: In Which a Cracker is Lured, Endured, and Studied." (1991)
  • Cheswick, a network admin at Bell Labs, detects an attacker trying to break into the system and decides to see what he does…