Honeypots. Security on Offense. by Kareem Sumner

Transcription

1 Honeypots Security on Offense by Kareem Sumner

2 Agenda Introduction What Are Honeypots? Objectives Successful Deployment Advantages And Disadvantages Types Of Honeypots Honeypot Software Future of Honeypots/Honeynets Analysis Legal Issues Conclusion Questions? June 5, 2003 Security Architecture

3 What Are Honeypots? Any device designed to attract intruders so that their activities can be monitored without risk to production systems or data (Honeypot Effectiveness Study) Entices blackhat attackers and examines them as they exploit vulnerabilities within the decoy system June 5, 2003 Security Architecture

4 Objectives Research Primarily to collect information on the blackhat community Act as counter-intelligence They try to find out who is the threat, why and how they attack, the tools used, and when they will likely attack again June 5, 2003 Security Architecture

5 Objectives Production Collect forensic evidence that can lead to the capture or prosecution of intruders System is taken offline for a full forensic analysis The information is given to law enforcement for prosecution June 5, 2003 Security Architecture

6 Types of Honeypots Port Monitors Simplest form of honeypot Listens for traffic on ports usually scanned by blackhats Deception Systems Responds to the intruder like a production server Multi-protocol Deception Systems Capable of having multi-protocols and banners to emulate software for different Operating Systems Full Systems Deployed strictly for deception Send alerts for exceptional conditions June 5, 2003 Security Architecture

7 Honeynets Similar to a research honeypot A network of multiple honeypot systems Uses multiple Operating Systems simultaneously More risky than a single honeypot More administrative overhead June 5, 2003 Security Architecture

8 Honeynets Data Control The activity of the intruder must be contained Prevent attacks on other production systems Data Capture Covertly captures all of the activity Data Collection (Distributed environment) Multiple honeynets connected together Combination of all data is centrally located June 5, 2003 Security Architecture

9 Deploying a Successful Honeypot Appear as generic as possible without any alterations to the operating system Not allow intruders to compromise production systems within the network or outside the network Contain real and interesting information to attract intruders long enough to track their moves Placed in the front of a firewall, in the DMZ (Demilitarization Zone), or behind a firewall June 5, 2003 Security Architecture

10 Advantages Act as deterrence to intruder attacks Produce forensic evidence that is admissible in a court of law Usually only accept hostile activity Reduces False Positives and Negatives Learn incident response to attacks Divert intruders from the production system Detect inside attacks June 5, 2003 Security Architecture

11 Disadvantages Used to compromise other systems Add complexity to a network Need maintenance like production systems Advertising honeypots of its existence may not deter intruders June 5, 2003 Security Architecture

12 Honeypot Software BackOfficer Friendly (Windows-Based) Very simple, low-interaction Sends out false replies to the intruder Specter Emulates services and a variety of OSes Honeyd (Unix Platform) Open Source honeypot Dynamically interact with intruders Emulates over 400 different OSes and thousands of different computers, simultaneously Mantrap A mid-high level interaction honeypot Create up to four sub-systems called jails June 5, 2003 Security Architecture

13 Honeypot Future GenII Honeynets Capture the activities of more sophisticated blackhats Manage data control, capture and collection on the same system More stealth in detection and have complete control over inbound and outbound traffic June 5, 2003 Security Architecture

14 Honeypot Future Virtual Honeynets Merge all of the essentials (data capture, control and collection) onto a single physical system Each honeypot acts as a separate OS nothing is emulated Cut costs and the amount of resources (systems and devices) needed to deploy a honeynet June 5, 2003 Security Architecture

15 Analysis Established policies Production or Research honeypot? Use a layered approach Firewall and Router (first layer) IDS (second layer) Honeypots (third layer) June 5, 2003 Security Architecture

16 Legal Issues Entrapment ( A person is entrapped when he is induced or persuaded by law enforcement officers or their agents to commit a crime that he had no previous intent to commit; and the law as a matter of policy forbids conviction in such a case Honeypots do not encourage criminal activity A compromised system used to attack other production systems either in the same network or over the Internet Privacy issues concerning the recording of the intruder s activities June 5, 2003 Security Architecture

17 Conclusion Honeypots are extremely useful as countermeasures from intruder attacks on systems One can learn the intent, the tools used and the possible vulnerabilities that exist in a production network The more complex the security measure, the more likely there will be vulnerabilities open to exploit The amount of risk involved stems from the type of honeypot, its deployment, and its complexity The best security measures are those that are well written, defined, and adhered to June 5, 2003 Security Architecture

18 Questions?