Friday, December 07, 2018 Honeypot ICT Infrastructure Sashan Kantonsspital Graubunden ICT Department.

Presentation transcript:


A honeypot is a computer system that is set up to act as a decoy to lure cyberattackers, and to detect, deflect or study attempts to gain unauthorized access to information systems.
Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering.
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

A honeypot is an intrusion detection technique used to study hackers' movements.

Virtual machine that sits on a network or a client
Goals
• Should look as real as possible!
• Should be monitored to see if it's being used to launch a massive attack on other systems
• Should include files that are of interest to the hacker

By level of interaction
• High (complex), e.g. SDS, Honeynets
• Low (limited), e.g. KFSensor, Specter, Honeyd
By implementation
• Virtual (simulated by other machines)
• Physical (real machines, own IP address)
By purpose
• Production
• Research

Interaction
Low-interaction honeypots
• They have limited interaction; they normally work by emulating services and operating systems
• They simulate only services that cannot be exploited to get complete access to the honeypot
• Attacker activity is limited to the level of emulation by the honeypot
• Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor

Interaction
High-interaction honeypots
• They are usually complex solutions as they involve real operating systems and applications
• Nothing is emulated; the attackers are given the real thing
• A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks
• Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets

Implementation
• Physical
  • Real machines
  • Own IP addresses
  • Often high-interaction
• Virtual
  • Simulated by other machines that:
    • Respond to the traffic sent to the honeypots
    • May simulate a lot of (different) virtual honeypots at the same time

What is honeypot security and how is it used?
• Outside of computing, honeypot security is often used to refer to “bait” of different kinds, designed to attract and then trap someone (or something). In the IT security world, it’s a system (usually a server, which can be a dedicated machine or may be running in a virtual machine) that is set up specifically to present an attractive target for hackers and attackers.
• When you have two or more honeypots that form a network or network segment, it’s called a honeynet.

Implementation
Honeypots and honeynets can be used in several different ways:

Implementation
• Security researchers use honeypot security and honeynets to observe and analyze types of attacks and learn more about attackers and attack methods.
• Law enforcement personnel use honeypot security and honeynets in “sting” operations, to collect forensics information to help track and catch cybercriminals and evidence used to prosecute them.
• Organizations use honeypot security and honeynets to divert attackers from their production networks and systems and to confuse or mislead them with false data.
• Honeypots can be valuable in detecting insider attacks as well as outside intrusions.

Production
• Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations
• Prevention
  • To keep the bad elements out
  • There are no effective mechanisms
  • Deception, deterrence, decoys do NOT work against automated attacks: worms, auto-rooters, mass-rooters
• Detection
  • Detecting the burglar when he breaks in
• Response
  • Can easily be pulled offline

Honeypots can be deployed in a variety of locations on a network. A honeypot outside the external firewall is useful for tracking attempts to scan or attack the internal network.... A honeypot can also be placed in a DMZ to trap attacks on the public-facing service.

Research
• Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
• Collect compact amounts of high-value information
• Discover new tools and tactics
• Understand motives, behavior, and organization
• Develop analysis and forensic skills

Advantages
• Small data sets of high value. Easier and cheaper to analyze the data
• Designed to capture anything thrown at them, including tools or tactics never used before
• Require minimal resources
• Work fine in encrypted or IPv6 environments
• Can collect in-depth information
• Conceptually very simple

Disadvantages
• Can only track and capture activity that directly interacts with them
• All security technologies have risk (legal issue)
• Building, configuring, deploying and maintaining a high-interaction honeypot is time consuming
• Difficult to analyze a compromised honeypot
• A high-interaction honeypot introduces a high level of risk
• Low-interaction honeypots are easily detectable by skilled attackers

Working of Honeynet – high-interaction honeypot
A Honeynet has 3 components:
• Data control
• Data capture
• Data analysis

Working of Honeyd – low-interaction honeypot
• Open source and designed to run on Unix systems
• Concept: monitoring unused IP space
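An added example, not part of the presentation and not Honeyd code, of the "monitoring unused IP space" concept: no production host lives on an unused address, so every connection to one is worth recording and can be summarised per source. The network range, allocated hosts, log format and sweep threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (assumptions for illustration only).
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOCATED = {ipaddress.ip_address(a)
             for a in ("192.0.2.1", "192.0.2.10", "192.0.2.20")}

# Constructed connection log, one record per line: "epoch src dst dport"
SAMPLE_LOG = """\
1544169600 198.51.100.7 192.0.2.10 443
1544169601 203.0.113.5 192.0.2.77 22
1544169602 203.0.113.5 192.0.2.78 22
1544169603 203.0.113.5 192.0.2.79 22
1544169604 198.51.100.9 192.0.2.200 3389
1544169605 198.51.100.7 192.0.2.1 53
garbage line
1544169606 203.0.113.5 10.0.0.5 22
"""

def is_dark(dst):
    """True when dst is in the monitored range but assigned to no real host."""
    return dst in MONITORED_NET and dst not in ALLOCATED

def parse(line):
    """Return (src, dst, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        int(parts[0])  # the timestamp must at least be numeric
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def dark_space_hits(log_text, sweep_threshold=3):
    """Summarise, per source, the traffic that touched unused addresses."""
    seen = defaultdict(lambda: {"targets": set(), "ports": set(), "events": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not is_dark(rec[1]):
            continue  # skip malformed lines and traffic to real hosts
        entry = seen[str(rec[0])]
        entry["targets"].add(rec[1])
        entry["ports"].add(rec[2])
        entry["events"] += 1
    return {src: {"events": e["events"],
                  "distinct_targets": len(e["targets"]),
                  "ports": sorted(e["ports"]),
                  # many distinct unused addresses from one source = sweep
                  "sweep": len(e["targets"]) >= sweep_threshold}
            for src, e in seen.items()}

if __name__ == "__main__":
    for src, info in dark_space_hits(SAMPLE_LOG).items():
        print(src, info)
```
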

Summary
Honeypot security is not a comprehensive solution. It doesn’t take the place of strong perimeter defenses, a network intrusion detection and prevention system, good multi-factor authentication, system-level and file-level access controls, and strong encryption for mission-critical and sensitive data.
It does provide a tool for greatly extending the amount of information you can gather about attempted and successful attacks beyond what an IDS can provide, and it can draw attackers away from your real resources and keep them occupied without doing harm to your production network.
Because an improperly configured honeypot security system could pose a high security risk to your network and other systems or be used as part of a botnet to attack other networks, you should follow best practices and consult both an IT professional with expertise in honeypot deployment and a legal advisor before going “live” with your honeypot.

Conclusion
• Not a solution!
• Can collect in-depth data which no other technology can
• Different from others: its value lies in being attacked, probed or compromised
• Extremely useful in observing hacker movements and preparing the systems for future attacks


Thank you
Q?