Honeypots and Honeynets A New Response to Cybercrime Analysis NAAG Seattle 04/14/03

Agenda The Honeynet Project The Honeynet Project The Enemy The Enemy Honeypot Basics Honeypot Basics Honeypots In Use Honeypots In Use Legal Implications Legal Implications

Honeynet Project Goals Awareness: To raise awareness of the different types of honeypots that exist Awareness: To raise awareness of the different types of honeypots that exist Information: To teach and inform about the application of honeypots Information: To teach and inform about the application of honeypots Research: To spur thought provoking discussion and help drive innovation and research in this emerging space Research: To spur thought provoking discussion and help drive innovation and research in this emerging space Learn and have fun!

The Threat is Real The blackhat community is extremely active The blackhat community is extremely active – 20+ unique scans a day (20/hour on UW network) – Fastest time honeypot manually compromised, 15 minutes: worm, 92 seconds – Default RH 6.2 life expectancy is 72 hours (fresh Windows 2000 install on UW network: 2 hours) – 100% - 900% increase of activity from 2000 to 2001 – Its only getting worse

Tier I The best of the best Ability to find new vulnerabilities Ability to write exploit code and tools Tier II IT savvy Ability to program or script Understand what the vulnerability is and how it works Intelligent enough to use the exploit code and tools with precision Tier III “Script Kiddies” Inexpert Ability to download exploit code and tools Very little understanding of the actual vulnerability ➢ Randomly fire off scripts until something works Know Your Enemy

Rising Attack Sophistication Black hats have the initiative; attack whatever they want, whenever they want Black hats have the initiative; attack whatever they want, whenever they want Public knows very little about the black hats (Who are they? How do they attack? Why?) Public knows very little about the black hats (Who are they? How do they attack? Why?) Arms races, and the bad guys are always ahead Arms races, and the bad guys are always ahead

Methodology One of the most common tactics seen is attacking targets of opportunity One of the most common tactics seen is attacking targets of opportunity –“Drive by shootings on the information superhighway” Scanning as many systems as possible and going for the easy kill Scanning as many systems as possible and going for the easy kill If only 1% of systems are vulnerable, and you scan over 1 million hosts, you can potentially hack into 10,000 systems If only 1% of systems are vulnerable, and you scan over 1 million hosts, you can potentially hack into 10,000 systems

What are they looking for? #!/bin/sh echo " Caut carti de credit si incerc sa salvez in card.log" touch /dev/ida/.inet/card.log egrep -ir 'mastercard|visa' /home|egrep -v cache >>card.log egrep -ir 'mastercard|visa' /var|egrep -v cache >>card.log egrep -ir 'mastercard|visa' /root|egrep -v cache >>card.log if [ -d /www ]; then egrep -ir 'mastercard|visa' /www >>card.log fi

Evolution Firewalls Firewalls – Early 90’s – Must have – deployed before anything else Intrusion Detection System (IDS) Intrusion Detection System (IDS) – Mid to late 90’s – We can’t guard everything, so let’s watch the network for suspicious traffic Honeypots Honeypots – Early 2000 – Not only do we want to know when the black hats are attacking, but also answer the question, Why? – Let’s learn rather than just react

Concept of Honeypots A security resource who’s value lies in being probed, attacked or compromised A security resource who’s value lies in being probed, attacked or compromised Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise Used for monitoring, detecting and analyzing attacks Used for monitoring, detecting and analyzing attacks

The Role Of Honeypots In The Enterprise Augments Firewalls and IDS Augments Firewalls and IDS Research Research Incident Response / Forensics Incident Response / Forensics Deception / Deterrence Deception / Deterrence

Advantages ● Fidelity – Information of high value Reduced false positives Reduced false positives Reduced false negatives Reduced false negatives Simple concept Simple concept Not resource intensive Not resource intensive Return on Investment Return on Investment

Disadvantages ● Labor/skill intensive ● Risk ● Limited field of view ● Does not protect vulnerable systems

Today's honeypots Military, government organizations, security companies applying the technologies Military, government organizations, security companies applying the technologies Primarily to identify threats and learn more about them Primarily to identify threats and learn more about them Commercial application increasing everyday Commercial application increasing everyday

Utility – Identifying new exploits

Future Honeypots are now where firewalls were eight years ago Honeypots are now where firewalls were eight years ago Beginning of the “hype curve” Beginning of the “hype curve” Predict you will see five more commercial honeypots by the end of 2003 Predict you will see five more commercial honeypots by the end of 2003 Enhanced policy enforcement capabilities Enhanced policy enforcement capabilities Advance development in Open Source solutions Advance development in Open Source solutions Integrated firewall/IDS/honeypot appliances Integrated firewall/IDS/honeypot appliances

Gen II Honeynet

Virtual Honeynet

Live Demo

Top 10 attacked ports

Attacks logged

IRC traffic plugin output

Legal Issues Entrapment Entrapment Liability Liability Privacy Privacy

Entrapment Applies only to law enforcement Applies only to law enforcement Useful only as defense in criminal prosecution Useful only as defense in criminal prosecution Still, most legal authorities consider honeypots non-entrapment Still, most legal authorities consider honeypots non-entrapment

Liability Any organization may be liable if their honeypot is used to attack or damage third parties. Any organization may be liable if their honeypot is used to attack or damage third parties. –Civil issue, not criminal Example: T.J. Hooper v. Northern Barge Corp. (No weather radios) Example: T.J. Hooper v. Northern Barge Corp. (No weather radios) –Decided at state level, not federal This is why the Honeynet Project focuses so much attention on Data Control. This is why the Honeynet Project focuses so much attention on Data Control.

Privacy No single federal statute (USA) concerning privacy No single federal statute (USA) concerning privacy Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968) Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968) –Title I: Wiretap Act (18 USC ) –Title II: Stored Communications Act (18 USC ) –Title III: Pen/Trap Act (18 USC § )

Questions? Slides available at: Slides available at: