1. Introduction
Goal of this Presentation: To give a better understanding of the overview of our project, such as:
- Research
- Project Plans
- Customer Expectations
- Business Case
- Cost Budget
- Unsolved Issues, etc.
2.0 Project Assumptions and Objectives
Project Explanation
- Track attacks and log their paths
- Create a complete package
Background
- 1990, first concepts of Honeypot by Clifford Stoll
- 1997, first toolkit released: Fred Cohen's Deception Toolkit
- Other releases: CyberCop, Back Officer Friendly and Honeynet Project "Know Your Enemy" publications
2.0 Project Assumptions and Objectives
Scope
- Raytheon allows a great deal of freedom
- Add, modify and combine individual components:
  - Wireless Linksys router
  - Honeypot software
  - Logging station
- Create automatic script for setup
2.0 Project Assumptions and Objectives
Major Objectives
- Modify wireless Linksys router: add authentication capability to the router
- Modify honeypot open source: add a unique element to the open source code
- Add logging station: separate logging from the honeypot to eliminate the chance of the logs being compromised
- Hack our system: try to hack our own system, then fix and upgrade features throughout the process
2.0 Project Assumptions and Objectives
Expectations
- Unique modification to honeypot open source code
- Slow down attacks in real time to limit their bandwidth
- Provide a quick and easy setup
Annual Quantity
- Raytheon may possibly continue this project in house and sell it as a package to customers
3.0 Customer Expectations
Wants and Needs of the customer: The wants and needs of the customer are exactly the results of the effort that our team puts in. This is not usually the norm, but it is Raytheon's only expectation that we create a working honeypot that shows off our team's imagination and innovation.
Relative importance:
- Strong research and development into creating a unique honeypot (priority 1)
- Creating a bundled software and hardware product that reflects our R&D (priority 2)
3.0 Customer Expectations
Product Specifications
- Technical: Creating a functioning honeypot that can be used on an infrastructure network and can effectively log and divert intruders from the production network.
- Performance: Emulation of all the traffic directed through the router as though it were traveling through the actual production network.
- Quality: An effective logging system to monitor which parts of the production network are being attacked.
- Overall Goal: Provide a product that slows down an attacker by creating a simulated network environment, applicable in real-world scenarios, which can log an attacker's intentions and paths, with the potential for collecting material admissible in a court of law.
3.0 Customer Expectations
Measurable Engineering Characteristics based on customer expectations
- Accuracy of logging software
- Speed of packet-sniffing algorithm
- Size of logged information storage
- Speed and accuracy of IDS (Intrusion Detection System)
- Reliability of logged information (spoofing detection)
3.0 Customer Expectations
Relationship of product specifications to customer's wants and needs: Difficult to define, since the customer in this case is allowing the product specifications to be their "wants and needs".
Specifics:
- The technical aspect of our product specification is the creation of a functioning honeypot. (high priority)
- The performance of our system should be similar to existing honeypot and honeynet systems, but different in that ours adds some innovative and unique designs (which our ad-hoc application should provide). (medium priority)
- The product being created, although not explicitly manufactured for future retail value, should be a finished product complete with bundled hardware and software. While this is not a "need" of the customer, it could potentially be a "want". (low priority)
4.0 Analysis of Competitive Products
To our knowledge, there are no products that are similar enough to ours to be considered competitors. Our system is in its own class because of the features that will be implemented with it.
4.0 Analysis of Competitive Products
However, we have looked at other products that have some of our product's functionalities, such as:
- Symantec Mantrap: monitors intrusions instantly; decoys look and act exactly like full-function servers
- Snort: traffic analysis and packet logging on IP networks
5.0 Concept Selection and Description
- Slow down an attack: the honeypot will act as a diversion to provide time to take the appropriate measures and keep harmful traffic away from the production network
- Simulate a real network environment: create the illusion of a real network so outsiders are none the wiser
- Log incoming and outgoing data: determine vulnerabilities in our own network and prevent future attacks
- Do not interfere with the production network: keep the honeypot separate to avoid complications with the production network in case the honeypot is compromised
5.0 Concept Selection and Description
Setup of a Honeypot: (diagram)
6.0 Project Plan, Resources, Schedules
Major Checkpoints and Deliverables
- Setup Network (10/4 - 10/11)
- Comprehensive Plan (10/ /2)
- Prototypes Plan (10/12 - 10/27)
- Modify Linksys BIOS (10/22 - 11/30)
- Configure dedicated machines for specific use (11/15 - 12/09)
- Project Plan Review (01/3 - 01/10)
- Prototype Results (01/3 - 01/10)
6.0 Project Plan, Resources, Schedules
Major Checkpoints and Deliverables (cont.)
- Simulate Real World Attacks (01/5 - 02/16)
- Code integration and test/build (02/07 - 02/14)
- Modification to system (02/07 - 02/14)
- Final Packaging and Documentation (02/23 - 03/29)
6.0 Project Plan, Resources, Schedules
Responsibilities for each member: We are at the point where we feel it is better to work as a team. More specific tasks will be assigned later in the project to pairs of members as needed.
7.0 Business Case
With industrial espionage, and particularly computer-based industrial espionage, on the rise, companies are all going many steps further to protect their information. The most commonly seen threat to a company's computer network is something as simple as a virus or worm. While these scripts do cause slowdowns in production and monetary loss, another threat that is not as often thought about is theft of intellectual property. The wireless honeypot appliance is part of a solution to curb the efforts of outsiders wanting to gain access to our corporate network, be it for malicious or theft reasons.
7.0 Business Case
Assumptions:
- Internal use only: not for sale
- Still has a (positive) financial impact by preventing unauthorized information from being "stolen" from Raytheon
Estimated Product Cost:
- $20, in R&D
- Approximately $ to replicate
- All software either developed in-house or under the GPL license
Support Costs:
- Low support costs: "Setup and Go"
- Costs may increase if a threat is found, as a matter of protection
Return on Investment
As stated before, no actual dollar amount can be assigned to the value of this project; however, the liability that Raytheon employees assume will be greatly decreased.
8. Issues
- List of areas in the design that are not too well understood
- Parts, components, subsystem sourcing for prototypes
- Prototype testing
List of areas in the design that are not too well understood
- Flashing the BIOS of the Linksys router
- General knowledge of hacking to simulate an attack on the honeypot
- Adding to the kernel of a Linux operating system
- Using IDS and logging tools to record information from attacks
- An understanding of networking in general (packets, ports, protocols, etc.)
- Legal issues regarding honeypots
Parts, Components, Subsystem sourcing for prototypes
- Linksys Wireless Router with SpeedBooster, WRT54GS (the SpeedBooster model provides double the flash memory)
- 3 Computers:
  1. Running the honeypot (User-mode Linux, Honeyd)
  2. Running Snort (logs activity from the router)
  3. Running the system logger (logs activity in the honeypot)
- A wireless network on which to implement our honeypot system
- Other computers to simulate attacks on the honeypot
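As an added example (not code from the project), this shows the job the separate logging station has in the concept above: take the Snort alerts captured at the router and the honeypot's own syslog lines, rebuild each attacker's path (the ordered hosts and ports it touched), and flag honeypot connections the router sensor never alerted on, which is a cheap first check on the reliability of the logs. The sample lines are constructed; the Snort lines follow the alert_fast format, while the honeyd message text is a simplified, assumed format rather than real honeyd output.

```python
import re
from collections import defaultdict

# Constructed sample input (not real captures). Snort "alert_fast" lines from the router sensor.
SNORT_ALERTS = """\
10/15-13:42:01.103  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 10.0.0.77:41222 -> 192.168.1.10:22
10/15-13:42:03.551  [**] [1:1000002:1] WEB-MISC probe [**] [Priority: 2] {TCP} 10.0.0.77:41223 -> 192.168.1.10:80
10/15-13:42:09.020  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 10.0.0.77:41224 -> 192.168.1.11:445
"""
# Constructed syslog lines forwarded from the honeypot host (message text is an assumed format).
HONEYPOT_SYSLOG = """\
Oct 15 13:42:01 honeypot honeyd[812]: Connection to 192.168.1.10:22 from 10.0.0.77
Oct 15 13:42:03 honeypot honeyd[812]: Connection to 192.168.1.10:80 from 10.0.0.77
Oct 15 13:42:09 honeypot honeyd[812]: Connection to 192.168.1.11:445 from 10.0.0.77
Oct 15 13:42:15 honeypot honeyd[812]: Connection to 192.168.1.12:23 from 10.0.0.99
"""
SNORT_RE = re.compile(r"^(\S+)\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*\{(\w+)\} ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
SYSLOG_RE = re.compile(r"honeyd\[\d+\]: Connection to ([\d.]+):(\d+) from ([\d.]+)$")

def parse_snort(text):
    """Return (src_ip, dst_ip, dst_port, signature) tuples in file order."""
    out = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            out.append((m.group(4), m.group(6), int(m.group(7)), m.group(2)))
    return out

def parse_honeypot(text):
    """Return (src_ip, dst_ip, dst_port) tuples from the honeypot's syslog."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            out.append((m.group(3), m.group(1), int(m.group(2))))
    return out

def attack_paths(snort_events):
    """Ordered (dst_ip, dst_port, signature) steps per attacking source address."""
    paths = defaultdict(list)
    for src, dst, port, sig in snort_events:
        paths[src].append((dst, port, sig))
    return dict(paths)

def unconfirmed(honeypot_events, snort_events):
    """Honeypot connections the router sensor never alerted on: the two vantage
    points should agree, so a mismatch means a missed alert or a suspect log entry."""
    seen = {(s, d, p) for s, d, p, _ in snort_events}
    return [e for e in honeypot_events if e not in seen]
```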
Prototype testing
- Evolutionary Prototyping: build a bicycle first, then build a car
- Start with a barebones honeypot system
- Test
- Implement additions one by one from a list of prioritized features
- Repeat until features or time run out