
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.


Slide 1: Using Honeypots to Improve Network Security
Dr. Saleh Ibrahim Almotairi
Research and Development Centre, National Information Centre - Ministry of Interior
Dec 21, 2009

Slide 2: Content
 Introduction
 Defence-in-Depth Protection Strategy
 Network Monitoring Methods
 Honeypots
 Honeypot Technologies
 Existing Honeypot Solutions
 Honeypot Deployment Challenges
 Conclusion

Slide 3: Introduction
 The number of attacks and the number of new vulnerabilities are on the rise, driven by:
  increased financial and other incentives
  high prevalence of exploitable vulnerabilities
  availability of vulnerability information and attack tools
  lack of, or long delays in, patches from vendors

Slide 4: Introduction
 The sources of vulnerabilities can be attributed to many factors:
  the design of the protocols and services themselves
  the flawed implementation of these protocols and services
 To counter this advance in threats, security managers need to implement multiple layers of security defence

Slide 5: Defence-in-Depth Protection Strategy
 Awareness
 Policy
 Patching
 Firewalls
 Anti-virus
 Encryption
 Intrusion Detection Systems
 Monitoring

Slide 6: Network Monitoring Methods
 Two methods of monitoring network traffic for malicious activity are commonly used:
  live network monitoring, such as firewalls, network intrusion detection systems, and NetFlow
  unsolicited traffic monitoring, such as darknets and honeypots

Slide 7: Firewalls
 Comprise software and hardware that protect one network from another network
 Make decisions at layer 3 (IP address) and layer 4 (port), and might incorporate IPS functionality at layer 7
 Cannot see local traffic and are vulnerable to misconfiguration

Slide 8: Intrusion Detection System (IDS)
 An IDS is a security system that monitors computer systems and network traffic for attacks and anomalous activity
 An intrusion prevention system (IPS) is an access control device, like a firewall
 IDSs are classified based on their information source into:
  network-based
  host-based

Slide 9: Intrusion Detection System (IDS)
 IDSs can be classified further based on their detection methodology into:
  anomaly-based IDSs, which measure deviation from normality and raise alarms whenever a predefined threshold is exceeded
  signature-based IDSs, which rely on a knowledge base of predefined attack patterns, or signatures

Slide 10: Anomaly detection
 Mainly based on statistical techniques
 The basic concept of the statistical technique for detecting anomalies is to:
  build a profile of normal behaviour
  measure large deviations from the profile
  test them against a predefined threshold value
  flag behaviour as anomalous when these deviations exceed the threshold
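The four steps on this slide, worked through as an added example that is not part of the presentation: a profile of normal behaviour is built from constructed per-minute connection counts as a mean and standard deviation, each new observation's deviation is measured as a z-score, and a threshold of three standard deviations decides what gets flagged. The sample data, the threshold value and the function names are assumptions made for this illustration.

```python
"""Added example (not from the presentation): the statistical anomaly
detection loop described on the slide, applied to constructed per-minute
connection counts observed for one host."""
from statistics import mean, pstdev

# Constructed training data: connections per minute during a known-normal period.
NORMAL_WINDOW = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

# Constructed observation window: minute 4 shows a burst typical of a scan or flood.
OBSERVED = [13, 14, 12, 15, 85, 14, 13]


def build_profile(samples):
    """Step 1: profile normal behaviour as mean and (population) standard deviation."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def deviation(profile, value):
    """Step 2: deviation of one observation from the profile, in standard deviations.

    A zero standard deviation means the baseline never varied, so any change at all
    is treated as an infinite deviation rather than raising a division error."""
    if profile["stdev"] == 0:
        return 0.0 if value == profile["mean"] else float("inf")
    return abs(value - profile["mean"]) / profile["stdev"]


def detect(profile, observations, threshold=3.0):
    """Steps 3 and 4: test each deviation against the threshold and flag the
    (minute, count, z-score) triples that exceed it."""
    alerts = []
    for minute, count in enumerate(observations):
        z = deviation(profile, count)
        if z > threshold:
            alerts.append((minute, count, round(z, 2)))
    return alerts


if __name__ == "__main__":
    prof = build_profile(NORMAL_WINDOW)
    print(f"profile: mean={prof['mean']:.2f} stdev={prof['stdev']:.2f}")
    for minute, count, z in detect(prof, OBSERVED):
        print(f"minute {minute}: {count} connections, z={z} exceeds threshold")
```

The threshold is the tuning knob the slide refers to: lowering it catches smaller deviations at the cost of more false alarms, and a baseline collected while an attack was already under way will silently raise the mean so that the same attack later looks normal.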

Slide 11: Network-based IDSs (NIDS)
 detect attacks by analysing network packets
 do not interfere with the normal operation of a network
 are easy to deploy and manage
 are operating system independent
 are not able to analyse encrypted traffic
 are not able to cope with high traffic volumes in large or busy networks

Slide 12: Host-based IDSs (HIDS)
 are installed locally on host machines
 operate on information collected from within the host system being protected
 are more accurate and generate fewer false positive alarms
 handle encryption
 are harder to manage
 are operating system dependent
 affect the performance of the host system

Slide 13: Honeypots
 First uses of the honeypot concept:
  Cliff Stoll in his book “The Cuckoo's Egg” in 1986
  Bill Cheswick in his paper “An Evening with Berferd: In Which a Cracker is Lured” in 1990
 The term honeypot was first introduced by Lance Spitzner in 1999
 Honeypot definitions:
  a security resource whose value lies in being probed, attacked, or compromised (Spitzner)
  a closely monitored computing resource that we want to be probed, attacked, or compromised (Provos)

Slide 14: Honeypots
 These definitions of a honeypot imply that:
  it can be any type of computer resource, such as a firewall, a web server, or even an entire site
  it runs no real production services
  any contact with it is considered potentially malicious
  traffic sent to or from a honeypot is considered either an attack or a result of the honeypot having been compromised

Slide 15: Honeypots
 An example of a virtual honeypot setup that emulates two operating systems:
  a Windows server with open ports TCP 80, 445 and UDP 37
  a Unix server with open ports TCP 21, 25, 80

Slide 16: Honeypots
 Notable features of honeypots include:
  they collect small volumes of higher-value traffic
  they are capable of observing previously unknown attacks
  they detect and capture all of an attacker's activities, including encrypted traffic and commands
  they require minimal resources
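As an added example that is not part of the presentation, the following Python models the two emulated hosts from slide 15 and triages constructed connection records against them, applying the rule from slide 14 that every contact with a honeypot is suspect and the observation from slide 16 that the resulting data set is small enough to summarise per source. The honeypot addresses, the log format, the source addresses and the port-count threshold used to call something a scan are all constructed assumptions.

```python
"""Added example (not from the presentation): triage of connection records
captured by a virtual honeypot that emulates the two hosts on slide 15.
Every contact is treated as suspicious; the summary separates probes of
emulated open ports from probes of closed ports and flags scanning sources."""
from collections import defaultdict

# Emulated hosts and their advertised open ports, as listed on the slide.
# The addresses are constructed placeholders.
HONEYPOT_HOSTS = {
    "10.0.0.10": {"os": "Windows", "open": {("tcp", 80), ("tcp", 445), ("udp", 37)}},
    "10.0.0.20": {"os": "Unix", "open": {("tcp", 21), ("tcp", 25), ("tcp", 80)}},
}

# Constructed connection log: (source, destination, protocol, destination port).
# The record aimed at 10.0.0.99 is not a honeypot address and is ignored.
EVENTS = [
    ("192.0.2.5", "10.0.0.10", "tcp", 445),
    ("192.0.2.5", "10.0.0.10", "tcp", 135),
    ("192.0.2.5", "10.0.0.20", "tcp", 22),
    ("192.0.2.5", "10.0.0.20", "tcp", 21),
    ("192.0.2.5", "10.0.0.99", "tcp", 80),
    ("198.51.100.7", "10.0.0.20", "tcp", 25),
    ("203.0.113.9", "10.0.0.10", "udp", 37),
]


def triage(events, hosts, scan_threshold=3):
    """Summarise, per source address, how many honeypot contacts it made, how many
    hit ports the honeypot emulates as open versus closed, and whether the number
    of distinct (protocol, port) pairs touched suggests a scan."""
    per_source = defaultdict(list)
    for src, dst, proto, port in events:
        if dst not in hosts:
            continue  # only traffic to a honeypot address is in scope
        per_source[src].append((dst, proto, port))

    summary = {}
    for src, hits in per_source.items():
        open_hits = [h for h in hits if (h[1], h[2]) in hosts[h[0]]["open"]]
        distinct = {(h[1], h[2]) for h in hits}
        summary[src] = {
            "contacts": len(hits),
            "open_port_hits": len(open_hits),
            "closed_port_hits": len(hits) - len(open_hits),
            "likely_scan": len(distinct) >= scan_threshold,
            # by the slide-14 definition, any contact with a honeypot is suspicious
            "suspicious": True,
        }
    return summary


if __name__ == "__main__":
    for src, info in triage(EVENTS, HONEYPOT_HOSTS).items():
        print(src, info)
```

Because the honeypot offers no production service, the analyst does not have to separate legitimate sessions from hostile ones first; the whole effort goes into characterising what the contact was, which is the "small volume of higher-value traffic" the slide describes.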

Slide 17: Honeypot Technologies
 Divided by level of interaction into:
  low interaction: respond only to connections
  medium interaction: connected to scripts that emulate basic protocol behaviour
  high interaction: run real operating systems with real services
 Divided by intended use into:
  production honeypots (Honeynets)
  research honeypots (Leurre.com)

Slide 18: Honeypot Technologies
 Divided by hardware deployment into:
  physical honeypots (Honeynets)
  virtual honeypots (Argos)
 Divided by attack role into:
  server-side honeypots (Honeyd)
  client-side honeypots (HoneyMonkey)

Slide 19: Some of the Existing Honeypot Solutions
 Automatic generation of IDS signatures: Honeycomb
 Worm detection systems: HoneyStat, SweetBait
 Malware collection: Nepenthes, Honeytrap, IBM Billy Goat
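To show what "automatic generation of IDS signatures" from honeypot data involves, here is an added example that is neither from the presentation nor from the Honeycomb project itself. It follows the longest-common-substring idea Honeycomb is built on: payloads captured by a honeypot for the same destination port are intersected pairwise, and whatever common byte string survives becomes the content match of a Snort-style rule. The captured payloads, the minimum signature length, the `$HONEYPOT` variable and the rule wording are constructed for this illustration; a real generator adds protocol-aware checks so that trivially common strings are not turned into rules.

```python
"""Added example (not from the presentation or from Honeycomb): extract a
content signature from several honeypot-captured payloads by repeated
longest-common-substring (LCS), then render it as a Snort-style rule."""


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic dynamic-programming LCS over two byte strings (O(len(a)*len(b)))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def extract_signature(payloads, min_len=8):
    """Intersect all payloads via LCS; the survivor is the candidate content.
    Returns None as soon as the common part drops below min_len, which guards
    against producing a rule from a string like b"GET " that matches everything."""
    if not payloads:
        return None
    common = payloads[0]
    for p in payloads[1:]:
        common = longest_common_substring(common, p)
        if len(common) < min_len:
            return None
    return common


def to_snort_content(sig: bytes) -> str:
    """Render bytes as a Snort content string: printable ASCII is kept, while
    non-printable bytes and the characters Snort treats specially inside a
    content match (double quote, semicolon, backslash, pipe) go into |hex| runs."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in sig:
        if 0x20 <= b < 0x7F and b not in (0x22, 0x3B, 0x5C, 0x7C):
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def make_rule(payloads, dst_port, sid=1000001):
    """Build a Snort-style alert rule from the extracted signature, or None."""
    sig = extract_signature(payloads)
    if sig is None:
        return None
    return (f"alert tcp any any -> $HONEYPOT {dst_port} "
            f'(msg:"honeypot-derived signature"; content:"{to_snort_content(sig)}"; sid:{sid};)')


# Constructed captures: three instances of one probe with varying parameters and hosts.
CAPTURES = [
    b"GET /cgi-bin/probe.cgi?x=1 HTTP/1.1\r\nHost: a.example\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?x=2 HTTP/1.1\r\nHost: b.example\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?x=7 HTTP/1.0\r\nHost: c.example\r\n\r\n",
]

if __name__ == "__main__":
    print(make_rule(CAPTURES, 80))
```

The min_len guard is the crude form of the quality control a production generator needs: LCS alone happily returns a string shared by benign traffic, so any generated rule should be reviewed, and preferably tested against a sample of normal traffic, before it is loaded into a detector.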

Slide 20: Honeypot Deployment Challenges
 Approaches for analysing data collected from honeypots are presently immature
 Current analysis techniques are manual and focus mainly on identifying existing attacks
 Honeypots introduce medium to high risk to networks
 They require continuous monitoring

Slide 21: Conclusion
 Honeypots are essential tools for gathering useful information on a variety of malicious activities
 Analysis of anomalous activities in honeypot traffic presents a good research area
 Deploying honeypots would improve the security of networks by:
  providing smaller, cleaner traffic data sets that are not mixed with real production traffic

Slide 22: Conclusion (continued)
  providing early alerts of new and previously unseen attacks
  enabling organisations to conduct forensic investigations of incidents without the need to stop production networks
 Our ongoing research focuses on utilising honeypots to improve the security of web servers, which are the most attacked targets

Slide 23: Thank You. Questions?

