Published by Gavin Stevens. Modified over 8 years ago.
O honeynet Project Lognitive.com

Slide 1: Disclaimer
This is a technical session that contains non-technical content. Get relaxed to get ready for some details. We will have fun because we will take it seriously.
Slide 2: Build a Security Intelligence Center (SiC)
Know your enemy's tactics and motives
Ahmed A. Selim, Information Security Consultant
Slide 3: Bottom Line
How to boost your SoC activity efficiency by introducing a set of intelligence techniques. That's all.
Slide 4: Overview
Offensive vs. Defensive
Sword vs. Shield
Analyst vs. Attacker
Proactive vs. Reactive
Slide 5: Good must win!
Slide 6: May the force be with you
What we really need: a move from the SoC (Security Operation Center) to the SiC (Security Intelligence Center).
Slide 7: The Answer?
Be bad: poison the honey.
Slide 8: Honeypots
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (KYE: Know Your Enemy)
"A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems." (Wiki)
"A honeypot is a system that, through lots of logs, needs us to analyze them for predicting attacker actions, analyzing malware or performing attacks …!" (the speaker)
Slide 9: Types of Honeypots
Low-interaction
– Emulates services, applications, and OSs
– Low risk and easy to deploy/maintain
– But captures limited information: attackers' activities are contained to what the emulated systems allow
High-interaction
– Real services, applications, and OSs
– Captures extensive information, but high risk and time-intensive to maintain
– Can capture new, unknown, or unexpected behavior
Slide 10: Uses of Honeypots
Preventing attacks
– Automated attacks (e.g. worms): "sticky honeypots" monitor unused IP space and slow down the attacker when probed
– Human attacks: confuse the attackers, making them waste their time and resources
Detecting attacks
– Traditional IDSs generate too many logs, with a large percentage of false positives and false negatives
– Traditional IDSs may be ineffective in IPv6 or encrypted environments
– Honeypots generate little data and reduce both false positives and false negatives
Slide 11: Uses of Honeypots
Responding to attacks
– Responding to a failure/attack requires in-depth information about the attacker
– If a production system is hacked (e.g. a mail server) it can't be brought offline for analysis
– Honeypots can easily be brought offline for analysis, while production systems cannot
Research purposes
– Research honeypots collect information on threats
Attacking purposes
– Simulating a legitimate service for legitimate users
Slide 12: Data Control
Mitigate the risk of the honeynet being used to harm non-honeynet systems.
Tradeoff: you need to give the attacker freedom in order to learn about him, and more freedom means a greater risk that the system will be compromised.
Some controlling mechanisms:
– Restrict outbound connections (e.g. limit to 1)
– IDS (Snort-Inline)
– Bandwidth throttling
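The outbound-connection limit is the core of data control, so here is a small model of it, written as an added example for this page. It is not the Honeynet Project's honeywall rc.firewall or Snort-Inline; the per-protocol limits, the one-hour window, the honeypot addresses and the event stream are all constructed assumptions. Inbound traffic and honeypot-to-honeypot traffic always pass (that is what we want to capture); an outbound attempt from a honeypot to the outside world is allowed only while its protocol budget for the current window has not been spent, and protocols with no configured budget are dropped outright.

```python
"""Added example: a model of the honeywall's "restrict outbound connections"
rule. Illustrative code for this page, not the Honeynet Project's rc.firewall;
limits, window and sample events are constructed assumptions."""
from collections import defaultdict

# Assumed outbound budget per honeypot and protocol within one window.
# "tcp": 1 mirrors the slide's "limit to 1" example.
DEFAULT_LIMITS = {"tcp": 1, "udp": 20, "icmp": 50}
WINDOW_SECONDS = 3600  # assumption: counters reset hourly


class DataControl:
    """Decide whether a new connection may pass the honeywall."""

    def __init__(self, honeypots, limits=None, window=WINDOW_SECONDS):
        self.honeypots = set(honeypots)          # addresses inside the honeynet
        self.limits = dict(DEFAULT_LIMITS if limits is None else limits)
        self.window = window
        # (src, proto) -> [window_start, connections_seen_in_window]
        self._counters = defaultdict(lambda: [None, 0])
        self.dropped = []                         # contained attempts, for the analyst

    def decide(self, ts, src, dst, proto):
        """Return 'allow' or 'drop' for a connection starting at time ts (seconds)."""
        if src not in self.honeypots:
            return "allow"      # inbound: the attacker activity we want to capture
        if dst in self.honeypots:
            return "allow"      # honeypot-to-honeypot: never leaves the honeynet
        limit = self.limits.get(proto, 0)   # no configured budget means no outbound at all
        key = (src, proto)
        start, count = self._counters[key]
        if start is None or ts - start >= self.window:
            start, count = ts, 0            # a new window opens on first use or expiry
        if count >= limit:
            self._counters[key] = [start, count]
            self.dropped.append((ts, src, dst, proto))
            return "drop"
        self._counters[key] = [start, count + 1]
        return "allow"


# Constructed event stream: (time, src, dst, proto). 10.0.0.0/24 is the honeynet,
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Internet.
HONEYPOTS = {"10.0.0.10", "10.0.0.11"}
SAMPLE_EVENTS = [
    (0, "192.0.2.7", "10.0.0.10", "tcp"),         # attacker probes in: allow
    (10, "10.0.0.10", "198.51.100.5", "tcp"),     # first outbound tcp this hour: allow
    (20, "10.0.0.10", "198.51.100.6", "tcp"),     # second outbound tcp: drop (budget 1)
    (30, "10.0.0.10", "10.0.0.11", "tcp"),        # lateral move inside honeynet: allow
    (40, "10.0.0.10", "198.51.100.5", "gre"),     # protocol without budget: drop
    (3700, "10.0.0.10", "198.51.100.6", "tcp"),   # new hourly window: allow
]


def run(events, honeypots):
    """Apply DataControl to an event list and return the decision per event."""
    dc = DataControl(honeypots)
    return [dc.decide(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, HONEYPOTS)):
        print(verdict, event)
```

The dropped list is the interesting output for the SiC: every contained outbound attempt tells you what the attacker tried to do next, which is exactly the intelligence the deck says a plain SoC lacks.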
Slide 13: No Data Control vs. Data Control [diagram]
Slide 14: Honeypot Theory: Control & Capture
Slide 15: Data Capture
Capture all activity at a variety of levels:
– Network activity
– Application activity
– System activity
Issues
– No captured data should be stored locally on the honeypot
– No data pollution should contaminate the captured data
– The admin should be able to remotely view honeynet activity in real time
– Must use a unified time zone
Slide 16: Data Control
Mitigate the risk of the honeynet being used to harm non-honeynet systems.
Tradeoff: you need to give the attacker freedom in order to learn about him, and more freedom means a greater risk that the system will be compromised.
Some controlling mechanisms:
– Restrict outbound connections (e.g. limit to 1)
– IDS (Snort-Inline)
– Bandwidth throttling
Slide 17: How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
It should satisfy two critical requirements:
– Data Control: defines how activity is contained within the honeynet, without the attacker knowing it
– Data Capture: logging all of the attacker's activity without the attacker knowing it
Data control has priority over data capture.
Slide 18: Types of Deployments
Gen-I (1999):
– Served as a proof of concept and was very simple to deploy
– Basic mechanisms for fulfilling the data control and capture requirements
– Data control through a reverse firewall
– Data collection through an IDS
Slide 19: Types of Deployments
Gen-II (2002):
– Improved a lot of honeypot features, providing a high level of interaction with a malicious user
– Data control: the reverse firewall is replaced with a honeywall
– Data collection using different techniques
Slide 20: Do the Right Thing!
Slide 21: Control, Capture, Analysis & Act
Control
– Honeywall / iptables
Capture
– User-Mode Linux (UML)
– Honeyd
Analysis
– PicViz
– Hflow2
Act
– Honeysnap
– HoneySink
– Nebula / Honeycomb
Slide 22: Capture: User-Mode Linux (UML)
– Open source virtualization solution
– Limited to Linux only
– Sandbox: a self-contained virtual honeypot
– Can be used with an image of an existing filesystem
– Needs a tool to capture traffic (e.g. Snort, system logs)
Slide 23: Capture: User-Mode Linux (UML) [screenshots: booting, halting]
Slide 24: Capture: Honeyd
– Open source low-interaction honeypot; one of the active projects
– Simulates a wide range of systems and services:
  – Reads the Nmap OS fingerprint format: /usr/share/nmap/nmap-os-db, /usr/share/honeyd/nmap.print
  – Emulates multi-vendor services: /usr/share/honeyd/scripts/
Let's configure…
Slide 25: Capture: generator.sh
generator.sh is part of the Ohoneynet project: a simple tool to create a low-interaction honeynet (up to 254 nodes) in seconds. Distributed under an open source license.
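To make the "let's configure" step and the 254-node generator concrete, the following added example (written for this page, not the Ohoneynet project's generator.sh and not honeyd's own code) builds a honeyd configuration from a couple of templates and binds the usable addresses of a /24 to them round-robin. The template contents are assumptions: a personality string must match a fingerprint name in honeyd's nmap.prints file (the deck refers to /usr/share/honeyd/nmap.print), and web.sh is an assumed script under /usr/share/honeyd/scripts/, the directory the slide references. The generated text uses honeyd's create / set / add / bind configuration syntax.

```python
"""Added example: generate a honeyd configuration for up to 254 low-interaction
nodes, in the spirit of the Ohoneynet generator.sh. Not that script; templates,
script paths and the 254 limit are taken from the slides or assumed."""
import ipaddress

MAX_NODES = 254  # the slide's stated limit: one /24 of usable host addresses

# Constructed templates (assumptions). Personality names must exist in
# honeyd's nmap.prints or honeyd rejects the config; web.sh is an assumed
# location under the scripts directory the slides mention.
TEMPLATES = {
    "linux": {
        "personality": "Linux 2.4.20",
        "defaults": {"tcp": "reset", "udp": "reset", "icmp": "open"},
        "ports": {
            ("tcp", 22): "open",
            ("tcp", 80): '"sh /usr/share/honeyd/scripts/web.sh"',
        },
    },
    "windows": {
        "personality": "Microsoft Windows XP Professional SP1",
        "defaults": {"tcp": "reset", "udp": "reset", "icmp": "open"},
        "ports": {("tcp", 135): "open", ("tcp", 139): "open", ("tcp", 445): "open"},
    },
}


def render_template(name, tpl):
    """Emit the create/set/add stanza that defines one honeyd template."""
    lines = [f"create {name}", f'set {name} personality "{tpl["personality"]}"']
    for proto, action in tpl["defaults"].items():
        lines.append(f"set {name} default {proto} action {action}")
    for (proto, port), action in sorted(tpl["ports"].items()):
        lines.append(f"add {name} {proto} port {port} {action}")
    return lines


def generate_config(network, count, templates=TEMPLATES):
    """Return honeyd.conf text binding `count` hosts of `network` to the
    templates round-robin. Refuses more than MAX_NODES or more hosts than
    the network actually has, instead of emitting a config honeyd would
    choke on halfway through."""
    if count < 1 or count > MAX_NODES:
        raise ValueError(f"count must be between 1 and {MAX_NODES}")
    hosts = list(ipaddress.ip_network(network, strict=True).hosts())
    if count > len(hosts):
        raise ValueError(f"{network} has only {len(hosts)} usable host addresses")
    lines = []
    for name, tpl in templates.items():
        lines.extend(render_template(name, tpl))
        lines.append("")
    names = list(templates)
    for i, host in enumerate(hosts[:count]):
        lines.append(f"bind {host} {names[i % len(names)]}")
    return "\n".join(lines) + "\n"


def count_bindings(config):
    """Number of virtual hosts the config brings up."""
    return sum(1 for line in config.splitlines() if line.startswith("bind "))


if __name__ == "__main__":
    print(generate_config("192.168.1.0/24", MAX_NODES), end="")
```

Save the output as honeyd.conf and start the daemon in the foreground with `honeyd -d -f honeyd.conf -i eth0 192.168.1.0/24`; honeyd only answers for addresses something ARPs for, so it is traditionally paired with arpd (farpd) on the same subnet. Keep the data-control rules in front of these hosts even though they are low-interaction: the scripts they run are still code exposed to untrusted input.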
Slide 26: Analysis
Slide 27: Logs… Logs… Logs
Info Sec = logs. We need a way to visualize logs instead of analyzing raw logs.
Log dimensions…? Answer: parallel coordinates.
Slide 28: Analysis: PicViz
– The simplest visualization method
– No need for excessive data processing
– Only need to know PGDL (PicViz Graphic Description Language)
sudo pcv -Tpngcairo apache.log -r -a -o apache.png
Let's check it…
Slide 29
– The web server is being used all the time, with no difference between daytime and nighttime
– Only two protocols are being used (HTTP/1.1 and HTTP/1.0)
– Six request types were used. While GET is the main one, there are other interesting requests that we could investigate
– One request type (GET) fully covers the URL axis, while the other request types seem to cover only a subset
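The observations above are read off the axes of a parallel-coordinates plot: one axis per log dimension (hour, client, method, URL, protocol, status), one polyline per request. The following added example, written for this page rather than taken from PicViz or PGDL, parses Apache access-log lines into exactly those axes and computes the same facts numerically (distinct protocols, distinct request types, how much of the URL axis each method covers, day versus night volume). The log lines are constructed sample data, and the 06:00 to 18:00 daytime window is an assumption.

```python
"""Added example: extract parallel-coordinate axes from Apache access-log
lines and summarize each axis. Not PicViz; sample log lines are constructed."""
import re
from datetime import datetime

# Apache common/combined log request line; referer and user-agent tails are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
AXES = ("hour", "ip", "method", "url", "proto", "status")

# Constructed sample log: documentation addresses, a mix of hours, methods,
# protocols and one malformed line to show that bad input is skipped.
SAMPLE_LOG = """\
192.0.2.1 - - [10/Oct/2010:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
192.0.2.2 - - [10/Oct/2010:02:11:09 +0000] "GET /admin HTTP/1.0" 404 512
192.0.2.3 - - [10/Oct/2010:03:40:00 +0000] "POST /admin HTTP/1.1" 403 128
192.0.2.4 - - [10/Oct/2010:15:02:44 +0000] "HEAD / HTTP/1.1" 200 0
192.0.2.5 - - [10/Oct/2010:22:17:51 +0000] "OPTIONS / HTTP/1.0" 200 0
this line is not an access-log record
192.0.2.6 - - [10/Oct/2010:09:30:12 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.7 - - [10/Oct/2010:23:59:59 +0000] "PROPFIND /admin HTTP/1.1" 405 0
"""


def parse_line(line):
    """Return one record keyed by axis name, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip rather than guess: a bad record would pollute every axis
    rec = m.groupdict()
    ts = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["hour"] = ts.hour
    return {axis: rec[axis] for axis in AXES}


def summarize(text, day_hours=range(6, 18)):
    """Per-axis facts of the kind an analyst reads off the plot."""
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    urls = {r["url"] for r in rows}
    seen = {}  # method -> set of URLs it touched
    for r in rows:
        seen.setdefault(r["method"], set()).add(r["url"])
    return {
        "rows": len(rows),
        "protocols": sorted({r["proto"] for r in rows}),
        "methods": sorted(seen),
        # 1.0 means the method's lines fan out over the whole URL axis
        "url_coverage": {m: len(s) / len(urls) for m, s in seen.items()},
        "day": sum(r["hour"] in day_hours for r in rows),
        "night": sum(r["hour"] not in day_hours for r in rows),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A method whose coverage is well below GET's, like PROPFIND or OPTIONS touching only /admin or /, is the "interesting request to investigate" the slide points at: the picture shows it as a bundle of lines converging on one URL, and the number says the same thing.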
Slide 30: Act: Honeycomb
– Automated IDS signature generator
– Plugin that integrates with Honeyd
– Signatures are written to /tmp/honeycomb.log
Let's generate…
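Honeycomb derives its signatures by finding the longest common substring across the payloads of similar connections that reach the honeypot and wrapping the result in a Snort rule. The added example below is a simplified reimplementation of that idea, written for this page and not the Honeycomb plugin's code; the payloads, the minimum signature length, the SID and the rule template are constructed assumptions. It also shows the two things a practitioner has to get right: refusing a common core too short to be a meaningful match, and escaping the bytes Snort's content modifier treats specially.

```python
"""Added example: Honeycomb-style signature generation by longest common
substring over captured payloads, rendered as a Snort rule. Simplified
reimplementation for illustration, not the Honeycomb plugin; payloads,
min_len and SID are constructed assumptions."""


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Standard dynamic-programming LCS over two byte strings."""
    best_len = best_end = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def generate_signature(payloads, min_len=8):
    """Fold LCS across all payloads. Returns None when the shared core drops
    below min_len: a few common bytes would match legitimate traffic too."""
    sig = payloads[0]
    for p in payloads[1:]:
        sig = longest_common_substring(sig, p)
        if len(sig) < min_len:
            return None
    return sig


def render_content(sig: bytes) -> str:
    """Snort content syntax: printable text with '"', ';' and '\\' escaped,
    everything else (and '|') as |hex| runs."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in sig:
        if 0x20 <= b < 0x7F and b != 0x7C:
            flush()
            ch = chr(b)
            out.append("\\" + ch if ch in '";\\' else ch)
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def snort_rule(sig: bytes, sid: int, port: int) -> str:
    """Wrap a signature in an alert rule; $HOME_NET and the SID range are assumptions."""
    return (f"alert tcp any any -> $HOME_NET {port} "
            f'(msg:"Honeycomb-style auto signature"; '
            f'content:"{render_content(sig)}"; sid:{sid}; rev:1;)')


# Constructed payloads: three probes of the same CGI path with varying arguments.
SAMPLE_PAYLOADS = [
    b"GET /cgi-bin/test.cgi?x=AAAA HTTP/1.0\r\n",
    b"GET /cgi-bin/test.cgi?x=BBBBBB HTTP/1.1\r\n",
    b"POST /cgi-bin/test.cgi?x=CC HTTP/1.1\r\n",
]


def demo(payloads=SAMPLE_PAYLOADS, sid=1000001, port=80):
    """Return (signature, rule) for the sample payloads; rule is None if no signature."""
    sig = generate_signature(payloads)
    return sig, (snort_rule(sig, sid, port) if sig else None)


if __name__ == "__main__":
    signature, rule = demo()
    print(signature)
    print(rule)
```

Note how the common core keeps the trailing "T" of GET and POST: raw LCS is blind to token boundaries, which is why auto-generated signatures go into /tmp/honeycomb.log for an analyst to review rather than straight into the production IDS ruleset.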
Slide 31: Wrapping Up
– A SoC is a good idea, but we need intelligence for fast response
– Being a good guy doesn't mean you don't think badly
– Honeypots are a good technique but need good care
Slide 32: Ohoneynet Project
Sponsored by Lognitive.com. Creates a honeypot framework offering Control, Capture and Analysis, with a user-friendly GUI.
Slide 33: Ahmed A. Selim, ahmed.s3lim@gmail.com, Ohoneynet Project, Lognitive.net