Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeypots and Honeynets

Published byRosamund Osborne Modified over 6 years ago

Similar presentations

Presentation on theme: "Honeypots and Honeynets"— Presentation transcript:

1 Honeypots and Honeynets
Source: The HoneyNet Project Mehedy Masud September 16, 2009

2 Why HoneyPots A great deal of the security profession and the IT world depend on honeypots. Honeypots Build anti-virus signatures. Build SPAM signatures and filters. ISP’s identify compromised systems. Assist law-enforcement to track criminals. Hunt and shutdown botnets. Malware collection and analysis.

3 What are Honeypots Honeypots are real or emulated vulnerable systems ready to be attacked. Primary value of honeypots is to collect information. This information is used to better identify, understand and protect against threats. Honeypots add little direct value to protecting your network.

4 Types of HoneyPot Server: Put the honeypot on the Internet and let the bad guys come to you. Client: Honeypot initiates and interacts with servers Other: Proxies

5 Types of HoneyPot Low-interaction High-interaction
Emulates services, applications, and OS’s. Low risk and easy to deploy/maintain, but capture limited information. High-interaction Real services, applications, and OS’s Capture extensive information, but high risk and time intensive to maintain.

6 Types of HoneyPot Production Research Easy to use/deploy
Capture limited information Mainly used by companies/corporations Placed inside production network w/other servers Usually low interaction Research Complex to maintain/deploy Capture extensive information Primarily used for research, military, or govt. orgs

7 Examples Of Honeypots Low Interaction High Interaction
BackOfficer Friendly KFSensor Honeyd Honeynets Low Interaction High Interaction

8 Honeynets High-interaction honeypot designed to capture in-depth information. Information has different value to different organizations. Its an architecture you populate with live systems, not a product or software. Any traffic entering or leaving is suspect.

9 How It Works A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed. Data Control Data Capture Data Analysis

10 Honeynet Architecture

11 Data Control Mitigate risk of honeynet being used to harm non-honeynet systems. Count outbound connections. IPS (Snort-Inline) Bandwidth Throttling

12 No Data Control

13 Data Control

14 Data Capture Capture all activity at a variety of levels.
Network activity. Application activity. System activity.

15 Sebek Hidden kernel module that captures all host activity
Dumps activity to the network. Attacker cannot sniff any traffic based on magic number and dst port.

16 Sebek Architecture

17 Honeywall CDROM Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM. May, Released Eeyore May, Released Roo

18 Roo Honeywall CDROM Based on Fedora Core 3
Vastly improved hardware and international support. Automated, headless installation New Walleye interface for web based administration and data analysis. Automated system updating.

19 Installation Just insert CDROM and boot, it installs to local hard drive. After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards. Following installation, you get a command prompt and system is ready to configure.

20 Further Information http://www.honeynet.org/

21 Network Telescope Also known as a darknet, internet motion sensor or black hole Allows one to observe different large-scale events taking place on the Internet. The basic idea is to observe traffic targeting the dark (unused) address-space of the network. Since all traffic to these addresses is suspicious, one can gain information about possible network attacks random scanning worms, and DDoS backscatter As well as other misconfigurations by observing it.

22 Honeytoken honeytokens are honeypots that are not computer systems.
Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious.

23 Honeytoken In general, they don't necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity. An example of a honeytoken is a fake address used to track if a mailing list has been stolen

24 Honeymonkey HoneyMonkey,
short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot. The implementation uses a network of computers to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer. A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site. After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot. The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.

25 Honeymonkey HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.

26 Tarpit A tarpit (also known as Teergrube, the German word for tarpit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible. The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective if they take too long. The name is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface.

Download ppt "Honeypots and Honeynets"

Similar presentations

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project

Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.

N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.

Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.

HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Final Introduction ---- Web Security, DDoS, others

Final Introduction ---- Web Security, DDoS, others
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.

A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Similar presentations

Ads by Google