1. HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell

2. Introduction  What is a honeypot?  “An information system resource whose value lies in unauthorized or illicit use of that resource” (Spitzner 2003)  Types of honeypots  Production vs. Research Production – captures limited information, for mitigating risk, used in a corporate setting Research – captures lots of information, learn about threats, develop better protection  Prevention, detection, reaction Prevention – keeping a threat out Detection – sensing attacks, alerting admins Reaction – responding to a threat  Low-interaction, medium-interaction, high- interaction More detail later on  Implementations  Honeynets/honeyfarms Network of real computers, high risk, high information gain  Spamtraps Honeypot used to collect spam Usually e-mail addresses that prevent legitimate use to ensure all use is illegitimate Usenet newsgroups lure cross-posted spam  Virtualisation VMware honeyd  Fake APs  Fake web servers  Network services Emulate telnet, FTP, SMTP, POP3, HTTP  Multipurpose solutions Mantrap, Deception Toolkit, HOACD

3. Advantages/Disadvantages  Advantages  Data collection Only captures relevant data Small data sets High value  Minimise resource usage Less bandwidth or activity than other security implementations  Simplicity Less complex than other security mechanisms such as Intrusion Detection Systems Less chance of misconfiguration  Cost No need for high resource usage Depends on the application  Disadvantages  Single point of attack Useless if it is not attacked  Risk Have a risk of being exploited – depends on the type of honeypot More detail later on  Limited view Limited data – only captures what interacts with it and not the whole scope of the system  Cost Deployment costs, analysis costs Depends on the application

4. Security & Risks  3 Types of Honeypots Classified by Risk  Low-Interaction Emulated Services – No requests, only Connections  Medium-Interaction Emulated Services – Requests with Faked Responses  High-Interaction Software/Operating System Services – Direct access to data  Emulated Software and OS needs to be up-to-date, hardened Possible Exploitation  Access to OS Buffer Overruns, etc.  Always Monitor Honeypot  Can use IDS/Firewall between Hacker and Honeypot  Log Requests, Connections, Patterns  Lack of monitoring  What happens?  Virtualisation (VMWare, etc.)  Can help if resources limited  Leaves host intact, runs new OS on top running OS  Virtualisation software exploitable  Access to host OS  Secure Honeypot By:  Physical disconnection  DMZs and ACLs (Logical) Predict hacker entry point Put honeypot in same zone ACL to control access between DMZ and sensitive network ACL to filter honeypot traffic  Honeypot Compromised?  Identity found – send bogus data Emulated software not accurate  Exploit emulation/software/OS Disable Honeypot Remove Gathered Data Spam Relay, DoS, Attack Hosts

5. Legal Issues & Evidence  Types of Evidence  Content Keystrokes, Actions, Requests, Credentials  Transactional Time, Duration, Protocol, Service, Source, Destination  Entrapment  May exclude evidence  May not be relevant Only applies if public law enforcement involved  Privacy  Laws against tracking real-time data  Law depends on location of honeypot and hacker  Production Honeypots – exempt by Service Provider Protection Law, maybe  Research Honeypots – depends if Transactional or Content data Content data more sensitive Prompt user that all activity is logged? No certain decision yet (2003)  Integrity of Evidence  Identity of Honeypot Compromised  Bogus Data & Patterns  Not all data sent to honeypot is malicious  Routine Network Broadcasts  Limited View on Network  May not be relevant to legitimate hosts  Always log! Checksums, Timestamps  Chain of Custody Documentation Preparation, Activities, Shutting Down, Copying, Analysis  Liability  If compromised, ensure honeypot not used to attack other hosts or organisations  Hacker liable? Administrator liable?  Yet to have certain decision (2003)  Cannot re-attack hacker, classed as DoS!

6. Recommendation  VMware - Research  High-Interaction Easy preservation of memory contents Easy duplication of disk contents System easily restored May be less likely to stand up in court Ensure host system is appropriately secured Use host integrity checks to verify host security  Honeyd - Production  Medium-Interaction Mimics any service Mimics multiple operating systems Not a full operating system so reduces some honeypot risks