Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeynets in operational use Gregory Travis Indiana University, Advanced Network Management Lab

Published byElla Lester Modified over 9 years ago

Similar presentations

Presentation on theme: "Honeynets in operational use Gregory Travis Indiana University, Advanced Network Management Lab"— Presentation transcript:

1 Honeynets in operational use Gregory Travis Indiana University, Advanced Network Management Lab Greg@iu.edu

2 Quick Overview of Honeypot Technology Honeypots Honeynets IDS’

3 Technology Description –Honeywall Walleye Hflow Argus P0F Snort –Sebek

4 Honeywall Schematic

5 Deployment

6 Problems Randomly throwing out Honeypots doesn’t necessarily help –If you throw them were hackers won’t go, they do no good Have to be placed on strategic assets (I.e. database servers) In real world, you don’t always know what the bad guys will go after.

7 Problems Time management –Do you have the time to run all of them?

8 Solutions Use Honeypots reactively in operational use –I.e. don’t use them as first-line IDS’

9 Reactive use examples “POP’d” box –Turn a production system into a honeypot reactively Find out what attracted the hacker and build new boxes that meet that profile to attract the bad guys –This is the “Honey” in Honeypot

10 How-To How do we actually do the “POP’d” box scenario? Steps –Deploy Honeywall upstream of compromised host –Instrument the actual compromised host with Sebek –Done! Get a beer!

11 Honeywall Deployment Acquire Hardware –3 NICs –512+MB RAM –Fast CPUs better (~2+Ghz) Download ISO from Honeynet website –www.honeynet.org/tools/cdromwww.honeynet.org/tools/cdrom Install Configure

12 Instrumenting with Sebek Why do you want to do this? –Circumvent session encryption used by intruder (I.e. ssh) –Identify causal relationships between network flows on the host Process tree depiction

13 Process Tree (Walleye)

14 How do I install Sebek? Determine type of target host first –I.e. Linux/Windows/FreeBSD/etc. Download, compile, and configure on a separate box that matches the specifications of the target –Don’t want to tip off the intruder to what you’re doing –www.honeynet.org/tools/sebekwww.honeynet.org/tools/sebek This creates a binary “tarball” –Get that onto the target in a stealthy mode Turn off shell history, etc.

15 Sebek install cont… Run installer –sbk_install.sh (Linux example) At this point, Sebek data will be flowing to your Honeywall

16 Now what? What kind of knowledge can you gain? –Watch keystrokes –Watch network activity –Identify correlations between keystrokes and network activity –You get to watch the entire intrusion sequence as it happens

17 Great!…I think? It is! One of the first questions you’ll want answered is: –Is this an automated attack or is there a live human on the end? Keystroke logs will tell you this from, for example, if there are mistakes made

18 Ok…what else? Is this a lone wolf or am I looking at a conspiracy? Generally speaking, human behavior is consistent -- especially under stress –Look at the way that people run commands Do they run “ps aux” or “ps -elf”? What are the religious preferences? –Pico or Vi? Behaviometrics

19 And ahhh? Determining the type and nature of the attacker is crucial to your job First step is to determine if you’re being “nuisance attacked” or if this is a specific attack targeted at you and some asset that you hold uniquely –Incident scope –Clues about what might be next on their agenda

20 Example Real attack Password harvesting You’re watching someone actively harvesting passwords from your system Why might they be doing that? Do you have other systems, other assets, where those same passwords might be valuable?

21 Example… You want to trace “upstream” where those passwords are going You want to share that data with others outside your administrative domain –Are they seeing the same type of activity with the same type of behaviometric footprints? –Work with them to follow it all upstream

22 What to do when the stream disappears underground Typically you will lose the ability to directly trace back rather rapidly –Everyone knows about using stepping stones –Traces will cross international/administrative boundaries –There will be areas totally opaque to you –You will “lose the scent”

23 Losing the scent

24 International Issues Language Barriers Motivation Barriers Legal Barriers –All of this means that any circuit that crosses a national border is untraceable with normal technology

25 Using Sebek We can use Sebek to identify similar behavior –Right now this is a fairly manual exercise –We are working on technology that will automatically correlate intrusion sequences

26 Using Sebek to pick up the scent

27 Conclusion Need to determine when the technology can be of value –No fire and forget Need to deploy technology in a productive manner –No shotgun Need to understand that it won’t fix everything –No magic bullet

28 In a perfect world Every OS would have a Sebek component –Detection arms race is irrelevant when it’s ubiquitous That component would be secure We could automatically dial the right level of detail It wouldn’t cause a performance hit

Download ppt "Honeynets in operational use Gregory Travis Indiana University, Advanced Network Management Lab"

Similar presentations

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.

Near Term Tools: Using honeynet tools and techniques for post intrusion intelligence gathering Edward G. Balas Indiana University Advanced Network Management.
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.

Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Pacific North West Honeynet Project Dave Dittrich The Information School University of Washington DIMACS Large Scale Attack Workshop, Sept. 23, 2003.

Pacific North West Honeynet Project Dave Dittrich The Information School University of Washington DIMACS Large Scale Attack Workshop, Sept. 23, 2003.
Manuka project IEEE IA Workshop June 10, 2004. Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.

Manuka project IEEE IA Workshop June 10, Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.

PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Incident Response and Forensic Course Disk Image Cataloging Project Concepts and Deliverables.

Incident Response and Forensic Course Disk Image Cataloging Project Concepts and Deliverables.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Department Of Computer Engineering

Department Of Computer Engineering

Similar presentations

Ads by Google