
Honeypots and Honeynets A New Response to Cybercrime Analysis NAAG Seattle 04/14/03.



Presentation transcript:

1 Honeypots and Honeynets: A New Response to Cybercrime Analysis
NAAG, Seattle, 04/14/03

2 Agenda
● The Honeynet Project
● The Enemy
● Honeypot Basics
● Honeypots In Use
● Legal Implications

3 Honeynet Project Goals
● Awareness: to raise awareness of the different types of honeypots that exist
● Information: to teach and inform about the application of honeypots
● Research: to spur thought-provoking discussion and help drive innovation and research in this emerging space
● Learn and have fun!

4 The Threat is Real
● The blackhat community is extremely active
– 20+ unique scans a day (20/hour on UW network)
– Fastest time a honeypot was manually compromised: 15 minutes; by a worm: 92 seconds
– Default RH 6.2 life expectancy is 72 hours (fresh Windows 2000 install on UW network: 2 hours)
– 100% - 900% increase of activity from 2000 to 2001
– It's only getting worse
http://www.honeynet.org/papers/stats/

5 Know Your Enemy
● Tier I: The best of the best
– Ability to find new vulnerabilities
– Ability to write exploit code and tools
● Tier II: IT savvy
– Ability to program or script
– Understand what the vulnerability is and how it works
– Intelligent enough to use the exploit code and tools with precision
● Tier III: "Script Kiddies", inexpert
– Ability to download exploit code and tools
– Very little understanding of the actual vulnerability
– Randomly fire off scripts until something works

6 Rising Attack Sophistication
● Black hats have the initiative; they attack whatever they want, whenever they want
● The public knows very little about the black hats (Who are they? How do they attack? Why?)
● It is an arms race, and the bad guys are always ahead

7 Methodology
● One of the most common tactics seen is attacking targets of opportunity
– "Drive-by shootings on the information superhighway"
● Scanning as many systems as possible and going for the easy kill
● If only 1% of systems are vulnerable and you scan over 1 million hosts, you can potentially hack into 10,000 systems

8 What are they looking for?
    #!/bin/sh
    # Attacker script shown on the slide: it greps the file system for card data
    # and appends every hit to card.log. The echo is Romanian:
    # "Looking for credit cards and trying to save them to card.log".
    echo " Caut carti de credit si incerc sa salvez in card.log"
    touch /dev/ida/.inet/card.log
    # Note: the greps append to card.log in the current directory, not the touched path
    egrep -ir 'mastercard|visa' /home|egrep -v cache >>card.log
    egrep -ir 'mastercard|visa' /var|egrep -v cache >>card.log
    egrep -ir 'mastercard|visa' /root|egrep -v cache >>card.log
    if [ -d /www ]; then
        egrep -ir 'mastercard|visa' /www >>card.log
    fi

9 Evolution
● Firewalls
– Early 90's
– Must have; deployed before anything else
● Intrusion Detection System (IDS)
– Mid to late 90's
– We can't guard everything, so let's watch the network for suspicious traffic
● Honeypots
– Early 2000
– Not only do we want to know when the black hats are attacking, but also answer the question: why?
– Let's learn rather than just react

10 Concept of Honeypots
● A security resource whose value lies in being probed, attacked or compromised
● Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise
● Used for monitoring, detecting and analyzing attacks

11 The Role of Honeypots in the Enterprise
● Augments firewalls and IDS
● Research
● Incident response / forensics
● Deception / deterrence

12 Advantages
● Fidelity: information of high value
● Reduced false positives
● Reduced false negatives
● Simple concept
● Not resource intensive
● Return on investment

13 Disadvantages
● Labor/skill intensive
● Risk
● Limited field of view
● Does not protect vulnerable systems

14 Today's Honeypots
● Military, government organizations and security companies are applying the technology
● Primarily to identify threats and learn more about them
● Commercial application increasing every day

15 Utility: Identifying new exploits

16 Future
● Honeypots are now where firewalls were eight years ago
● Beginning of the "hype curve"
● Prediction: you will see five more commercial honeypots by the end of 2003
● Enhanced policy enforcement capabilities
● Advanced development in open source solutions
● Integrated firewall/IDS/honeypot appliances

17 Gen II Honeynet

18 Virtual Honeynet

19 Live Demo

20 Top 10 attacked ports

21 Attacks logged

22 IRC traffic plugin output

23 Legal Issues
● Entrapment
● Liability
● Privacy

24 Entrapment
● Applies only to law enforcement
● Useful only as a defense in criminal prosecution
● Still, most legal authorities consider honeypots non-entrapment

25 Liability
● Any organization may be liable if its honeypot is used to attack or damage third parties
– Civil issue, not criminal
● Example: T.J. Hooper v. Northern Barge Corp. (no weather radios)
– Decided at state level, not federal
● This is why the Honeynet Project focuses so much attention on Data Control
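The Data Control idea on this slide, as an added illustration that is not part of the original talk and not the Honeynet Project's own gateway code: a simulated Gen II-style policy that passes and records every inbound connection to a honeypot (by slide 10 it is a probe) but caps outbound connections from the honeypot per protocol over a rolling window, so a compromised honeypot cannot be turned on third parties. The honeypot addresses, the limits and the sample events are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed example. Honeypot addresses and the per-protocol outbound limits
# are assumptions for illustration, not the Honeynet Project's published values.
HONEYPOTS = {"10.0.0.5", "10.0.0.6"}
OUTBOUND_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}   # connections per window
WINDOW = timedelta(hours=24)


class DataControl:
    """Per-connection decision for a honeynet gateway.

    Inbound traffic to a honeypot is always passed and recorded: the honeypot
    has no production value, so any such connection is a probe worth logging.
    Outbound traffic from a honeypot is counted per protocol over a rolling
    window and dropped once the limit is reached (the liability point above).
    """

    def __init__(self, limits=OUTBOUND_LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.outbound = defaultdict(deque)   # (honeypot, proto) -> timestamps
        self.probed_ports = Counter()        # inbound dst port -> attempts

    def decide(self, ts, src, dst, dport, proto):
        if dst in HONEYPOTS and src not in HONEYPOTS:
            self.probed_ports[dport] += 1
            return "allow-inbound"
        if src in HONEYPOTS:
            q = self.outbound[(src, proto)]
            while q and ts - q[0] >= self.window:   # expire entries outside window
                q.popleft()
            if len(q) >= self.limits.get(proto, 0):
                return "drop-outbound"               # limit reached: drop and alert
            q.append(ts)
            return "allow-outbound"
        return "allow-other"


def replay(events):
    """Run (iso_timestamp, src, dst, dport, proto) events through the policy.
    Returns the per-event decisions and the most-probed honeypot ports."""
    dc = DataControl()
    decisions = [dc.decide(datetime.fromisoformat(ts), s, d, p, proto)
                 for ts, s, d, p, proto in events]
    return decisions, dc.probed_ports.most_common(10)
```

With the assumed TCP limit of 15, the sixteenth outbound TCP connection from a honeypot inside a 24-hour window is dropped, while connections after the window has rolled past are allowed again.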

26 Privacy
● No single federal statute (USA) concerning privacy
● Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968)
– Title I: Wiretap Act (18 USC 2510-22)
– Title II: Stored Communications Act (18 USC 2701-11)
– Title III: Pen/Trap Act (18 USC § 3121-27)

27 Questions?
● Email: dittrich@u.washington.edu
● Slides available at: http://staff.washington.edu/dittrich/talks/NAAG.ppt

