
1

The Honeynet Project: Trapping the Hackers

Lance Spitzner, Sun Microsystems

Presented by Vikrant Karan

2

Outline

– The Honeynet Project
– Honeypots: Not just for bears anymore
– Different kinds of honeynets
– What the honeynet collects
– The legal ramifications of operating a honeypot
– Conclusion

3

The Honeynet Project

A few questions in front of security professionals:
– What specific threats do computer networks face from hackers?
– Who is perpetrating these threats, and how?

4

The Honeynet Project

The Honeynet Project is an organization dedicated to answering these questions. It studies the bad guys and shares the lessons learned. The group gathers information by deploying networks (called honeynets) that are designed to be compromised.

5

The Honeynet Project

A security-research organization dedicated to learning the black-hat community's tools, tactics, and motives and then sharing any lessons learned. The organization comprises international security professionals who volunteer their time and resources to deploy networks (or honeynets) that are designed to be attacked. The team then analyzes the information collected from these attacks.

6

The Honeynet Project

– Began in 1999 as an informal mailing list of a small group of individuals.
– Officially declared in June 2000, with a board of directors including Bruce Schneier, George Kurtz, Elias Levy, and Jennifer Granick.
– The Honeynet Research Alliance includes organizations in Brazil, Greece, India, Mexico, Ireland, and the United States.

7

Four phases of the Honeynet Project

Phase 1:
– Began in 1999 and lasted two years.
– Gen I (first-generation) honeynets acted as a proof of concept.
– Successfully captured automated attacks such as autorooters and worms.

8

Four phases of the Honeynet Project

Phase 2:
– Began in 2002 and will continue for two years.
– GenII honeynets will feature more advanced methods to monitor and control attackers' activities.
– Published 3 papers and deployed the first wireless honeynet in 2002 in Washington, DC.
– More improved and easy-to-deploy solutions.

9

Four phases of the Honeynet Project

Phase 3:
– Begins in 2003 and should last approximately one year.
– Apply GenII technology to a bootable CD-ROM.
– Organizations only need to boot the CD-ROM to get honeynet functionality.
– It allows all captured activity to be logged in a centralized database.

10

Four phases of the Honeynet Project

Phase 4:
– Will begin in 2004.
– Goal: develop a centralized data collection system that correlates data from multiple distributed honeynets, plus user interfaces to analyze them.
– Two interfaces selected: one to analyze data locally on each honeynet, and one to analyze data collected from multiple honeynets and store all of it in a single database.

11

Honeypots: Not just for bears anymore

A honeypot is a security resource whose value lies in being probed, attacked, or compromised.

If any packet or any interaction is attempted with your honeypot, it is most likely a probe, scan, or attack.

Honeypots get little traffic, but what they do get is of high value. Disadvantages:

– Limited field of view: they only capture activity directed towards them, thus missing attacks directed towards production servers.

– A compromised honeypot may be used to attack other systems.

12

Categories of honeypots

Production honeypots:
– protect the organization
– directly increase resource security
– help organizations prevent, detect, or respond to attacks

Research honeypots:
– gather information on attackers
– distributed research honeypots can gather information on a global scale

Production honeypots are easier to deploy but capture less information on attackers.

13

Data capture and data control system

Data capture ensures that you can detect and capture all the attacker's activities, even if they are obfuscated or encrypted.

Data control's purpose is to reduce risk: it ensures that once an attacker breaks into your honeynet's systems, those compromised systems cannot be used to attack or harm other systems.

14

Different kinds of honeynets

A honeynet is essentially a research honeypot; its purpose is to collect information on attackers.

Unlike a simple honeypot, it uses real systems and applications.

Gen I honeynet

15

Gen I honeynet (figure)

16

Gen I honeynet (contd)

The honeynet is a contained environment in which you can watch everything that happens.

Positioned in this environment are the target systems (highlighted in yellow in the figure).

Data control in Gen I counts the number of outbound connections: systems may initiate a certain number of outbound connections, and any further connections are blocked once the limit is met.

This is useful for blocking denial-of-service attacks, scans, or other malicious activity, but it gives the attacker more room to attack before the limit is reached.
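The outbound connection limit described on this slide, and the firewall log that records it (the deck's second data-capture layer), can be modelled in a few lines. The following is an added example written for this page, not code from the Honeynet Project or from the paper: it replays constructed firewall log lines, allows each honeypot a fixed number of new outbound connections per window, blocks the rest, and raises an alert the moment a honeypot reaches its limit. The limit of 5 connections per 24 hours, the 10.1.1.0/24 honeynet addresses and the log format are all assumptions made for the example.

```python
"""Gen I honeynet data control: outbound connection counting (added example).

Constructed firewall log format: "<iso-time> <src> -> <dst>:<dport> <proto> NEW"
Policy values are hypothetical; the deck gives no concrete numbers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OUTBOUND_LIMIT = 5                    # new outbound connections per window (assumed)
WINDOW = timedelta(hours=24)          # sliding window (assumed)
HONEYNET = {"10.1.1.10", "10.1.1.11"} # honeypot addresses (constructed)

# Constructed log: one inbound probe, then a compromised honeypot fanning out.
SAMPLE_LOG = """\
2002-01-14T02:10:05 203.0.113.7 -> 10.1.1.10:21 tcp NEW
2002-01-14T02:12:44 10.1.1.10 -> 198.51.100.9:6667 tcp NEW
2002-01-14T02:12:50 10.1.1.10 -> 198.51.100.9:80 tcp NEW
2002-01-14T02:13:01 10.1.1.10 -> 192.0.2.20:22 tcp NEW
2002-01-14T02:13:02 10.1.1.10 -> 192.0.2.21:22 tcp NEW
2002-01-14T02:13:03 10.1.1.10 -> 192.0.2.22:22 tcp NEW
2002-01-14T02:13:04 10.1.1.10 -> 192.0.2.23:22 tcp NEW
2002-01-14T02:13:05 10.1.1.10 -> 192.0.2.24:22 tcp NEW
2002-01-14T03:00:00 10.1.1.11 -> 198.51.100.9:53 udp NEW
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _arrow, dst, proto, state = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst_ip,
            "dport": int(dport), "proto": proto, "state": state}


def apply_data_control(log_text, limit=OUTBOUND_LIMIT, window=WINDOW):
    """Replay the log; return (decisions, alerts).

    decisions: list of (line, verdict) where verdict is INBOUND, ALLOW or BLOCK.
    alerts:    one message per honeypot that hits its outbound limit.
    """
    allowed_starts = defaultdict(list)  # honeypot -> timestamps of allowed outbound NEW
    decisions, alerts = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["src"] not in HONEYNET:
            # Inbound traffic is never limited: attackers are let in and only captured.
            decisions.append((line, "INBOUND"))
            continue
        # Keep only connection starts still inside the sliding window.
        recent = [t for t in allowed_starts[rec["src"]] if rec["ts"] - t < window]
        allowed_starts[rec["src"]] = recent
        if len(recent) < limit:
            recent.append(rec["ts"])
            decisions.append((line, "ALLOW"))
            if len(recent) == limit:
                alerts.append(f"{rec['src']} reached outbound limit {limit} "
                              f"at {rec['ts'].isoformat()}")
        else:
            decisions.append((line, "BLOCK"))
    return decisions, alerts


if __name__ == "__main__":
    verdicts, alerts = apply_data_control(SAMPLE_LOG)
    for line, verdict in verdicts:
        print(f"{verdict:8s} {line}")
    for alert in alerts:
        print("ALERT:", alert)
```

The run shows the Gen I trade-off the slide mentions: the first five outbound connections from 10.1.1.10 (the IRC server, a web fetch and three SSH attempts) go through before the block takes effect, so the limit reduces harm to third parties without eliminating it. The alert line is the event an operator would watch for, since it marks the moment a honeypot has been compromised and started to act.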

17

Gen II honeynet (figure)

18

Gen II honeynet (contd)

This design forces all traffic going to and from the honeynet systems to first flow through an "invisible" layer-two bridge.

This bridge lets the bad guys come in, but it controls what they can do on their way out.

The layer-two bridging device (called the honeynet sensor in the figure) isolates and contains the systems in the honeynet. It allows outbound activity while removing the ability to harm.

A second layer of data control is provided by an IPS (intrusion prevention system) gateway.

19

Snort inline

An open-source IDS technology. Instead of blocking detected outbound attacks, we modify and disable them.

One risk is the chance that the IDS gateway will not detect a new or obfuscated attack.

20

Snort inline example (figure)

21

Snort inline (contd)

The figure shows a Snort inline signature used to modify and disable a known DNS attack using the replace option.

Highlighted in bold is the option that modifies and disables the attack.
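To make the "modify and disable" idea on this and the previous slide concrete, here is an added example (written for this page; it is not Snort code, not a Honeynet Project signature, and not the rule shown in the figure). It models an inline gateway that matches a byte pattern in an outbound payload and overwrites it in place with a same-length replacement, so the packet still reaches its destination but the attack no longer works. The rule message, the pattern and the sample payloads are constructed for the example. It also shows the caveat from the Snort inline slide: a variant the pattern does not match passes through untouched.

```python
"""Inline modify-and-disable of a matched payload (added example, not Snort).

A replace rule overwrites a matched byte pattern with a replacement of the
same length. Equal length matters in a real inline engine: the IP total
length and TCP sequence numbers must stay valid, and the engine must then
recompute the TCP/IP checksums before forwarding (not modelled here).
"""


class ReplaceRule:
    """One content/replace rule, in the spirit of an inline IDS signature."""

    def __init__(self, msg, content, replacement):
        if not rule_is_valid(content, replacement):
            raise ValueError("content and replacement must be non-empty "
                             "byte strings of equal length")
        self.msg = msg
        self.content = content
        self.replacement = replacement


def rule_is_valid(content, replacement):
    """A same-length rewrite keeps packet sizes and offsets unchanged."""
    return (isinstance(content, bytes) and isinstance(replacement, bytes)
            and len(content) > 0 and len(content) == len(replacement))


def apply_rules(payload, rules):
    """Return (forwarded_payload, list_of_rule_messages_that_fired).

    Unmatched traffic is forwarded unchanged: the attacker sees a live
    connection, and a pattern the rules do not know is NOT stopped.
    """
    hits = []
    for rule in rules:
        if rule.content in payload:
            payload = payload.replace(rule.content, rule.replacement)
            hits.append(rule.msg)
    return payload, hits


# Constructed rule: neutralise an outbound payload that carries a shell path
# by changing one character, so the string no longer names a real program.
RULES = [ReplaceRule("outbound shell string (constructed)", b"/bin/sh", b"/ben/sh")]

# Constructed payloads: one the rule catches, one variant it does not.
MATCHING_PAYLOAD = b"\x90\x90\x90/bin/sh\x00"
OBFUSCATED_PAYLOAD = b"\x90\x90\x90/bin//sh\x00"


if __name__ == "__main__":
    for sample in (MATCHING_PAYLOAD, OBFUSCATED_PAYLOAD):
        out, fired = apply_rules(sample, RULES)
        print(sample, "->", out, "fired:", fired or "none (forwarded as is)")
```

Two points a practitioner should take from running it: the rewritten packet keeps exactly the same length, which is why a same-length replacement is the only safe rewrite; and the second payload, which differs by a single extra slash, is forwarded untouched, which is precisely the "new or obfuscated attack" risk the Snort inline slide names, and why the deck pairs the IPS gateway with the connection-limiting firewall rather than relying on it alone.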

22

Data capture elements

Layer 1: the IDS gateway. Besides identifying and blocking attacks, it passively sniffs every packet and its full payload on the network.

Layer 2: the firewall log. The packet-filtering mechanism blocks outbound connections once a connection limit is met, and logs every connection.

Layer 3: capturing the attacker's keystrokes and activity on the system itself.

23

Data capture elements

The Honeynet Project has developed kernel modules to insert into the target systems.

These capture all the attacker's activities, even encrypted keystrokes or scp transfers.

The IDS gateway captures and dumps all the data generated by the attackers without the attacker knowing.

Multiple layers of data capture help ensure that we gain a clear perspective of the attacker's activities.

24

Examples

The Honeynet Project has actively deployed different types of operating systems in its honeynets: Solaris-, OpenBSD-, Linux-, and Windows-based honeypots.

Windows: worms or simple automated attacks, such as scans for open shares or pop-up

Linux systems: commonly known vulnerabilities and automated attack tools, such as TESO's wu-ftpd massrooter.

Solaris and OpenBSD: more advanced or interesting attacks, such as the use of IPv6 tunneling.

25

What the honeynet collects

Data captured in January 2002: an IP protocol 11 packet sent to the hacked honeypot. The command it carries is encoded to obfuscate its purpose.

26

Captured data (figure)

27

Decoded packet (figure)

28

Figure explanation

The figures show an example of how commands were remotely sent to the hacked system.

The decoded packet reveals the actual command being executed on the remote system.

The attacker is telling our hacked honeypot to download a tool from another hacked site, run the tool, and then delete the downloaded binary.

In this case, the tool was used to proxy IRC sessions.
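The captured packet above arrived over IP protocol 11, not TCP or UDP, which is one reason a honeynet sensor that sniffs every packet (data capture layer 1) is so valuable: a packet filter that only tracks TCP and UDP connections would never log it. The following is an added example, not code from the paper or the Honeynet Project, showing how a defender can parse raw IPv4 headers captured by such a sensor, verify the header checksum, and flag any packet to or from a honeypot whose IP protocol number is outside the set the honeynet is expected to speak. The honeynet addresses, the expected-protocol set and the packet contents are constructed for the example; the packet builder exists only to produce test input offline.

```python
"""Flag IPv4 packets to or from honeypots that use an unexpected IP protocol.

Added example for this page; not the paper's code. Header layout follows
RFC 791. The sample addresses and payloads below are constructed.
"""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"          # fixed 20-byte IPv4 header
EXPECTED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # assumed baseline
HONEYNET = {"10.1.1.10", "10.1.1.11"}                   # constructed addresses


def ip_checksum(header):
    """RFC 1071 ones'-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Construct a minimal IPv4 packet (no options) for offline testing."""
    total_len = 20 + len(payload)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload


def header_checksum_ok(packet):
    """A header that includes its own correct checksum sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return len(packet) >= ihl >= 20 and ip_checksum(packet[:ihl]) == 0


def parse_ipv4_header(packet):
    """Return the fields a sensor needs; raise ValueError on a bad header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if not header_checksum_ok(packet):
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len,
            "payload": packet[ihl:total_len]}


def flag_unusual_protocol(packet, honeynet=HONEYNET, expected=EXPECTED_PROTOCOLS):
    """Return an alert string for honeypot traffic on an unexpected protocol, else None."""
    hdr = parse_ipv4_header(packet)
    involves_honeypot = hdr["src"] in honeynet or hdr["dst"] in honeynet
    if involves_honeypot and hdr["proto"] not in expected:
        return (f"alert: IP protocol {hdr['proto']} {hdr['src']} -> {hdr['dst']} "
                f"({len(hdr['payload'])} payload bytes); not in expected set "
                f"{sorted(expected)}; capture full payload for analysis")
    return None


if __name__ == "__main__":
    # Constructed samples: a protocol-11 packet to a honeypot, and ordinary TCP.
    samples = [build_ipv4("203.0.113.7", "10.1.1.10", 11, b"<encoded command, constructed>"),
               build_ipv4("203.0.113.7", "10.1.1.10", 6, b"\x00\x16\x00\x50")]
    for pkt in samples:
        print(flag_unusual_protocol(pkt) or "no alert: expected protocol")
```

The alert deliberately reports only header facts and the payload size; deciding what the encoded command means is the analyst's job on the captured bytes, as the decoded-packet figure on the previous slide illustrates. Checking the header checksum before trusting the fields keeps a malformed or truncated capture from producing a misleading alert.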

29

The legal ramifications of operating a honeypot

Three legal issues need to be considered:
– take into account the laws that restrict your right to monitor user activities on your system
– recognize and address the risk that attackers will misuse your honeypot to harm others
– a defendant could argue that your undercover server entrapped him or her

30

Monitoring users

Monitoring can be made improper by statutes (state and federal), privacy or employment policies, terms-of-service agreements,

Honeypots monitor user traffic; therefore they should be designed carefully.

31

Limitations in the US Constitution and federal statutes

Fourth Amendment: it can restrict monitoring, and evidence obtained from monitoring in violation of the Constitution can be suppressed at trial.

Wiretap Act: it forbids anyone from intercepting communications unless one of the exceptions listed in the act applies.

Patriot Act: expressly authorizes warrantless monitoring of hackers by the government in certain situations.

32

Limitations in the US Constitution and federal statutes (contd)

Harming others: pay attention to your honeypot to reduce the risk that it will be used for illegal purposes.

Entrapment: this issue has been overstated by critics.

33

Conclusion

Honeynet technology collects valuable information that can help avoid security risks.

Honeynets' real potential will not be realized until organizations can effectively deploy multiple honeynets and correlate the information they collect.

The bootable CD-ROM will make honeynets much easier to deploy and will standardize the information they collect.