Page 1: Honeynet Introduction Tang Chin Hooi APAN Secretariat

Honeynet Introduction

Tang Chin Hooi

APAN Secretariat

Page 2

Objective of Honeynet

To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.

Page 3

The Honeynet Project

Volunteer organization of security professionals researching cyber threats.

Deploy networks around the world to be hacked.

Have captured information primarily on threats that focus on targets of opportunity.

Page 4

Research Alliance

Active Member Organizations:

- Florida HoneyNet Project
- Paladion Networks Honeynet Project - India
- Internet Systematics Lab Honeynet Project - Greece
- Mexico Honeynet Project
- NetForensics Honeynet
- Azusa Pacific University Honeynet
- Brazilian Honeynet Project
- Irish Honeynet Project
- Honeynet Project at the University of Texas at Austin
- Norwegian Honeynet Project
- UK Honeynet Project
- West Point Honeynet Project
- Pakistan Honeynet Project
- Italian Honeynet Project
- French Honeynet Project
- Ga Tech Honeynet Project

Page 5

Goals

Awareness: To raise awareness of the threats that exist.

Information: For those already aware, to teach and inform about the threats.

Research: To give organizations the capabilities to learn more on their own.

Page 6

Honeypots

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.

Page 7

Advantages

Collect small data sets of high value.

Reduce false positives.

Catch new attacks (false negatives).

Work in encrypted or IPv6 environments.

Simple concept requiring minimal resources.

Page 8

Disadvantages

Limited field of view (microscope).

Risk (mainly high-interaction honeypots).

Page 9

Examples of Honeypots

Low-interaction honeypots:
- Honeyd
- KFSensor
- Specter

High-interaction honeypots:
- Symantec Decoy Server (ManTrap)
- Honeynets

Page 10

Honeynet

An architecture, not a product.

Type of honeypot.

High-interaction honeypot designed to capture extensive information on threats.

Provides real systems, applications, and services for attackers to interact with…

Page 11

Architecture Requirements

Data Control

Data Capture

Page 12

Data Control

Containment of activity. Very important.

Minimize the risk. What do we allow the attacker to do?

1) The more we allow, the more we learn, but the risk rises.

2) Control without being noticed.

Page 13

Data Control - Methods

Limit outbound connections
- Linux's iptables, FreeBSD's ipfw

NIPS (drop/modify packets)
- snort-inline

Bandwidth restrictions
- FreeBSD's Dummynet, Linux's Advanced Routing and Traffic Control (tc), Cisco's Committed Access Rate, Juniper's Traffic Policing
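The "limit outbound connections" control above, as an added example that is not part of the slides or of the Honeynet Project's own tooling: a small Python model of the decision a honeywall makes for each new connection. A honeypot may open at most a fixed number of outbound connections per sliding window; attempts beyond that are dropped silently, which is what "control without being noticed" asks for, and an alert is recorded for the operator. The honeypot addresses, the limit of 15 per hour and the sample events are constructed values, not figures from the deck.

```python
"""Data control: limiting outbound connections from honeypots.

Added example, not from the slides or from the Honeynet Project's own
tooling. It models the "limit outbound connections" rule as a sliding
window: a honeypot may open at most LIMIT new outbound connections per
WINDOW_SECONDS; later attempts are silently dropped and an alert is
recorded. Addresses, the limit and the events are constructed values.
"""
from collections import defaultdict, deque

HONEYPOTS = {"10.0.0.11", "10.0.0.12"}  # constructed placeholder honeypot addresses
WINDOW_SECONDS = 3600                    # one-hour sliding window (assumed policy)
LIMIT = 15                               # new outbound connections allowed per window (assumed)


class OutboundLimiter:
    """Decide, per new connection, whether the honeywall lets it through."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._history = defaultdict(deque)  # honeypot -> timestamps of allowed connections
        self.alerts = []

    def decide(self, ts, src, dst, dport):
        """Return 'pass', 'drop' or 'ignore' for a new connection attempt at time ts."""
        if src not in HONEYPOTS or dst in HONEYPOTS:
            # Inbound traffic is what we want to capture; it is never limited here.
            return "ignore"
        hist = self._history[src]
        while hist and ts - hist[0] >= self.window:
            hist.popleft()  # expire allowed connections that fell out of the window
        if len(hist) >= self.limit:
            # Silent drop: no reset goes back, so the attacker sees a hung
            # connection rather than an obvious control point.
            self.alerts.append(
                f"t={ts}: {src} hit the outbound limit ({self.limit} per {self.window}s); "
                f"dropped connection to {dst}:{dport}")
            return "drop"
        hist.append(ts)
        return "pass"


def apply_policy(events, limiter=None):
    """Run (ts, src, dst, dport) events through the limiter; return verdict counts and alerts."""
    limiter = limiter or OutboundLimiter()
    counts = {"pass": 0, "drop": 0, "ignore": 0}
    for ts, src, dst, dport in events:
        counts[limiter.decide(ts, src, dst, dport)] += 1
    return counts, limiter.alerts


def demo_events():
    """Constructed events: a compromised honeypot repeatedly trying to reach out."""
    events = [(i * 60, "10.0.0.11", "198.51.100.77", 6667) for i in range(20)]  # 20 attempts in 20 min
    events.append((1200, "203.0.113.9", "10.0.0.11", 22))      # inbound probe: captured, not limited
    events.append((3700, "10.0.0.11", "198.51.100.77", 6667))  # after the oldest entries expire
    return events


if __name__ == "__main__":
    counts, alerts = apply_policy(demo_events())
    print(counts)  # {'pass': 16, 'drop': 5, 'ignore': 1}
    print("\n".join(alerts))
```

The trade-off from the previous slide is the `LIMIT` knob: raising it lets an intruder complete more of what they intend, which is more to learn from but more risk to third parties; lowering it contains damage at the cost of the session ending early.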

Page 14

Data Capture

Monitoring and logging of the blackhat's activities within the honeynet.

Multiple layers/mechanisms:

1) Few modifications to the honeypot

2) Log and store on a separate, secured machine

Page 15

Data Capture - Methods

Multiple layers:

1) Firewall logs – /var/log/messages, etc.

2) Network traffic – snort, in addition to snort-inline

3) System activity – Sebek2 (key logger; logs files and SSH, SSL, IPsec communication…)

4) New tools…
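The first capture layer above (firewall logs) combined with the honeypot principle from page 6 (no production value, so any traffic is suspect), as an added example that is not code from the slides or from the Honeynet Project: a Python parser for the netfilter LOG lines a honeywall writes to syslog, followed by the triage a monitoring script would do. Inbound flows are summarised per honeypot and port as probes; an outbound connection originating from a honeypot is raised as a possible compromise. The hostnames, addresses and log lines are constructed placeholders.

```python
"""Data capture: turning honeywall firewall logs into alerts.

Added example, not from the slides or from the Honeynet Project's own
tools. It parses iptables LOG-style syslog lines (constructed below) as
a honeywall would write them to /var/log/messages, then applies the deck's
rule that a honeypot has no production value: every inbound flow is a
probe worth recording, and any outbound connection from a honeypot is
treated as a sign of compromise. Hostnames, addresses and log lines are
constructed placeholders.
"""
import re
from collections import Counter, defaultdict

HONEYPOTS = {"10.0.0.11", "10.0.0.12"}  # constructed placeholder honeypot addresses

# Constructed sample: five netfilter LOG lines plus one unrelated syslog line.
SAMPLE_LOG = """\
Mar  3 02:11:07 honeywall kernel: HW IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.0.0.11 LEN=60 TTL=52 ID=1234 DF PROTO=TCP SPT=44021 DPT=22 WINDOW=29200 SYN
Mar  3 02:11:09 honeywall kernel: HW IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.0.0.11 LEN=60 TTL=52 ID=1235 DF PROTO=TCP SPT=44022 DPT=22 WINDOW=29200 SYN
Mar  3 02:11:15 honeywall kernel: HW IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.12 LEN=60 TTL=48 ID=8811 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 SYN
Mar  3 02:14:40 honeywall kernel: HW IN=eth1 OUT=eth0 SRC=10.0.0.11 DST=198.51.100.77 LEN=60 TTL=63 ID=4410 DF PROTO=TCP SPT=40122 DPT=6667 WINDOW=5840 SYN
Mar  3 02:14:41 honeywall kernel: HW IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.12 LEN=84 TTL=48 ID=8812 PROTO=UDP SPT=53 DPT=53 LEN=64
Mar  3 02:15:00 honeywall cron[812]: (root) CMD (run-parts /etc/cron.hourly)
"""

# netfilter LOG format: "<timestamp> <host> kernel: <prefix> IN=.. OUT=.. [MAC=..] SRC=.. DST=.. ... PROTO=.. [SPT=.. DPT=..]"
FW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a flow record for a netfilter LOG line, or None for any other syslog line."""
    m = FW_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None  # ICMP and friends carry no ports
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["new_conn"] = " SYN" in line and " ACK" not in line  # TCP connection attempt
    return rec


def analyze(log_text):
    """Summarise inbound probes per honeypot and flag outbound connections."""
    inbound = defaultdict(Counter)  # honeypot -> Counter of (proto, dport)
    outbound = []                   # records where a honeypot is the source
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dst"] in HONEYPOTS:
            inbound[rec["dst"]][(rec["proto"], rec["dpt"])] += 1
        elif rec["src"] in HONEYPOTS:
            outbound.append(rec)
    alerts = [f"probe: {n} {proto} packet(s) to {hp} port {dpt}"
              for hp, ports in sorted(inbound.items())
              for (proto, dpt), n in sorted(ports.items())]
    alerts += [f"POSSIBLE COMPROMISE: {r['src']} -> {r['dst']}:{r['dpt']} ({r['proto']}) at {r['ts']}"
               for r in outbound]
    return {"inbound": {hp: dict(c) for hp, c in inbound.items()},
            "outbound": outbound, "alerts": alerts, "skipped": skipped}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

In line with point 2 of the previous slide, a script like this belongs on the honeywall or a separate logging host, never on the honeypot itself, so that an intruder who gains root on the honeypot cannot edit or delete the record of their own activity.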

Page 16

Example: GEN I Honeynet

Page 17

Example: GEN II Honeynet

Page 18

Virtual Honeynet

Running multiple OS on a single computer.

Virtualization software (UML, VMware).

Types:

1) Self-Contained Virtual Honeynet

2) Hybrid Virtual Honeynet

Page 19

Self-Contained Virtual Honeynet

Page 20

Hybrid Virtual Honeynet

Page 21

Risks

Harm

Risk of detection

Risk of disabling Honeynet functionality

Violation

Solutions:

1) Human monitoring

2) Customization

Page 22

Legal Issues

Consult with local counsel before deploying it.

Page 23

References

- http://www.honeynet.org/
- http://www.tracking-hackers.com/papers/honeypots.html
- http://www.citi.umich.edu/u/provos/honeyd/

Page 24

THE END

Thank You