Honeypots and Honeynets
A New Response to Cybercrime Analysis
NAAG Seattle 04/14/03

Page 2: Agenda

• The Honeynet Project
• The Enemy
• Honeypot Basics
• Honeypots In Use
• Legal Implications

Page 3: Honeynet Project Goals

• Awareness: To raise awareness of the different types of honeypots that exist
• Information: To teach and inform about the application of honeypots
• Research: To spur thought-provoking discussion and help drive innovation and research in this emerging space

Learn and have fun!

Page 4: The Threat is Real

• The blackhat community is extremely active
  – 20+ unique scans a day (20/hour on UW network)
  – Fastest time honeypot manually compromised, 15 minutes: worm, 92 seconds
  – Default RH 6.2 life expectancy is 72 hours (fresh Windows 2000 install on UW network: 2 hours)
  – 100% - 900% increase of activity from 2000 to 2001
  – It’s only getting worse

http://www.honeynet.org/papers/stats/

Page 5: Know Your Enemy

Tier I – The best of the best
  • Ability to find new vulnerabilities
  • Ability to write exploit code and tools

Tier II – IT savvy
  • Ability to program or script
  • Understand what the vulnerability is and how it works
  • Intelligent enough to use the exploit code and tools with precision

Tier III – “Script Kiddies”
  • Inexpert
  • Ability to download exploit code and tools
  • Very little understanding of the actual vulnerability
  ➢ Randomly fire off scripts until something works

Page 6: Rising Attack Sophistication

• Black hats have the initiative; attack whatever they want, whenever they want
• Public knows very little about the black hats (Who are they? How do they attack? Why?)
• Arms races, and the bad guys are always ahead

Page 7: Methodology

• One of the most common tactics seen is attacking targets of opportunity
  – “Drive-by shootings on the information superhighway”
• Scanning as many systems as possible and going for the easy kill
• If only 1% of systems are vulnerable, and you scan over 1 million hosts, you can potentially hack into 10,000 systems

Page 8: What are they looking for?

#!/bin/sh
# The message is Romanian: "Looking for credit cards and trying to save them to card.log"
echo " Caut carti de credit si incerc sa salvez in card.log"
# The loot file is created in a hidden dot-directory under /dev; note that the
# appends below go to card.log in the current working directory, not to this path
touch /dev/ida/.inet/card.log
# Case-insensitive recursive search for card brand names, skipping cache directories
egrep -ir 'mastercard|visa' /home|egrep -v cache >>card.log
egrep -ir 'mastercard|visa' /var|egrep -v cache >>card.log
egrep -ir 'mastercard|visa' /root|egrep -v cache >>card.log
if [ -d /www ]; then
  egrep -ir 'mastercard|visa' /www >>card.log
fi
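The script above parks its output in /dev/ida/.inet/, a hidden directory inside /dev. A normal /dev contains device nodes, so dot-named directories and plain regular files there are anomalies an investigator can check for. The following is an added example written for this page, not code from the talk or the Honeynet Project: a small audit that walks a /dev-like tree and reports such entries. The root directory is a parameter so it can be pointed at a mounted forensic image; the sample tree it builds for the demonstration is constructed data, and the file names in it (ida/.inet/card.log, pts, initctl) are taken from the script above or chosen for illustration.

```python
"""Added example: audit a /dev-like tree for entries that do not belong there.

Findings:
  hidden-dir    a directory whose name starts with '.'
  regular-file  a regular file (device nodes, FIFOs, sockets and symlinks are fine)
"""
import os
import stat
import tempfile


def audit_dev_tree(root):
    """Return a sorted list of (path, reason) findings under `root`.

    Symlinks are not followed, so a planted link cannot redirect the walk
    to another part of the filesystem.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames:
            if name.startswith("."):
                findings.append((os.path.join(dirpath, name), "hidden-dir"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to classify
            if stat.S_ISREG(st.st_mode):
                findings.append((path, "regular-file"))
    return sorted(findings)


def build_sample_tree(base):
    """Construct a sample /dev-like tree (constructed data, not a real capture).

    A FIFO stands in for the device nodes a real /dev holds, since creating
    device nodes needs root; it is created only where the platform supports it.
    """
    os.makedirs(os.path.join(base, "ida", ".inet"))           # hidden loot directory
    with open(os.path.join(base, "ida", ".inet", "card.log"), "w") as f:
        f.write("constructed placeholder, not real data\n")    # regular file in /dev
    os.makedirs(os.path.join(base, "pts"))                      # benign directory
    if hasattr(os, "mkfifo"):
        os.mkfifo(os.path.join(base, "initctl"))                # benign non-regular entry
    return base


def demo():
    """Build the sample tree in a temporary directory and return the findings
    as paths relative to the tree root, so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [(os.path.relpath(p, root), r) for p, r in audit_dev_tree(root)]


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:13s} {rel}")
```

Only the hidden directory and the regular file inside it are reported; the ordinary directory and the FIFO pass, which is the point of checking file type rather than name alone.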

Page 9: Evolution

• Firewalls
  – Early 90’s
  – Must have – deployed before anything else
• Intrusion Detection System (IDS)
  – Mid to late 90’s
  – We can’t guard everything, so let’s watch the network for suspicious traffic
• Honeypots
  – Early 2000
  – Not only do we want to know when the black hats are attacking, but also answer the question, Why?
  – Let’s learn rather than just react

Page 10: Concept of Honeypots

• A security resource whose value lies in being probed, attacked or compromised
• Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
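The detection logic that follows from “anything going to/from a honeypot is likely a probe, attack or compromise” needs no signatures: every flow that touches a honeypot address is an event worth recording, and a flow that the honeypot itself initiates is the strongest signal of all, since it has no business starting conversations. The example below is added for this page and is not code from the talk; it tallies those events from flow records and, going one step beyond this slide, also produces the “top attacked ports” view shown later in the deck. The record format, the honeypot addresses and the sample flows are all constructed for the example (documentation address ranges, not real hosts).

```python
"""Added example: honeypot-centric alerting over constructed flow records."""
from collections import Counter

# Constructed sample: addresses set aside for the honeypots.
HONEYPOTS = {"192.0.2.10", "192.0.2.11"}

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
# The last record is deliberately malformed to show that parsing must be defensive.
SAMPLE_FLOWS = """\
2003-04-14T02:11:05 198.51.100.7 3921 192.0.2.10 80 tcp
2003-04-14T02:11:06 198.51.100.7 3922 192.0.2.10 21 tcp
2003-04-14T02:11:07 198.51.100.7 3923 192.0.2.11 21 tcp
2003-04-14T02:14:40 203.0.113.44 1025 192.0.2.10 111 tcp
2003-04-14T02:14:41 203.0.113.44 1026 192.0.2.10 21 tcp
2003-04-14T02:20:00 203.0.113.9 2000 192.0.2.50 80 tcp
2003-04-14T02:21:13 192.0.2.11 1033 203.0.113.44 6667 tcp
malformed line that should be skipped
"""


def parse_flow(line):
    """Parse one record into a dict, or return None if the line is malformed."""
    fields = line.split()
    if len(fields) != 6 or not fields[2].isdigit() or not fields[4].isdigit():
        return None
    ts, src, sport, dst, dport, proto = fields
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def honeypot_events(text, honeypots=HONEYPOTS):
    """Return (inbound, outbound) lists of flows that touch a honeypot.

    Inbound flows are probes or attacks against the honeypot. Outbound flows
    are the urgent ones: a honeypot has no production role, so a connection it
    initiates almost always means it has been compromised (here, to an IRC port).
    Flows that touch no honeypot are ignored, which is where the low false
    positive rate comes from.
    """
    inbound, outbound = [], []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow["dst"] in honeypots:
            inbound.append(flow)
        elif flow["src"] in honeypots:
            outbound.append(flow)
    return inbound, outbound


def top_attacked_ports(inbound, n=10):
    """Rank destination ports on the honeypots by number of inbound flows."""
    return Counter(f["dport"] for f in inbound).most_common(n)


if __name__ == "__main__":
    inbound, outbound = honeypot_events(SAMPLE_FLOWS)
    print(f"{len(inbound)} inbound probes, {len(outbound)} honeypot-initiated flows")
    for port, count in top_attacked_ports(inbound):
        print(f"port {port:5d}: {count}")
    for f in outbound:
        print("ALERT honeypot initiated traffic:", f["src"], "->", f["dst"], f["dport"])
```

The outbound record to port 6667 is the kind of event the IRC traffic plugin shown later in the deck exists to examine; the inbound tally is the raw material for the top-ports chart.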

Page 11: The Role Of Honeypots In The Enterprise

• Augments Firewalls and IDS
• Research
• Incident Response / Forensics
• Deception / Deterrence

Page 12: Advantages

• Fidelity – Information of high value
• Reduced false positives
• Reduced false negatives
• Simple concept
• Not resource intensive
• Return on Investment

Page 13: Disadvantages

• Labor/skill intensive
• Risk
• Limited field of view
• Does not protect vulnerable systems

Page 14: Today's honeypots

• Military, government organizations, security companies applying the technologies
• Primarily to identify threats and learn more about them
• Commercial application increasing every day

Page 15: Utility – Identifying new exploits

Page 16: Future

• Honeypots are now where firewalls were eight years ago
• Beginning of the “hype curve”
• Predict you will see five more commercial honeypots by the end of 2003
• Enhanced policy enforcement capabilities
• Advance development in Open Source solutions
• Integrated firewall/IDS/honeypot appliances

Page 17: Gen II Honeynet

Page 18: Virtual Honeynet

Page 19: Live Demo

Page 20: Top 10 attacked ports

Page 21: Attacks logged

Page 22: IRC traffic plugin output

Page 23: Legal Issues

• Entrapment
• Liability
• Privacy

Page 24: Entrapment

• Applies only to law enforcement
• Useful only as defense in criminal prosecution
• Still, most legal authorities consider honeypots non-entrapment

Page 25: Liability

• Any organization may be liable if their honeypot is used to attack or damage third parties.
  – Civil issue, not criminal
    • Example: T.J. Hooper v. Northern Barge Corp. (No weather radios)
  – Decided at state level, not federal
• This is why the Honeynet Project focuses so much attention on Data Control.
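Data Control, in Honeynet Project usage, is the part of the architecture that limits what a compromised honeypot can do to others: the attacker must be allowed enough outbound activity to be observed, but not enough to turn the honeypot into a launch point against third parties, which is exactly the liability the slide describes. The example below is added for this page and is not the Honeynet Project's own code; it implements the idea as a sliding-window cap on new outbound connections per honeypot. The cap of 15 connections per hour, the addresses and the scenario are assumptions chosen for illustration.

```python
"""Added example: Data Control as an outbound connection-rate limiter."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class OutboundLimiter:
    """Allow at most `limit` new outbound connections per honeypot within any
    sliding window of `window` seconds; attempts past the cap are dropped and
    logged. Inbound traffic is never touched: it is the data we want to capture."""

    def __init__(self, honeypots, limit=15, window=3600):
        self.honeypots = set(honeypots)
        self.limit = limit
        self.window = timedelta(seconds=window)
        self._recent = defaultdict(deque)   # honeypot ip -> timestamps of allowed connections
        self.log = []

    def decide(self, ts, src, dst, dport):
        """Return 'pass', 'allow' or 'drop' for one new connection attempt."""
        if src not in self.honeypots:
            return "pass"                    # not honeypot-originated: not this control's job
        when = datetime.fromisoformat(ts)
        recent = self._recent[src]
        while recent and when - recent[0] >= self.window:
            recent.popleft()                 # expire entries that fell out of the window
        if len(recent) >= self.limit:
            self.log.append(f"{ts} DROP {src} -> {dst}:{dport} "
                            f"(limit {self.limit}/{int(self.window.total_seconds())}s)")
            return "drop"
        recent.append(when)
        self.log.append(f"{ts} ALLOW {src} -> {dst}:{dport} ({len(recent)}/{self.limit})")
        return "allow"


def run_sample():
    """Constructed scenario: a compromised honeypot attempts 17 outbound
    connections within two minutes, one more after the hour has elapsed, and
    an unrelated inbound probe arrives. Returns (decisions, log)."""
    limiter = OutboundLimiter({"192.0.2.10"}, limit=15, window=3600)
    base = datetime(2003, 4, 14, 3, 0, 0)
    decisions = []
    for i in range(17):
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        decisions.append(limiter.decide(ts, "192.0.2.10", "203.0.113.%d" % (i + 1), 6667))
    later = (base + timedelta(hours=1, seconds=1)).isoformat()
    decisions.append(limiter.decide(later, "192.0.2.10", "203.0.113.99", 6667))
    decisions.append(limiter.decide(base.isoformat(), "198.51.100.7", "192.0.2.10", 21))
    return decisions, limiter.log


if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    for line in log:
        print(line)
```

The first 15 attempts are allowed, the 16th and 17th are dropped, the attempt an hour later is allowed again because the oldest entry has expired, and the inbound probe passes untouched. The DROP lines in the log are themselves evidence: a honeypot that hits its outbound cap has almost certainly been taken over.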

Page 26: Privacy

• No single federal statute (USA) concerning privacy
• Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968)
  – Title I: Wiretap Act (18 USC 2510-22)
  – Title II: Stored Communications Act (18 USC 2701-11)
  – Title III: Pen/Trap Act (18 USC § 3121-27)

Page 27: Questions?

[email protected]

• Slides available at: http://staff.washington.edu/dittrich/talks/NAAG.ppt