Honeypots and Honeynets
A New Response to Cybercrime Analysis
NAAG Seattle 04/14/03
Agenda
• The Honeynet Project
• The Enemy
• Honeypot Basics
• Honeypots In Use
• Legal Implications
Honeynet Project Goals
• Awareness: To raise awareness of the different types of honeypots that exist
• Information: To teach and inform about the application of honeypots
• Research: To spur thought provoking discussion and help drive innovation and research in this emerging space
Learn and have fun!
The Threat is Real
• The blackhat community is extremely active
– 20+ unique scans a day (20/hour on UW network)
– Fastest time honeypot manually compromised, 15 minutes: worm, 92 seconds
– Default RH 6.2 life expectancy is 72 hours (fresh Windows 2000 install on UW network: 2 hours)
– 100% - 900% increase of activity from 2000 to 2001
– It's only getting worse
http://www.honeynet.org/papers/stats/
Know Your Enemy
Tier I: The best of the best
– Ability to find new vulnerabilities
– Ability to write exploit code and tools
Tier II: IT savvy
– Ability to program or script
– Understand what the vulnerability is and how it works
– Intelligent enough to use the exploit code and tools with precision
Tier III: "Script Kiddies"
– Inexpert
– Ability to download exploit code and tools
– Very little understanding of the actual vulnerability
➢ Randomly fire off scripts until something works
Rising Attack Sophistication
• Black hats have the initiative; attack whatever they want, whenever they want
• Public knows very little about the black hats (Who are they? How do they attack? Why?)
• Arms races, and the bad guys are always ahead
Methodology
• One of the most common tactics seen is attacking targets of opportunity
– "Drive by shootings on the information superhighway"
• Scanning as many systems as possible and going for the easy kill
• If only 1% of systems are vulnerable, and you scan over 1 million hosts, you can potentially hack into 10,000 systems
What are they looking for?
(Attacker script recovered from a compromised honeypot; it greps the filesystem for credit card data.)
#!/bin/sh
echo " Caut carti de credit si incerc sa salvez in card.log"
touch /dev/ida/.inet/card.log
egrep -ir 'mastercard|visa' /home|egrep -v cache >>card.log
egrep -ir 'mastercard|visa' /var|egrep -v cache >>card.log
egrep -ir 'mastercard|visa' /root|egrep -v cache >>card.log
if [ -d /www ]; then
  egrep -ir 'mastercard|visa' /www >>card.log
fi
Evolution
• Firewalls
– Early 90's
– Must have – deployed before anything else
• Intrusion Detection System (IDS)
– Mid to late 90's
– We can't guard everything, so let's watch the network for suspicious traffic
• Honeypots
– Early 2000
– Not only do we want to know when the black hats are attacking, but also answer the question, Why?
– Let's learn rather than just react
Concept of Honeypots
• A security resource whose value lies in being probed, attacked or compromised
• Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
The Role Of Honeypots In The Enterprise
• Augments Firewalls and IDS
• Research
• Incident Response / Forensics
• Deception / Deterrence
Advantages
• Fidelity – Information of high value
• Reduced false positives
• Reduced false negatives
• Simple concept
• Not resource intensive
• Return on Investment
Disadvantages
• Labor/skill intensive
• Risk
• Limited field of view
• Does not protect vulnerable systems
Today's honeypots
• Military, government organizations, security companies applying the technologies
• Primarily to identify threats and learn more about them
• Commercial application increasing every day
Utility – Identifying new exploits
Future
• Honeypots are now where firewalls were eight years ago
• Beginning of the "hype curve"
• Predict you will see five more commercial honeypots by the end of 2003
• Enhanced policy enforcement capabilities
• Advanced development in Open Source solutions
• Integrated firewall/IDS/honeypot appliances
Gen II Honeynet
Virtual Honeynet
Live Demo
Top 10 attacked ports
Attacks logged
IRC traffic plugin output
Legal Issues
• Entrapment
• Liability
• Privacy
Entrapment
• Applies only to law enforcement
• Useful only as defense in criminal prosecution
• Still, most legal authorities consider honeypots non-entrapment
Liability
• Any organization may be liable if their honeypot is used to attack or damage third parties.
– Civil issue, not criminal
• Example: T.J. Hooper v. Northern Barge Corp. (No weather radios)
– Decided at state level, not federal
• This is why the Honeynet Project focuses so much attention on Data Control.
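The two ideas this deck leans on, that any traffic to or from a honeypot is suspect (Concept of Honeypots) and that Data Control must keep a compromised honeypot from harming third parties, can both be checked from plain connection records. This is an added example, not code from the talk or the Honeynet Project; the log format, the honeypot address 192.0.2.10, the sample records and the outbound limit of 2 per hour are all constructed for illustration.

```python
import re
from collections import Counter

# Address of the honeypot in the constructed sample below (RFC 5737 test range).
HONEYPOT_IP = "192.0.2.10"

# Constructed connection records (not from the talk): timestamp, source, destination, protocol.
SAMPLE_LOG = """\
2003-04-14T10:00:01 203.0.113.5:41022 -> 192.0.2.10:445 tcp
2003-04-14T10:00:03 203.0.113.5:41023 -> 192.0.2.10:139 tcp
2003-04-14T10:01:10 198.51.100.77:3344 -> 192.0.2.10:445 tcp
2003-04-14T10:02:45 198.51.100.78:3345 -> 192.0.2.10:80 tcp
2003-04-14T10:05:00 203.0.113.9:5555 -> 192.0.2.10:445 tcp
2003-04-14T11:00:00 192.0.2.10:1025 -> 198.51.100.1:6667 tcp
2003-04-14T11:00:02 192.0.2.10:1026 -> 203.0.113.40:445 tcp
2003-04-14T11:00:03 192.0.2.10:1027 -> 203.0.113.41:445 tcp
2003-04-14T11:00:04 192.0.2.10:1028 -> 203.0.113.42:445 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_records(text):
    """Parse one connection record per line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
            records.append(r)
    return records

def top_attacked_ports(records, honeypot_ip=HONEYPOT_IP, n=10):
    """The honeypot has no production value, so every inbound connection is a probe or attack;
    a plain tally of destination ports is therefore the 'top attacked ports' view."""
    ports = Counter(r["dport"] for r in records if r["dst"] == honeypot_ip)
    return ports.most_common(n)

def outbound_limit_exceeded(records, honeypot_ip=HONEYPOT_IP, limit=2):
    """Data control check: a honeypot should initiate almost no outbound connections.
    Return the hours in which it opened more than `limit` outbound connections, i.e. the
    hours in which a compromised honeypot may be scanning or attacking third parties."""
    per_hour = Counter(r["ts"][:13] for r in records if r["src"] == honeypot_ip)
    return sorted((hour, count) for hour, count in per_hour.items() if count > limit)
```

On the sample, the inbound tally is dominated by port 445, and the 11:00 hour trips the outbound limit, which is exactly the condition a Gen II data-control layer would block rather than merely report.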
Privacy
• No single federal statute (USA) concerning privacy
• Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968)
– Title I: Wiretap Act (18 USC 2510-22)
– Title II: Stored Communications Act (18 USC 2701-11)
– Title III: Pen/Trap Act (18 USC § 3121-27)
Questions?
• [email protected]
• Slides available at: http://staff.washington.edu/dittrich/talks/NAAG.ppt