Honeypots final

  • 8/7/2019 Honeypots final

    Honeypots

    Introduction

    A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

    They are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering.

    A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

    Classification

    By level of interaction
        High
        Low

    By implementation
        Virtual
        Physical

    By purpose
        Production
        Research

    Interaction

    Low-interaction honeypots

    They have limited interaction; they normally work by emulating services and operating systems.

    They simulate only services that cannot be exploited to get complete access to the honeypot.

    Attacker activity is limited to the level of emulation by the honeypot.

    Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
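
    The low-interaction idea described above, as an added example (not part of the original slides): a listener that emulates only a service banner, never executes or interprets what it receives, and logs every connection. The FTP banner, the hostname and all function names are constructed for illustration.

```python
import socket
import threading
import time

# Constructed banner and reply for a fake FTP service (hypothetical hostname).
BANNER = b"220 ftp.example.test FTP server ready\r\n"
REJECT = b"530 Login incorrect.\r\n"

def serve_once(listener, events, max_bytes=1024, timeout=2.0):
    """Accept one connection, emulate the banner, record what the peer sends."""
    conn, peer = listener.accept()
    data = b""
    with conn:
        conn.settimeout(timeout)
        try:
            conn.sendall(BANNER)
            data = conn.recv(max_bytes)   # bounded read; stored, never parsed or executed
            conn.sendall(REJECT)          # emulation stops here: no login ever succeeds
        except OSError:                   # timeout or reset: keep whatever was captured
            pass
    # Any connection to a honeypot is unauthorized by definition, so every one is logged.
    events.append({"time": time.time(), "src_ip": peer[0],
                   "src_port": peer[1], "data": data})

def start_honeypot(host="127.0.0.1", port=0, connections=1):
    """Listen on host:port (0 = ephemeral) and handle a fixed number of connections."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, port))
    listener.listen(5)
    events = []

    def loop():
        with listener:
            for _ in range(connections):
                serve_once(listener, events)

    worker = threading.Thread(target=loop, daemon=True)
    worker.start()
    return listener.getsockname()[1], events, worker

def demo():
    """Constructed probe against the local honeypot; returns what each side saw."""
    port, events, worker = start_honeypot()
    with socket.create_connection(("127.0.0.1", port), timeout=2) as client:
        banner = client.recv(1024)
        client.sendall(b"USER admin\r\n")
        reply = client.recv(1024)
    worker.join(timeout=5)
    return banner, reply, events

if __name__ == "__main__":
    print(demo())
```

    The fixed banner and the single canned reply are also what make a listener like this easy for a skilled attacker to recognize.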

    Interaction

    High-interaction honeypots

    They are usually complex solutions, as they involve real operating systems and applications.

    Nothing is emulated; the attackers are given the real thing.

    A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks.

    Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.

    Implementation

    Physical
        Real machines
        Own IP addresses
        Often high-interaction

    Virtual
        Simulated by other machines that:
            Respond to the traffic sent to the honeypots
            May simulate a lot of (different) virtual honeypots at the same time

    Production

    Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations.

    Prevention
        To keep the bad elements out
        There are no effective mechanisms
        Deception, Deterrence, Decoys do NOT work against automated attacks: worms, auto-rooters, mass-rooters

    Detection
        Detecting the burglar when he breaks in

    Response
        Can easily be pulled offline

    Research

    Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

    Collect compact amounts of high value information
    Discover new Tools and Tactics
    Understand Motives, Behavior, and Organization
    Develop Analysis and Forensic Skills

    Advantages

    Small data sets of high value
    Easier and cheaper to analyze the data
    Designed to capture anything thrown at them, including tools or tactics never used before
    Require minimal resources
    Work fine in encrypted or IPv6 environments
    Can collect in-depth information
    Conceptually very simple

    Disadvantages

    Can only track and capture activity that directly interacts with them
    All security technologies have risk
    Building, configuring, deploying and maintaining a high-interaction honeypot is time consuming
    Difficult to analyze a compromised honeypot
    High-interaction honeypot introduces a high level of risk
    Low-interaction honeypots are easily detectable by skilled attackers

    Working of Honeynet (high-interaction honeypot)

    Honeynet has 3 components:

    Data control
    Data capture
    Data analysis

    Conclusion

    Not a solution!
    Can collect in-depth data which no other technology can
    Different from others: its value lies in being attacked, probed or compromised
    Extremely useful in observing hacker movements and preparing the systems for future attacks
