Honeypots

ZIANE Bilal

Http://www.ZIANEBilal.com/2012/09/honeypots/

Honeypot

1. Definitions of Honeypots

What is a Honeypot? The buzzword "honeypot" has created a great deal of confusion and miscommunication in the security community, due to the lack of a clear and simple definition.

Some think a honeypot is an intrusion detection tool; others see it as a jail or as a deception tool to lure hackers. These differing viewpoints of what a honeypot is have given rise to many misunderstandings.

In short, a honeypot is a resource that pretends to be a real target. A honeypot is expected to be attacked or compromised. Its main goals are to distract the attacker and to gain information about the type of attack and about the attacker, serving as an early warning and thus minimizing the risk to the real IT systems and network.

Honeypots are typically virtual machines designed to emulate real machines with fully running services, fooling black hats who do not know they are being covertly observed.

On the one hand, firewalls are designed to protect organizations by controlling traffic flow; they act as access control devices that block unauthorized activity. On the other hand, network intrusion detection systems are designed to detect malicious activity by monitoring the network, identifying malicious activities and reporting them to the administrator. A honeypot differs from most security tools in that it can take many different forms, and its value resides in being attacked: if the system is never probed, it has little or no value.

Honeypots are flexible and are not limited to one specific problem. They are useful in widely different situations: as alarm and early-warning sensors, for detecting attacks (like an IDS), for deterring them (like a firewall), and for capturing and analyzing automated attacks such as worms.


How Honeypots Work

Honeypots are security resources that have no production value; no person or resource should be communicating with them. Any activity sent their way is suspect. Any traffic initiated by the honeypot means the system has most likely been compromised. Any traffic sent to the honeypot is most likely a probe, scan, or attack. With a honeypot, nothing is expected.

To better understand the concepts of honeypots, let's take a look at the following example of honeypot deployments. The purpose is to show that honeypots come in many different flavors and can achieve different things, yet all of them are honeypots because they share the same definition and concepts.

One intent is to use systems as honeypots to determine whether any unauthorized activity is happening within your DMZ. Honeypots passively capture any traffic or activity that interacts with them.
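The rule just stated (nothing legitimate talks to a honeypot, and a honeypot never initiates traffic) is easy to turn into triage logic over flow records. The following is an added example, not code from the original paper; the record format ("src sport dst dport proto"), the honeypot addresses and the verdict labels are assumptions chosen for this illustration, and the flow lines are constructed.

```python
"""Triage of constructed flow records against a honeypot address list.

Added example, not code from the original paper: the record format
('src sport dst dport proto'), the honeypot addresses and the verdict
labels are assumptions chosen for this illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed honeypot addresses in the DMZ (constructed, RFC 5737 test ranges).
HONEYPOTS = frozenset({
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("203.0.113.11"),
})

# Constructed flow records: src sport dst dport proto
SAMPLE_FLOWS = """\
198.51.100.7 51514 203.0.113.10 22 tcp
198.51.100.7 51515 203.0.113.10 445 tcp
203.0.113.11 40001 198.51.100.99 6667 tcp
192.0.2.5 33000 203.0.113.50 443 tcp
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record into a Flow."""
    src, sport, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower())


def triage(flow: Flow) -> str | None:
    """Apply the honeypot rule: nothing legitimate talks to or from a honeypot.

    Traffic initiated by a honeypot outranks traffic sent to it, because the
    former means the honeypot itself has most likely been compromised.
    Returns None for flows that never touched a honeypot: the honeypot's
    narrow field of view means it can say nothing about them.
    """
    if flow.src in HONEYPOTS:
        return "CRITICAL: honeypot initiated traffic (likely compromised)"
    if flow.dst in HONEYPOTS:
        return "ALERT: inbound to honeypot (probe, scan or attack)"
    return None


def triage_log(text: str) -> list[tuple[str, str | None]]:
    """Run triage over every non-empty line of a flow log."""
    return [(line, triage(parse_flow(line)))
            for line in text.splitlines() if line.strip()]


def summarize(text: str) -> dict[str, int]:
    """Count verdicts by severity; flows that did not touch a honeypot are 'ignored'."""
    counts: Counter[str] = Counter()
    for _, verdict in triage_log(text):
        counts[verdict.split(":")[0] if verdict else "ignored"] += 1
    return dict(counts)


if __name__ == "__main__":
    for line, verdict in triage_log(SAMPLE_FLOWS):
        print(f"{verdict or 'ignored':<55} {line}")
    print(summarize(SAMPLE_FLOWS))
```

Note that the fourth sample flow targets a DMZ host that is not a honeypot and is therefore ignored: the honeypot says nothing about it, which is exactly the narrow field of view discussed later under disadvantages. In a real deployment the outbound rule would also need an allowlist for any management traffic (patching, log shipping) the honeypot is expected to originate.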


2. Types of Honeypots

Production/Research Honeypots:

Honeypots are classified into two general categories: production honeypots and research honeypots.

Production honeypots are easier to build and deploy than research honeypots, and besides their simplicity they carry less risk. However, they give less information about the attacker and about the types of attacks.

Research honeypots are designed to gain information about the black hat community, with the aim of researching the threats an organization might face: who the attackers are, how they are organized, which tools they use and how they operate. The environment can then be progressively protected based on the collected information.

Security research companies, government agencies and universities deploy research honeypots to help the security community secure its resources, and to learn who the attackers are, how they operate, and what tools they use. Honeynets are one example of research honeypots.

Low/High Interactivity:

High-interaction honeypots offer the adversary a full system to interact with. This means that the honeypot does not emulate any services, functionality, or base operating systems. Instead, it provides real systems and services, the same used in organizations today. Thus, the attacker can completely compromise the machine and take control of it.

This allows you to learn more about the tools, tactics, and motives of the attacker and get a better understanding of the attacker community.

Although these types of honeypots can give you deep insights into the routine procedures of an attacker, be warned: High-interaction honeypots can be a time-consuming yet fascinating hobby! Your personal computer can be considered a high-interaction honeypot.

This approach, however, has several drawbacks. After all, you do not want an attacker to have access to your private data or disrupt your work. Certainly you want to set up a machine that is dedicated to this task, using a virtual machine. High-interaction honeypots also carry risk: the attacker can abuse a honeypot he has compromised and start to attack other systems on the Internet. This could cause you both legal and ethical problems. Therefore, the whole setup needs to be safeguarded to mitigate the risk.

Low-interaction honeypots are fascinating for many different reasons. Many noncommercial solutions exist like LaBrea and Tiny Honeypot, and low-interaction honeypots are easy to set up. Even without much experience, you can set up a network of hundreds of low-interaction virtual honeypots in a short time.

Hybrid honeypots:

When low-interaction systems are not powerful enough and high-interaction systems are too expensive, hybrid solutions offer the benefits of both worlds.

Let's say we want to capture real worms on a class B network under our control. It would be too expensive to set up 65,000 real machines, but by combining the principles of low-interaction honeypots with high-interaction honeypots, we can use the low-interaction honeypots as gateways to a few high-interaction machines.

The low-interaction honeypots filter out noise and scanning attempts and ensure that only interesting connections are forwarded to a set of high-interaction machines. These high-interaction machines can run different operating systems, and by selectively forwarding connections from the low-interaction honeypots, we can mix and match the different services available on the high-interaction systems.
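The forwarding decision a hybrid front-end makes can be stated compactly. The following is an added example and not code from the original paper or from any particular honeypot project: the port-to-backend table, the scan threshold and the sample connections are all constructed for this illustration.

```python
"""Front-end decision logic for a hybrid honeypot (added example).

Not code from the original paper: the port-to-backend table, the scan
threshold and the sample connections are constructed for this illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed high-interaction backends keyed by the service port a client asked for.
BACKENDS = {22: "hi-linux", 80: "hi-linux", 445: "hi-windows", 3389: "hi-windows"}

# A source that touches more than this many distinct ports is treated as a scanner.
SCAN_PORT_THRESHOLD = 5


@dataclass(frozen=True)
class Conn:
    src: str
    dport: int
    payload: bytes  # first bytes the client sent after connecting; b"" if none


class HybridFrontEnd:
    """Low-interaction front-end: absorb noise, forward real interactions."""

    def __init__(self) -> None:
        self.ports_seen: dict[str, set[int]] = defaultdict(set)
        self.forwarded: dict[str, int] = defaultdict(int)

    def decide(self, conn: Conn) -> str:
        self.ports_seen[conn.src].add(conn.dport)
        # Port sweeps are answered locally, so the scanner still sees an "open"
        # port but nothing reaches the expensive high-interaction machines.
        if len(self.ports_seen[conn.src]) > SCAN_PORT_THRESHOLD:
            return "absorb:scanner"
        # A connection that never sent data is noise (a bare connect scan or an
        # abandoned banner grab); the low-interaction honeypot handles it alone.
        if not conn.payload:
            return "absorb:no-payload"
        backend = BACKENDS.get(conn.dport)
        if backend is None:
            return "absorb:no-backend"
        self.forwarded[backend] += 1
        return f"forward:{backend}"


# Constructed sample: one port sweeper, one SSH client, one SMB-shaped blob,
# and one request on a port with no high-interaction backend behind it.
SAMPLE_CONNS = [
    *(Conn("198.51.100.7", p, b"") for p in (21, 22, 23, 25, 80, 110)),
    Conn("198.51.100.8", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Conn("198.51.100.9", 445, b"\x00\x00\x00\x85\xffSMB"),
    Conn("198.51.100.9", 8080, b"GET / HTTP/1.1\r\n"),
]


def run(conns: list[Conn]) -> list[str]:
    """Feed connections through one front-end instance and return its decisions."""
    fe = HybridFrontEnd()
    return [fe.decide(c) for c in conns]


if __name__ == "__main__":
    for c, d in zip(SAMPLE_CONNS, run(SAMPLE_CONNS)):
        print(f"{c.src}:{c.dport:<5} -> {d}")
```

The two filters are cheap to evaluate, which is the point of the design: the front-end answers sweeps and empty connections itself, and only the handful of connections that actually speak a protocol reach the high-interaction machine that runs the real service.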

3. Advantages of Honeypots

Simplicity and high flexibility

The simpler a technology is, the fewer mistakes and misconfigurations there will be. I consider simplicity the biggest advantage of honeypots: just drop one somewhere in the organization's network, then sit and wait. Some honeypots can be more complex, especially research honeypots, but they all operate on the same simple premise: the simpler the concept, the more reliable it is. With complexity come misconfigurations and failures.

Honeypots can be used in a wide variety of environments, due to their high flexibility. They can vary from a simple social security number added to a database to an entire network of computers designed to be broken into. It is this flexibility that allows honeypots to be used anywhere and to gather extensive information accordingly, especially against insider threats.

Data Value

The amount of information captured every day from firewall logs, intrusion detection alerts and system logs is overwhelming, and extremely difficult to make use of.

Instead of logging gigabytes of data every day, honeypots only capture bad activity (positive alerts). They reduce the noise and collect only small data sets of high-value information, most likely a scan, a probe, or an attack.

Minimal resources

Running out of resources has become a common problem in the security community; since honeypots require minimal resources, they do not suffer from it. Because they capture and monitor little activity, honeypots typically do not have problems of resource exhaustion. By contrast, most IDS sensors have difficulty monitoring networks that run at gigabit speeds. The speed and volume of the traffic are too great for the sensor to analyze every packet; as a result, traffic is dropped and potential attacks are missed. A honeypot deployed on the same network does not share this problem. The honeypot only captures activity directed at itself, and since any interaction with a honeypot is most likely unauthorized or malicious, it captures only bad activity. That is to say, the system is not overwhelmed by the traffic.

Besides, no great deal of money needs to be invested in hardware to deploy a honeypot: a cheap, old, unwanted Pentium computer will do the job.


Capture the new tools and attacks

Honeypots are designed to capture anything thrown at them. This means they capture harmful methods and tools that have never been used before. This is unlike other security systems such as IDS and firewalls, all of which have to recognize and diagnose an activity before categorizing it as dangerous.

Return on Investment

Honeypots quickly and repeatedly demonstrate their value. Whenever they are attacked, people know the bad guys are out there. By capturing unauthorized activity, honeypots can be used to justify not only their own value but investments in other security resources as well. When management perceives there are no threats, honeypots can effectively prove that a great deal of risk does exist.

4. Disadvantages of Honeypots

Narrow Field of View

The greatest disadvantage of honeypots is that they only see activity directed against them. If an attacker breaks into your real network and attacks a variety of systems, your honeypot will be unaware of the activity unless it is attacked directly. That is to say, if attackers have identified the honeypot for what it is, they can avoid that system, with the honeypot never knowing. As noted earlier, honeypots are designed to be attacked, and if they are not, they lose their value.

Fingerprinting

Fingerprinting is when an attacker can identify the true identity of the honeypot because of its characteristics or behaviors. If a blackhat identifies an organization using a honeypot on its internal networks, he could spoof the identity of other production systems and attack the honeypot. The honeypot would detect these spoofed attacks and falsely alert administrators that a production system was attacking it, sending the organization on a wild goose chase.


Meanwhile, in the midst of all the confusion, an attacker could focus on real attacks.

Fingerprinting is an even greater risk for research honeypots. A system designed to gain intelligence can be devastated if detected. Instead of avoiding detection, an attacker can feed bad information to a research honeypot. This bad information would then lead the security community to make incorrect conclusions about the blackhat community.

This is not to say all honeypots must avoid detection. Some organizations might want to scare away or confuse attackers. Once a honeypot is attacked, it can identify itself and then warn off the attacker in hopes of scaring him off. However, in most situations organizations do not want honeypots to be detected.

Risk

Honeypots can introduce risk to the environment. Once the honeypot is attacked, it can be used to attack, infiltrate, or harm other systems or organizations.

The simpler the honeypot is, the lower the risk. Some introduce very little risk and are difficult to compromise, while others give the attacker entire platforms from which to launch passive or active attacks against other systems.

Because of their disadvantages, honeypots cannot replace other security mechanisms such as firewalls and intrusion detection systems. Rather, they add value by working with existing security mechanisms. They play a part in your overall defenses.


Honeynets

1. How Honeynets Work

A Honeynet is a physical network of multiple systems that applies the same principle as a honeypot, but to more than a single system. Anything sent to the Honeynet is suspect: potentially a probe, scan, or even an attack. Anything sent from a Honeynet implies that it has been compromised, and that an attacker or tool is launching activity.

Honeynets are an architecture that builds a highly controlled network, within which you can place any system or application you want. It is this architecture that is your Honeynet.

There are three critical elements to a Honeynet architecture: data control, data capture, and data collection. These elements define your Honeynet architecture. Of the three, the first two are the most important and apply to every Honeynet deployment. The third, data collection, only applies to organizations that deploy multiple Honeynets in a distributed environment.

Data control is the controlling of the blackhat's activity. Once a blackhat takes control of a honeypot within the Honeynet, his activity has to be contained so he cannot harm non-Honeynet systems.

Data capture is the capturing of all the activity that occurs within the Honeynet.

Data collection is the aggregation of all the data captured by multiple Honeynets.

Honeynets are highly flexible: there is no specific way to implement a Honeynet solution. What is critical, however, is that the solution meets the data requirements of Honeynet technologies.

There are currently two types of Honeynets that can be employed on a network: GEN I, or first generation, and GEN II, or second generation. The type of Honeynet one chooses depends on many factors, including the availability of resources, the types of hackers and attacks one is trying to detect, and overall experience with the Honeynet methodology.

GEN I Honeynets are the simpler methodology to employ. Although they are somewhat limited in their Data Capture and Data Control abilities, they are highly effective in detecting automated attacks or beginner-level attacks against targets of opportunity on the network. Their limitations in Data Control make it possible for a hacker to fingerprint them as a Honeynet. They also offer little to attract a skilled hacker to the Honeynet, since the machines on the Honeynet are normally just default installations of various operating systems.

GEN II Honeynets were developed to address the shortcomings inherent in GEN I Honeynets. The primary area addressed by GEN II Honeynets is Data Control. GEN I Honeynets used a firewall to provide Data Control by limiting the number of outbound connections from the Honeynet. This is a very effective method of Data Control; however, it lacks flexibility and allows for the possibility of the hacker fingerprinting the Honeynet.

GEN II Honeynets provide data control by examining outbound data and making a determination to block it, to pass it, or to modify it by changing some of the packet contents, so that the data appears to pass but is rendered benign. GEN II Honeynets are more complex to deploy and maintain than GEN I Honeynets.
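The two data-control styles just described can be modelled side by side. The following is an added example and not the Honeynet Project's code: GEN I is modelled as a per-honeypot cap on outbound connections per time window, GEN II as inspection of outbound data with a block, pass or modify verdict, and the signature table and sample connections are constructed for this illustration.

```python
"""Data control in the two Honeynet generations (added example).

Not the Honeynet Project's code: GEN I is modelled as a per-honeypot cap on
outbound connections per time window, GEN II as inspection of outbound data
with a block / pass / modify verdict. The signature table and the sample
connections are constructed for this illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outbound:
    honeypot: str   # honeypot that opened the connection
    dst: str
    dport: int
    ts: float       # seconds since the Honeynet was brought up
    payload: bytes = b""


class Gen1Limiter:
    """GEN I data control: the firewall lets each honeypot open at most
    `limit` outbound connections per `window` seconds, then blocks the rest."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._starts: dict[str, list[float]] = defaultdict(list)

    def decide(self, c: Outbound) -> str:
        # Forget connection starts that have aged out of the window.
        recent = [t for t in self._starts[c.honeypot] if c.ts - t < self.window]
        if len(recent) < self.limit:
            recent.append(c.ts)
            verdict = "pass"
        else:
            verdict = "block"
        self._starts[c.honeypot] = recent
        return verdict


# GEN II signature table (constructed): pattern -> (action, same-length replacement).
# A replacement keeps the pattern's length so the packet still looks intact.
SIGNATURES: dict[bytes, tuple[str, bytes | None]] = {
    b"/bin/sh": ("modify", b"/ben/sh"),
    b"EXAMPLE-BLOCK-ME": ("block", None),
}


class Gen2Inspector:
    """GEN II data control: examine outbound data and block, pass, or modify it
    so the connection appears to succeed while the data is rendered benign."""

    def decide(self, c: Outbound) -> tuple[str, bytes]:
        data, verdict = c.payload, "pass"
        for pattern, (action, repl) in SIGNATURES.items():
            if pattern not in data:
                continue
            if action == "block":
                return "block", b""
            assert repl is not None and len(repl) == len(pattern)
            data, verdict = data.replace(pattern, repl), "modify"
        return verdict, data


class DataControl:
    """Honeywall-style combination: the connection cap runs first, inspection second."""

    def __init__(self, limit: int = 3, window: float = 3600.0) -> None:
        self.gen1, self.gen2 = Gen1Limiter(limit, window), Gen2Inspector()

    def decide(self, c: Outbound) -> tuple[str, bytes]:
        if self.gen1.decide(c) == "block":
            return "block", b""
        return self.gen2.decide(c)


# Constructed sample: a compromised honeypot tries four outbound connections in an hour.
SAMPLE = [
    Outbound("hp-1", "198.51.100.50", 80, 10.0, b"GET /tools HTTP/1.0\r\n"),
    Outbound("hp-1", "198.51.100.51", 6667, 20.0, b"cmd=/bin/sh\r\n"),
    Outbound("hp-1", "198.51.100.52", 25, 30.0, b"EXAMPLE-BLOCK-ME"),
    Outbound("hp-1", "198.51.100.53", 22, 40.0, b"SSH-2.0-x\r\n"),
]


def run(conns: list[Outbound]) -> list[str]:
    """Push the sample through one DataControl instance; return the verdicts."""
    dc = DataControl()
    return [dc.decide(c)[0] for c in conns]


if __name__ == "__main__":
    for c, v in zip(SAMPLE, run(SAMPLE)):
        print(f"{c.honeypot} -> {c.dst}:{c.dport:<5} {v}")
```

With the sample, the first connection passes untouched, the second is modified (the attacker's session stays open, so there is nothing to fingerprint), the third is blocked by the inspector, and the fourth is blocked by the connection cap. The cap alone is what makes GEN I fingerprintable: an attacker who sees exactly N outbound connections succeed and every later one fail learns something about the environment, which is why GEN II prefers to let data appear to pass.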


2. Virtual Honeynets

Virtual Honeynets represent a relatively new field for Honeynets. The concept is to run an entire Honeynet virtually on a single physical system. The purpose is to make Honeynets a cheaper solution that is easier to manage: instead of investing in large amounts of hardware, all of the hardware requirements are combined onto a single system. Virtual Honeynets do not represent a specific architecture; they can support either GenI or GenII technologies. Instead, virtual Honeynets represent one option for deploying these architectures.


HoneyC

HoneyC is an example of a client honeypot: it initiates connections to servers, aiming to find malicious servers on a network. It identifies malicious web servers by using emulated clients that are able to solicit the type of response from a server that is necessary for analysis of malicious content.

Official Website: https://projects.honeynet.org/honeyc/

Honeyd

Honeyd is an open source framework for setting up virtual honeypots with different services on one machine, fooling the network fingerprinting tools and simulating real operating systems.

Official Website: www.honeyd.org/

Deploying Honeypots with Honeyd: http://ulissesaraujo.wordpress.com/2008/12/08/deploying-honeypots-with-honeyd/

Honeypot/honeyd getting started: http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/

Honeyd - A low involvement Honeypot in Action: http://security.rbaumann.net/download/honeyd.pdf


Honeywall

Honeywall is a bootable CD-ROM that comes with a set of tools implementing GenII data capture, data control and analysis features.

Install and configure Honeywall: http://doc.emergingthreats.net/pub/Main/HoneywallSamples/InstallAndConfigureHoneywall.pdf

DTK

The Deception Toolkit was the first open source honeypot, released in 1997. It is a collection of Perl scripts and C source code that emulates a variety of listening services. Its primary purpose is to deceive human attackers.

The Deception Toolkit Home Page: http://all.net/dtk/index.html

Honeytrap

Honeytrap is a low-interaction honeypot developed to observe attacks against network services. It helps administrators collect information about known or unknown network-based attacks.

Official Website: http://honeytrap.carnivore.it/


Resources:

Honeypots, Tracking Hackers: http://www.tracking-hackers.com/papers/

Les HoneyPots, by François ROPERT: http://www.authsecu.com/honeypots-honeynet/honeypots-honeynet.php#Les_menaces

CERT Advisory CA-2001-18, Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP): http://www.cert.org/advisories/CA-2001-18.html

Honeypots: Tracking Hackers, by Lance Spitzner. ISBN: 0-321-10895-7.

Honeypots for Windows, by Roger A. Grimes. ISBN: 1590593359.

Virtual Honeypots: From Botnet Tracking to Intrusion Detection, by Niels Provos and Thorsten Holz. ISBN: 0-321-33632-1.

White Paper: Honeypots, by Reto Baumann (http://www.rbaumann.net) and Christian Plattner (http://www.christianplattner.net).

Know Your Enemy, Honeynets: http://www.symantec.com/connect/articles/know-your-enemy-honeynets

Virtual Honeynet, Deploying Honeywall using VMware: http://www.honeynet.pk/honeywall/roo/index.htm


Table of Contents

Honeypot

1. Definitions of Honeypots

2. Types of Honeypots

Production/Research Honeypots

Low/High Interactivity

Hybrid honeypots

3. Advantages of Honeypots

Simplicity and high flexibility

Data Value

Minimal resources

Capture the new tools and attacks

Return on Investment

4. Disadvantages of Honeypots

Narrow Field of View

Fingerprinting

Risk

Honeynets

1. How Honeynets Work

2. Virtual Honeynets

HoneyC

Honeyd

Honeywall

DTK

Honeytrap

Resources