Embed Size (px)
DESCRIPTION
Honeypots
Citation preview
Honeypots
ZIANE Bilal
Http://www.ZIANEBilal.com/2012/09/honeypots/
1 Honeypot www.ZIANEBilal.com
Honeypot
1. Definitions of Honeypots
What is a Honeypot? The buzz word honeypot has created a great deal of confusion and
miscommunication through the security community, due to the lack of a clear and
simple definition.
Some think a honeypot is an intrusion detection tool, others sees it as a jail or as a
deception tool to lure hackers. These viewpoints of what a honeypot is have emerged a
lot of misunderstandings.
Therefore, a honeypot is a resource which pretends to be a real target. A honeypot is
expected to be at-tacked or compromised. The main goals are the distraction of an
attacker and the gain of information about the type of the attack and about the attacker,
serving as an early-warning, thus, minimizing the risks on the real IT Systems and
Network.
Honeypots are typically virtual machines, designed to emulate real machines with fully
running services, fooling the black hats without knowing they are covertly observed.
In the one hand, Firewalls are designed to protect organizations by controlling the
traffic flow, using them as an access control device to block unauthorized activities. In
the other hand, Network Intrusion Detection Systems are designed to detect any
malicious activity by monitoring the activity within the network. Identifying malicious
activities and reporting them to the administrator. But the Honeypot seems to be
different from the most security tools in that they can take on different manifestations.
That’s to say the value of the honeypot resides in being attacked, and if the system is
never probed then it has little or no value.
Honeypots are flexible, resolving not only one specific issue. Instead, they are highly
recommended for widely different situations, as alarming and warning sensors, by
detecting (like IDS) deterring (like firewalls) attacks, capturing and analyzing
automated attacks including worms.
2 Honeypot www.ZIANEBilal.com
How Honeypots Work
Honeypots are security resources that have no production value; no person or
resource should be communicating with them. Any activity sent their way is suspect.
Any traffic initiated by the honeypot means the system has most likely been
compromised. Any traffic sent to the honeypot is most likely a probe, scan, or attack.
With a honeypot, nothing is expected.
To better understand the concepts of honeypots, let's take a look at the following
example of honeypot deployments.
The purpose here is to demonstrate to you that honeypots can come in many
different flavors, and they can achieve different things. However, they are both
honeypots because they share the same definition and concepts.
With the intent using systems as a honeypots, to determine if there is any
unauthorized activity happening within your DMZ.
Honeypots passively capture any traffic or activity that interacts with them.
3 Honeypot www.ZIANEBilal.com
2. Types of Honeypots
Production/Research Honeypots:
Honeypots are classified into two general categories: Production Honeypots and
Research Honeypots.
The production honeypots are easier to build and deploy than the research
honeypots, besides their simplicity they have less risk. But, they give less information
about the attacker and about the types of attacks as well.
The research honeypots are designed to gain information about the black hat
community with the aim of researching threats that the organization might face
detecting who the attackers are, how they are organized, tolls they are using, in order to
find out who the attackers are, and to understand how they are operating. Then we can
progressively protect the environment based on those collected information.
Security research companies, government agencies and universities are deploying
research honeypots to help the security community secure their resources, and to learn
about attackers who are they, how they take action, and what tools they use.
Indeed, Honeynets are one example of the research honeypots.
Low/High Interactivity:
High-interaction honeypots offer the adversary a full system to interact with. This means that the honeypot does not emulate any services, functionality, or base operating systems. Instead, it provides real systems and services, the same used in organizations today. Thus, the attacker can completely compromise the machine and take control of it.
This allows you to learn more about the tools, tactics, and motives of the attacker and get a better understanding of the attacker community.
Although these types of honeypots can give you deep insights into the routine procedures of an attacker, be warned: High-interaction honeypots can be a time-consuming yet fascinating hobby! Your personal computer can be considered a high-interaction honeypot.
4 Honeypot www.ZIANEBilal.com
This approach, however, has several drawbacks. After all, you do not want an attacker to have access to your private data or disrupt your work. Certainly you want to set up a machine that is dedicated for this task, using a virtual machineHigh-interaction honeypots have some risk. The attacker can abuse a honeypot he has compromised and start to attack other systems on the Internet. This could cause you both legal and ethical problems. Therefore, we need to safeguard the whole setup to mitigate risk.
Low-interaction honeypots are fascinating for many different reasons. Many noncommercial solutions exist like LaBrea and Tiny Honeypot, and low-interaction honeypots are easy to set up. Even without much experience, you can set up a network of hundreds of low-interaction virtual honeypots in a short time.
Hybrid honeypots:
When low-interaction systems are not powerful enough and high-interaction systems are too expensive, hybrid solutions offer the benefits of both worlds.
Let's say we want to capture real worms on a class B network under our control. It would be too expensive to set up 65,000 real machines, but by combining principals of low-interaction honeypots with high-interaction honeypots, we can use the low-interaction honeypots as gateways to a few high-interaction machines.
The low-interaction honeypots filter out noise and scanning attempts and ensure that only interesting connections are forwarded to a set of high-interaction machines. These high-interaction machines can run different operating systems, and by selectively forwarding connections from the low-interaction honeypots, we can mix and dice the different services available on the high-interaction systems.
3. Advantages of Honeypots
Simplicity and high flexibility
The simpler a technology is, the less mistakes and misconfigurations there will be.
And I consider that the biggest advantage of honeypots is their simplicity. Just drop it
somewhere on the organization, then sit and wait. Some Honeypots can be more
complex, especially the Research honeypots. They all operate on the same simple
5 Honeypot www.ZIANEBilal.com
premise: the simpler the concept, the more reliable it is. With complexity come
misconfigurations, and failures.
Honeypots can be used in a wide variety of environments, due to their high
flexibility. They can vary from a simple social security number added to a database, to
an entire network of computers designed to be broken into. It is this flexibility of
honeypots that allows them to be used anywhere and to gather extensive information
accordingly, especially against insider threats.
Data Value
The amount of captured information every day, from firewall logs, Intrusion
Detection alerts, system logs, would be very overwhelming, and extremely difficult to
take advantage of it.
Instead of logging Gigabytes of data every day, honeypots only capture bad activities
(positive alerts), by reducing the noise and collecting only small data sets of
information, with high value, most likely a scan, probe, or attack-information.
Minimal resources
Running out of resources has become an issue among the security community, and
since Honeypots require minimal resources, there are no resource limitations.
Because they capture and monitor little activity, honeypots typically do not have
problems of resource exhaustion. In the other hand, most IDS sensors have difficulty
monitoring networks that have gigabits speed. The speed and volume of the traffic are
too great for the sensor to analyze every packet. As a result, traffic is dropped and
potential attacks are missed. A honeypot deployed on the same network does not share
this problem. The honeypot only captures activities directed at itself, this is due to the
fact that honeypots only capture bad activity; any interaction with a honeypot is most
likely an unauthorized or malicious activity. That’s to say, the system is not
overwhelmed by the traffic.
Besides, no deal of money needs to be invested in hardware for deploying a
Honeypot, the cheap old and unwanted Pentium computer, will do the work.
6 Honeypot www.ZIANEBilal.com
Capture the new tools and attacks
Honeypots are designed to capture anything thrown at them. This means they
capture harmful methods and tools that have never been used before. This is unusual to
any security system deployed before, like IDS, Firewalls, etc., all of which have to
recognize and diagnose an activity before categorizing it as dangerous.
Return on Investment
Honeypots quickly and repeatedly demonstrate their value. Whenever they are
attacked, people know the bad guys are out there. By capturing unauthorized activity,
honeypots can be used to justify not only their own value but investments in other
security resources as well. When management perceives there are no threats, honeypots
can effectively prove that a great deal of risk does exist.
4. Disadvantages of Honeypots
Narrow Field of View
The greatest disadvantage of honeypots is that they only see what activity is directed
against them. But if an attacker breaks into your real network and attacks a variety of
systems, your honeypot will be unaware of the activity unless it is attacked directly.
That’s to say, if the attackers had identified the honeypot for what it is, they can now
avoid that system, with the honeypot never knowing. As noted earlier, honeypots are
designed to be attacked, but if not they lose their value.
Fingerprinting
Fingerprinting is when an attacker can identify the true identity of the honeypot
because of its characteristics or behaviors. If a blackhat identifies an organization using
a honeypot on its internal networks, he could spoof the identity of other production
systems and attack the honeypot. The honeypot would detect these spoofed attacks, and
falsely alert administrators that a production system was attacking it, sending the
organization on a wild goose chase.
7 Honeypot www.ZIANEBilal.com
Meanwhile, in the midst of all the confusion, an attacker could focus on real attacks.
Fingerprinting is an even greater risk for research honeypots. A system designed to
gain intelligence can be devastated if detected. An attacker can feed bad information to a
research honeypot as opposed to avoiding detection. This bad information would then
lead the security community to make incorrect conclusions about the blackhat
community.
This is not to say all honeypots must avoid detection. Some organizations might want
to scare away or confuse attackers. Once a honeypot is attacked, it can identify itself and
then warn off the attacker in hopes of scaring him off. However, in most situations
organizations do not want honeypots to be detected.
Risk
Honeypots can introduce risk to the environment. Once the honeypot is attacked, it
can be used to attack, infiltrate, or harm other systems or organizations.
The simpler the honeypot is, the less the risk. Some introduce very little risk and
difficult to compromise, while others give the attacker entire platforms from which to
launch passive or active attacks against other systems.
Because of their disadvantages, honeypots cannot replace other security mechanisms
such as firewalls and intrusion detection systems. Rather, they add value by working
with existing security mechanisms. They play a part in your overall defenses.
8 Honeynets www.ZIANEBilal.com
Honeynets
1. How Honeynets Work
Honeynet is a physical network of multiple systems, with the same principal of a
honeypot, But not only in a single system. Anything sent to the Honeynet is suspect,
potentially a probe, scan, or even an attack. Anything sent from a Honeynet implies that
it has been compromised— an attacker or tool is launching activity.
Honeynets are an architecture that builds a highly controlled network, within
which you can place any system or application you want. It is this architecture that is
your Honeynet.
There are three critical elements to a Honeynet architecture: data control, data
capture, and data collection. These elements define your Honeynet architecture. Of the
three,the first two are the most important and apply to every Honeynet deployment. The
third, data collection, only applies to organizations that deploy multiple Honeynets in a
distributed environment. Data control is the controlling of the blackhat activity. Once a
blackhat takes control of a honeypot within the Honeynet, his activity has to be
contained so he cannot harm non-Honeynet systems.
Data capture is the capturing of all the activity that occurs within the Honeynet.
Data collection is the aggregation of all the data captured by multiple Honeynets.
Honeynets are highly flexible: there is no specific way to implement a Honeynet
9 Honeynets www.ZIANEBilal.com
solution. However, what is critical is that it meets the data requirements of Honeynet
technologies.
There are currently two types of Honeynets that can be employed on a network.
These are GEN I, or first generation, and GEN II, or second generation. The type of
Honeynet that one chooses to use depends on many factors to include availability of
resources, types of hackers and attacks that you are trying to detect, and overall
experience with the Honeynet methodology.
GEN I Honeynets are the simpler methodology to employ. Although they are
somewhat limited in their ability for Data Capture and Data Control, highly effective in
detecting automated attacks or beginner level attacks against targets of opportunity on
the network. Their limitations in Data Control make it possible for a hacker to
fingerprint them as a Honeynet. They also offer little to a skilled hacker to attract them
to target the Honeynet, since the machines on the Honeynet are normally just default
installations of various operating systems.
GEN II Honeynets were developed to address the shortcomings inherent with
GEN I Honeynets. The primary area that was addressed by GEN II Honeynets is in the
area of Data Control. GEN I Honeynets used a firewall to provide Data Control by
limiting the number of outbound connections from the Honeynet. This is a very effective
method of Data Control; however, it lacks flexibility and allows for the possibility of the
hacker fingerprinting the Honeynet.
GEN II Honeynets provide data control by examining outbound data and making
a determination to block, to pass, or to modify by changing some of the packet contents
so as to allow data to appear to pass but rendering it benign. GEN II Honeynets are
more complex to deploy and maintain than GEN I Honeynets.
10 Honeynets www.ZIANEBilal.com
2. Virtual Honeynets
Virtual Honeynets represent a relatively new field for Honeynets. The concept is to
virtually run an entire Honeynet on a single, physical system. The purpose of this is to
make Honeynets a cheaper solution that is easier to manage. Instead of investing in
large amounts of hardware, all of the hardware requirements are combined onto a single
system. Virtual Honeynets do not represent a specific architecture; they can support
either GenI or GenII technologies. Instead, virtual Honeynets represent one option for
deploying these architectures.
11 HoneyC www.ZIANEBilal.com
HoneyC
This is an example of a client honeypot that initiates connections to a server,
aiming to find malicious servers on a network. It aims to identify malicious web servers
by using emulated clients that are able to solicit the type of response from a server that
is necessary for analysis of malicious content.
Official Website: https://projects.honeynet.org/honeyc/
Honeyd
Honeyd is an open source framework for setting up virtual honeypots with different services on one machine, fooling the network fingerprinting tools and simulating real operating systems.
Official Website: www.honeyd.org/
Deploying Honeypots with Honeyd:
http://ulissesaraujo.wordpress.com/2008/12/08/deploying-honeypots-with-
honeyd/
Honeypot/honeyd getting started:
http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/
Honeyd – A low involvement Honeypot in Action
http://security.rbaumann.net/download/honeyd.pdf
12 Honeywall www.ZIANEBilal.com
Honeywall
Honeywall Bootable CD-ROM that comes with a set of tools and functionalities,
for implementing a GenII data capture, control and analysis features.
Install and configure Honeywall:
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/InstallAndConfigureHo
neywall.pdf
DTK
Deception Toolkit was the first Open Source honeypot released in 1997. It is a
collection of Perl scripts and C source code that emulates a variety of listening services.
Its primary purpose is to deceive human attackers.
The Deception Toolkit Home Page: http://all.net/dtk/index.html
Honeytrap
This is a low-interactive honeypot developed to observe attacks against network
services. It helps administrators to collect information regarding known or unknown
network-based attacks.
Official Website: http://honeytrap.carnivore.it/
13 Resources: www.ZIANEBilal.com
Resources:
Honeypots, Tracking Hackers: http://www.tracking-hackers.com/papers/
Les HoneyPots par François ROPERT: http://www.authsecu.com/honeypots-
honeynet/honeypots-honeynet.php#Les_menaces
CERT AdvisoryCA-2001-18 Multiple Vulnerabilities in Several Implementations of the
Lightweight
DirectoryAccess Protocol (LDAP) http://www.cert.org/advisories/CA-2001-18.html
Honeypots - Tracking Hackers By Lance Spitzner. ISBN: 0-321-10895-7.
Honeypots for Windows by Roger A.Grimes. ISBN: 1590593359.
Virtual Honeypots: From Botnet Tracking to Intrusion Detection. by Niels Provos;
Thorsten Holz. ISBN: 0-321-33632-1.
White Paper: Honeypots by Reto Baumann (http://www.rbaumann.net) and Christian
Plattner (http://www.christianplattner.net).
Know Your Enemy, Honeynets: http://www.symantec.com/connect/articles/know-
your-enemy-honeynets
Virtual Honeynet, Deploying Honeywall using VMware:
http://www.honeynet.pk/honeywall/roo/index.htm
14 Resources: www.ZIANEBilal.com
Table of Contents Honeypot ...........................................................................................................................................1
1. Definitions of Honeypots..........................................................................................................1
2. Types of Honeypots .................................................................................................................3
Production/Research Honeypots: .........................................................................................3
Low/High Interactivity: .........................................................................................................3
Hybrid honeypots: ...............................................................................................................4
3. Advantages of Honeypots ........................................................................................................4
Simplicity and high flexibility ................................................................................................4
Data Value...........................................................................................................................5
Minimal resources ...............................................................................................................5
Capture the new tools and attacks ........................................................................................6
Return on Investment ..........................................................................................................6
4. Disadvantages of Honeypots ....................................................................................................6
Narrow Field of View............................................................................................................6
Fingerprinting ......................................................................................................................6
Risk .....................................................................................................................................7
Honeynets..........................................................................................................................................8
1. How Honeynets Work ..............................................................................................................8
2. Virtual Honeynets .................................................................................................................. 10
HoneyC ............................................................................................................................................ 11
Honeyd ............................................................................................................................................ 11
Honeywall ........................................................................................................................................ 12
DTK.................................................................................................................................................. 12
Honeytrap ........................................................................................................................................ 12
Resources: ....................................................................................................................................... 13
