Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Honeynets and Honeypots: Companion Technology for

advertisement 
Honeynets and Honeypots:
Companion Technology for Detection
and Response
Cristine Hoepers
cristine@nic.br
NIC BR Security Office – NBSO
Brazilian Computer Emergency Response Team
http://www.nbso.nic.br/
Honeynet.BR & Brazilian Honeypots Alliance
http://www.honeynet.org.br/
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.1/41
Overview
• Some definitions
• Types of Honeypots
–
–
differences
possible uses
• Types of data gathered
–
–
in a Honeynet
in a network of distributed honeypots
• Additional Information
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.2/41
Honeypot Definition
“A honeypot is a security resource whose
value lies in being probed, attacked or
compromised.”
Lance Spitzner,
Honeypots: Tracking Hackers.
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.3/41
Advantages
• There is no “normal” traffic. Everything is
suspicious and potentially malicious.
• Less data to analyse than in IDS systems
• Can provide valuable information about
attackers
• Can capture new types of malware
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.4/41
Disadvantages
• There are potential risks for your network
(depending on the type)
• Can be time consuming to maintain
• Narrow view – sees only what is directed to it
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.5/41
What honeypots aren’t
• Honeypots are not replacements for:
–
security best practices
–
security policies
–
firewalls
–
IDS
–
patch management
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.6/41
Types of Honeypots
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.7/41
Low-interaction Honeypots
• Easy to install and maintain
• Low risk
• Limited information gathering
• Examples:
–
listeners, service emulators, honeyd, Tiny
Honeypot.
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.8/41
Low-Interaction Honeypots (cont.)
• Emulate some parts of services and systems
• The attacker does not have access to the real
operating system
• The attacker can’t compromise the honeypot
(in theory)
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.9/41
High-interaction Honeypots
• More difficult to install and maintain
• High risk
• Need containment mechanisms
• Extensive information gathering
• Example:
–
honeynets, virtual honeynets
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.10/41
Honeynet Definition (1)
“A Honeynet is nothing more than one
type of honeypot. Specifically, it is a high
interaction honeypot designed primarily for
research, to gather information on the
enemy. [...] A Honeynet is different from
traditional honeypots, it is what we would
categorize as a research honeypot.”
Lance Spitzner,
Know Your Enemy: Honeynets
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.11/41
Honeynet Definition (2)
“A honeynet is a research tool consisting
of a network specifically designed for the
purpose of being compromised, with
control mechanisms that prevent this
network from being used as a base for
launching attacks against other networks.”
Cristine Hoepers, Klaus Steding-Jessen, Antonio Montes,
Honeynets Applied to the CSIRT Scenario
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.12/41
Honeynets Characteristics
• A network of multiple systems and
applications
• Robust containment mechanism
–
may have multiple layers of control
–
sometimes called “honeywall”
• Data capture and alerting mechanisms
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.13/41
Honeynet Requirements
• No data pollution (i.e. no test or traffic
generated by non-blackhats)
• Data control
• Data capture
• Data collection
• Alerting mechanism
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.14/41
Risks
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.15/41
Low-Interaction Honeypots Risks
• Compromise of the real operating system
running the honeypot
• The honeypot software may have
vulnerabilities
• Attract attackers to your network
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.16/41
Honeynets Risks
• A mistake in containment or configuration can
–
permit your honeynet to be used to harm
other networks
–
open a port to your organization’s network
• A compromise associated with your
organization can affect its image
• Your honeynet being identified
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.17/41
Honeynets Risks (cont.)
Why they are so risky:
• Level of interaction – the attacker has full
control of the machine
• Complex to deploy and maintain
–
variety of technologies working together
–
multiple points of failure
• New attacks and unexpected threats may not
be contained or seen
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.18/41
Possible Uses
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.19/41
Possible Uses
• Detect automated probes and attacks
• Capture tools, new worms, etc
• Identify insider’s attacks (internal honeypots,
honeytokens)
• Compare with IDS and Firewall logs
• Raise awareness
• Identify infected/compromised machines
–
use the data to generate reports
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.20/41
When to Use
Low-Interaction Honeypots
• There is insufficient hardware to set up a
honeynet
• The risk of another type of honeypot is not
acceptable
• The purpose is:
–
–
–
–
identify scans and automated attacks
fool script kiddies
distract attackers from important systems
collect attack signatures and trends
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.21/41
When to Use (cont.)
High-Interaction Honeypots
• The purpose is to observe the intruders
activities and behavior:
–
–
observe a real compromise
IRC conversations
• Need material for research and training in:
–
–
artifact analysis
forensic analysis
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.22/41
Low x High-Interaction Honeypots
Low-Interaction
High-Interaction
Installation
Easy
More difficult
Maintenance
Easy
Time consuming
Risk
Low
High
Need Control
No
Yes
Data gathering
Limited
Extensive
Interaction
Emulated services
Full control
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.23/41
Some Results
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.24/41
Data Gathered
Show some types of data gathered:
• In a Honeynet of the Honeynet.BR Project
http://www.honeynet.org.br/
• In a Network of Distributed Honeypots
http://www.honeypots-alliance.org.br/
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.25/41
Data Gathered by Honeynets
Honeynet.BR Topology
Honeynet
Forensics
Administrative Network
Honeypot 1
Hub
Switch
INTERNET
IDS
Honeypot 2
...
Router
Firewall
Hogwash
Honeypot n
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.26/41
Data Gathered by Honeynets (cont.)
• Network traces of successful attacks
–
update IDS signatures
–
understand attacks
• Profile of intruders
–
modus operandi
–
IRC conversations, motives
–
possible origin
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.27/41
Data Gathered by Honeynets (cont.)
• Rootkits, exploits, etc
– Used to update the chkrootkit tool
http://www.chkrootkit.org/
• New worms
– Scan of the Month Challenge 25 – Analyze a worm
recovered by a Honeynet.
http://www.honeynet.org/scans/scan25/
– Propagation of "Slapper" OpenSSL/Apache Worm
Variants
http://xforce.iss.net/xforce/alerts/id/advise134
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.28/41
Data Gathered by Honeypots
Brazilian Honeypots Alliance
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.29/41
Data Gathered by Honeypots (cont.)
• Low-interaction honeypots distributed over
mulitple networks
• Configuration of each honeypot:
OpenBSD
– Honeyd
– listeners
–
• Data collection in 2 central points:
NBSO/Brazilian CERT
– CenPRA Research Center
–
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.30/41
Data Gathered by Honeypots (cont.)
• Malware and spybot samples collected using
listeners
–
–
–
mydoom
kuang
subseven
• All traffic is logged (not only “SYN” packets)
able to see signatures of attacks, scans
and worms
– reduce false positives
–
• Observe the “noise” of malware activity
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.31/41
Data Gathered by Honeypots (cont.)
• Sanitized data is being used by NBSO to:
–
notify Brazilian networks involved in
malicious activity
–
donate data to other CSIRTs interested in
notifying their constituents
• Virus and malware are being sent to some AV
vendors
The following graphics are based on reports sent
by NBSO to Brazilian Networks, in the first
quarter of 2004.
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.32/41
Data Gathered by Honeypots (cont.)
250
DCOM RPC (Blaster)
Reports (cumulative)
200
150
100
50
0
10/Jan
24/Jan
07/Feb
21/Feb
06/Mar
20/Mar
2004
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.33/41
Data Gathered by Honeypots (cont.)
100
Kuang (17300/TCP)
Reports (cumulative)
80
60
40
20
0
10/Jan
24/Jan
07/Feb
21/Feb
2004
06/Mar
20/Mar
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.34/41
Data Gathered by Honeypots (cont.)
4000
Code Red
3500
Reports (cumulative)
3000
2500
2000
1500
1000
500
0
07/Feb
14/Feb
21/Feb
28/Feb
06/Mar
13/Mar
20/Mar
27/Mar
2004
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.35/41
Data Gathered by Honeypots (cont.)
450
openproxy scans
400
Reports (cumulative)
350
300
250
200
150
100
50
0
10/Jan
24/Jan
07/Feb
21/Feb
06/Mar
20/Mar
2004
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.36/41
Data Gathered by Honeypots (cont.)
4000
Dameware (6129/TCP)
Mydoom
3500
Reports (cumulative)
3000
2500
2000
1500
1000
500
0
06/Mar
13/Mar
20/Mar
27/Mar
2004
Possible Agobot/Phatbot side effect
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.37/41
Data Gathered by Honeypots (cont.)
SYN packets received (log scale)
Src Operating Systems
10M
1M
100K
10K
1K
Windows
Linux
unknown
Solaris
NetApp
NMAP
OpenBSD
Cisco
FreeBSD
Novell
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.38/41
Data Gathered by Honeypots (cont.)
350000
Src IPs Origin
300000
Unique src IPs
250000
200000
150000
100000
50000
0
US
CN
JP
KR
CA
BR
FR
DE
TW
UK
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.39/41
Additional Information
• Honeynet.BR Project
http://www.honeynet.org.br/
• Brazilian Honeypots Alliance
http://www.honeypots-alliance.org.br/
• The Honeynet Project
http://www.honeynet.org/
• Honeynet Research Alliance
http://www.honeynet.org/alliance/
• Honeypots: Tracking Hackers
http://www.tracking-hackers.com/book/
• Know Your Enemy, 2nd Edition
http://www.honeynet.org/book/
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.40/41
Additional Information
• Honeyd
http://www.honeyd.org/
• Honeyd: A Virtual Honeypot Daemon (Extended
Abstract)
http://www.citi.umich.edu/u/provos/papers/honeyd-eabstract.pdf
• Honeynets Applied to the CSIRT Scenario
http://www.honeynet.org.br/papers/hnbr-first2003.pdf
• Honeynet Challenges
http://www.honeynet.org/misc/chall.html
• SecurityFocus Honeypots Mailinglist
http://www.securityfocus.com/archive/
AusCERT2004 Conference, Technical Stream – May 24, 2004 – p.41/41
Related documents
A sample final
A sample final
Honeypots
Honeypots
Honeypots-Presentation
Honeypots-Presentation
HoneyPots
HoneyPots
landform
landform
BITS NEWS E-Bulletin
BITS NEWS E-Bulletin
Shaina Reddinger - Mrs. Maine`s Wikispace
Shaina Reddinger - Mrs. Maine`s Wikispace
Market Research in E
Market Research in E
HP Workshop 2012: Tunisian chapter Update
HP Workshop 2012: Tunisian chapter Update
Surface Water Worksheet
Surface Water Worksheet
Download
advertisement