HoneyPots - WordPress.com

Honeypots
An additional layer of security
By Gary Madzudzo
What are Honeypots?
 A security resource whose value lies in the
unauthorized or malicious interaction with it.
 A deception trap, designed to entice an attacker into
attempting to compromise an organization's
information system.
What are Honeypots?
 More generally a honeypot is a trap set to deflect or
detect attempts at unauthorized use of information
systems.
 Used for monitoring, detecting and analyzing attacks.
 Early warning and advanced security surveillance tool.
 Honeypots do not solve a specific problem. Instead, they are
a highly flexible tool with different applications to
security.
Their Value
 Primary value of honeypots is to collect information.
 This information is then used to better identify,
understand and protect against threats.
 Honeypots add little direct value to protecting your
network.
Why Honeypots
Security personnel and the IT industry depend on honeypots
 Honeypots are used to:
 Build anti-virus signatures
 Build SPAM signatures and filters
 Identify compromised systems
 Assist law enforcement to track criminals
 Hunt and shut down botnets
 Collect and analyse malware
Problems
 Internet security is hard
 New attacks every day.
 Our computers are static targets.
 What should we do?
 The more you know about your enemy, the better
you can protect yourself.
 Fake target?
Uses of Honeypots
 Preventing attacks
 Automated attacks (e.g. worms)
 Attackers randomly scan entire networks and find vulnerable systems
 Sticky honeypots monitor unused IP space and slow down the attacker
when probed
 They use a variety of TCP tricks, such as a zero window size
 Human attacks
 Use deception/deterrence
 Confuse the attackers, making them waste their time and resources
 If the attacker knows your network has honeypots, he may not attack
the network
Uses of Honeypots
 Detecting attacks
 Traditional IDSs generate too many logs, with a large percentage
of false positives and false negatives.
 Honeypots generate small amounts of data and reduce both false
positives and false negatives.
 Traditional IDSs fail to detect new kinds of attacks;
honeypots can detect new attacks.
 Traditional IDSs may be ineffective in an IPv6 or encrypted
environment.
Uses of Honeypots
 Responding to attacks
 Responding to a failure/attack requires in-depth
information about the attacker.
 If a production system is hacked (e.g. mail server) it can’t
be brought offline for analysis.
 Besides, there may be too much data to analyse, which
will be difficult and time-consuming.
 Honeypots can be easily brought offline for analysis.
 Besides, the only information captured by the honeypot
is related to the attack, therefore easy to analyse.
Types
 Honeypots come in two flavors:
 Low-interaction
 High-interaction
 Interaction measures the amount of activity that an
intruder may have with a honeypot.
Some Honeypot Examples
 Nepenthes
 Honeyd
 Honeytrap
 Web Applications
 KFSensor
 BackOfficer Friendly
Classification
 By level of interaction
 High
 Low
 By Implementation
 Virtual
 Physical
 By purpose
 Production
 Research
By Classification - Production
 A production honeypot is used for risk mitigation.
 Most production honeypots are emulations of specific
operating systems or services.
 Help to protect a network and systems against attacks
generated by automated tools used to randomly look
for and take over vulnerable systems.
By Classification - Research
 Real operating systems and services that attackers can
interact with.
 Collect extensive information and intelligence on new
attack techniques and methods.
 Provide a more accurate picture of the types of attacks
being perpetrated.
 Provide improved attack prevention, detection and
reaction information.
Level of Interaction (diagram): Low – fake daemon; Medium – operating system, disk; High – other local resources.
By Classification – Low-level Interaction
 Also known as GEN-I honeypot
 Beginner level attacks
 Simulates some aspects of the system
 Easy to deploy, minimal risk
 Limited Information
Low Interaction Server
 Software that emulates functionality: services,
applications and OSs.
 Easier to deploy and automate, less risk, but
customized to more specific attacks.
 Captures limited information: attackers’ activities are
confined to what the emulated system allows.
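The "fake daemon" idea above, as an added example that is not part of the original slides: a minimal low-interaction listener that serves a constructed banner, captures the first bytes a peer sends, and logs one small record per connection; `demo()` plays the part of a scanner against our own listener so the whole thing runs offline. The banner text, the `ssh-emulated` service label and the loopback address are assumptions.

```python
"""Added example: a minimal low-interaction "fake daemon" emulating one service."""
import socket
import threading
import time

# Constructed banner for the emulated service (no real sshd is involved).
BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"

def handle_client(conn, addr, log):
    """Send the banner, capture the first bytes the peer sends, log one record."""
    conn.settimeout(2.0)
    started = time.time()
    data = b""
    try:
        conn.sendall(BANNER)
        data = conn.recv(1024)
    except OSError:          # timeout or peer reset: still worth a record
        pass
    finally:
        conn.close()
    first = data.splitlines()[0] if data else b""
    # Nothing legitimate should ever connect, so every record is attack-related.
    log.append({"ts": started, "src_ip": addr[0], "src_port": addr[1],
                "service": "ssh-emulated", "bytes": len(data),
                "first_line": first.decode("latin-1", "replace")[:64]})

def serve(host="127.0.0.1", port=0, max_conns=1):
    """Listen on host:port (0 = ephemeral) and handle max_conns peers in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    log = []
    def loop():
        for _ in range(max_conns):
            conn, addr = srv.accept()
            handle_client(conn, addr, log)
        srv.close()
    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return srv.getsockname()[1], log, thread

def demo(payload=b"SSH-2.0-scanner-demo\r\n"):
    """Stand in for a scanner hitting our own listener; returns (banner, log)."""
    port, log, thread = serve()
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    thread.join(5)
    return banner, log
```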
Low Interaction - Honeyd
 Honeyd: a virtual honeypot application which allows us to
create thousands of IP addresses with virtual hosts and
corresponding network services.
 It’s a GEN-I honeypot which emulates services and their
responses for typical network functions from a single
machine.
 It makes the intruder believe that there are numerous different
operating systems.
 Monitors unused IP space.
 Can monitor literally millions of IP addresses at the same time.
Honeyd monitoring unused IPs
By Classification – High-level Interaction
 A high-interaction honeypot consists of: a resource of
interest, data control, data capture and external logs.
 More complex to deploy and maintain in comparison to
low-interaction honeypots.
 Very useful in their ability to identify vulnerable services
and applications for a particular target operating
system.
High Interaction Server
 Typically real applications on real systems. Much
more manual work, but more flexible in the data and
threats it can capture.
 Real services, applications and OS’s.
 Capture extensive information, but high risk and time
intensive to maintain.
 Can capture new, unknown or unexpected behaviour.
High Level - Honeynet
Honeynet - two or more honeypots on a network form a
honeynet.
 Designed to capture in-depth information.
 It’s an architecture populated with live systems.
 Used for monitoring a larger and/or more diverse network in which
one honeypot may not be sufficient.
 Honeynets (and honeypots) are usually implemented as parts
of larger network intrusion-detection systems.
 Their primary value lies in research, gaining information on
threats.
Gen II Honeynet
Client Based Honeypots
Threats change, and so too do the technologies. Bad
guys have moved to client-based attacks; they let the
victims come to them.
 Capture-HPC (high interaction)
 HoneyC (low interaction)
 Microsoft Strider Honeymonkey
Wireless Honeypots
Fake AP
 A script that emits spoofed probe responses into the
air in an effort to mislead any war drivers.
 The script is tied into the wireless card and dynamically
changes the SSID, MAC address, channel and signal
strength to make it look like numerous wireless
networks are operating in the area.
 This technique is not useful against more skilled hackers,
who can recognise the method and focus on the valid
network.
Wireless Honeypots
 The wireless honeypot takes the non-interactive fake AP
and creates a seemingly valid environment that looks and
acts like a real wireless network. This gives hackers
nothing but practice.
 Such honeypots include APs, emulated client traffic,
monitors for data collection and maybe a valid
infrastructure if the honeypot owner needs to collect data
on deeper penetration techniques.
Building a Honeypot
 To build a honeypot, a set of virtual machines is
created.
 They are then set up on a private network with the
host operating system.
 To facilitate data control, a stateful firewall such as
iptables can be used to log connections.
 The final step is data capture, for which tools such as
Sebek and Term Log can be used.
 Analysis of the data can be performed using tools
such as Honey Inspector, PrivMsg and SleuthKit.
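The data-control step, as an added example that is not from the slides: it audits iptables LOG lines from the honeynet gateway, counts inbound connection attempts to the honeypots (the intelligence we want) and flags any honeypot whose own outbound connection attempts exceed a small allowance, which is the sign that the attacker has taken it over and is using it against other systems. The honeypot addresses, the `HONEYNET` log prefix and the sample lines are constructed assumptions.

```python
# Added example: audit the honeynet gateway's iptables LOG lines for data control.
import re
from collections import Counter

# Assumed honeypot addresses on the private segment behind the gateway.
HONEYPOTS = {"10.0.0.5", "10.0.0.6"}

# Constructed sample of iptables LOG output (trimmed to the fields used here).
SAMPLE_LOG = """\
Jan 12 10:21:03 gw kernel: HONEYNET IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 12 10:21:04 gw kernel: HONEYNET IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.6 PROTO=TCP SPT=51001 DPT=445 SYN
Jan 12 10:21:09 gw kernel: HONEYNET IN=eth0 OUT=eth1 SRC=203.0.113.40 DST=10.0.0.5 PROTO=TCP SPT=40222 DPT=80 SYN
Jan 12 10:21:09 gw kernel: HONEYNET IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.40 PROTO=TCP SPT=80 DPT=40222 ACK SYN
Jan 12 10:25:40 gw kernel: HONEYNET IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=38811 DPT=6667 SYN
Jan 12 10:25:41 gw kernel: HONEYNET IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP SPT=38812 DPT=22 SYN
"""

FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line):
    """Extract the key=value fields we need; SYN-without-ACK marks a new connection."""
    fields = dict(FIELD.findall(line))
    fields["SYN"] = bool(re.search(r"\bSYN\b", line)) and not re.search(r"\bACK\b", line)
    return fields

def audit(log_text, honeypots=HONEYPOTS, outbound_limit=1):
    """Count inbound probes per (source, port) and outbound SYNs per honeypot.

    Honeynet data control normally permits a small number of outbound
    connections so the intruder is not tipped off; any honeypot exceeding
    outbound_limit is reported as likely compromised.
    """
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f["SYN"]:
            continue                      # replies and established traffic are not probes
        if f.get("DST") in honeypots:
            inbound[(f.get("SRC"), f.get("DPT"))] += 1
        elif f.get("SRC") in honeypots:
            outbound[f["SRC"]] += 1
    compromised = sorted(ip for ip, n in outbound.items() if n > outbound_limit)
    return {"inbound": inbound, "outbound": outbound, "compromised": compromised}
```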
Deployment
 Install honeypots alongside regular production servers. The
honeypot will likely need to mirror some real data and
services from the production servers in order to attract
attackers.
 Pair each server with a honeypot, and direct suspicious
traffic destined for the server to the honeypot.
 Build a honeynet, which is a network of honeypots that
imitate and replicate an actual or fictitious network.
Advantages of using Honeypots
 Collect small amounts of information that have great value
and are easier to analyse.
 Capture any activity and can work in encrypted networks.
 Can lure the intruders very easily.
 Are relatively simple to create and maintain.
 Work with IPv6.
 Can be used in a variety of environments.
 Reduce false positives and negatives.
 Require minimal resources.
Disadvantages of using Honeypots
 Add complexity to the network.
 Have a limited field of view.
 Only see what interacts with them.
 There is also a level of risk to consider.
 Can’t be used to detect attacks on other systems.
 Attacker may take over the honeypot and use it to
attack other systems.
 It is an expensive resource for some corporations.
Conclusion
 Honeypots are positioned to become a key tool to defend
corporate enterprises from hacker attacks.
 Honeypots are not a solution, they are a flexible tool with
different applications to security.
 Although honeypots have legal issues now, they do
provide beneficial information regarding the security of a
network.
 This will help to solve current challenges and make it
possible to use honeypots for the benefit of the broader
internet community.
Summary Video
http://www.youtube.com/watch?v=76iHn5MH2IY