Honeypot 서울과학기술대학교 Jeilyn Molina 121336101 Definition Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak or vulnerable systems to attack. It is a security tool used to collect information on the attackers and their techniques. Purpoce Honeypots can distract the attackers of the most important machines in the system and quickly alert the system administrator of an attack, and allows in-depth examination of the attacker, during and after the attack on the honeypot. Types of Honeypots ● Production honeypots Are easy to use, capture only limited information, and are used primarily by companies or corporations; Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. ● Research honeypots Are run to gather information about the motives and tactics of the attackers community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations. Types of Honeypots ● Low-interaction honeypots Simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the security of the virtual systems. Types of Honeypots ● Medium-interaction These kind of honeypots do not aim at fully simulating a fully operational system environment, they provide sufficient responses that known exploits await on certain ports that will trick them into sending their payload. The Honeypot can then download the Malware from the serving location and store it locally or submit it somewhere else for analysis. Types of Honeypots ● High-interaction honeypots Imitate the activities of the real systems that host a variety of services and the attacker may be allowed a lot of services to waste his time. In general, high interaction honeypots provide more security by being difficult to detect, but they are highly expensive to maintain. By employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. If virtual machines are not available, one honeypot must be maintained for each physical computer. Placement of Honeypot • External honeypots This is the easiest setup for single personal, home-based and research honeypots. With external placement, there is no firewall in front of the honeypot. The honeypot and production network share the same public IP address subnet. Placement of Honeypot • Internal Honeypots This placement is the best way to create an early-warning system to alert you to any external exploits that have made it past your other network defenses and catch internal threats at the same time. Honeynet A typical honeynet consists of multiple honeypots and a firewall (or firewalled-bridge) to limit and log network traffic. Is often used to watch for potential attacks and decode and store network traffic on the preliminary system. Virtual honeypot • Virtual honeypot uses application software to create a new, separate operating system environment. • The virtual host actually uses or shares that same hardware as the physical OS does. • Instead of using different hardware for each host, many different virtual servers may be contained on one piece of hardware. How it Works?? • Bait The simplest use for a honeypot is to act as bait. If a hacker or malicious program will attempt to target your computer, then a honeypot can be set up as bait. For instance, a hacker that liked to cause mischief in file transfer programs. You would set up a honeypot to act as a dummy file transfer program, and your computer would direct the hacker to the honeypot. • Monitor Another use for a honeypot is as a monitor. Then you check on it periodically and read the logs to see if there's been any activity. While the honeypot's purpose of being a distraction hasn't changed, you're now using it as an active security monitor, rather than as a passive lure to suck malicious programs and computer users off course and into a place where they can't do any real harm to your system. • Information Gathering A honeypot also has the potential to get a hacker to betray herself throughout her interaction with it. By observing how the hacker works, what programs they attempt to use and even where the hacker's connection is coming from. A honeypot may give you enough information to back track the hacker and to find out who they are and where they're operating from. Value of the Honeynet • Defends organization and react • Provide an organization information on their own risk • Determine system compromised within production network • Risks and vulnerabilities discovered • Specially for research http://map.honeycloud.net/ References http://www.honeynet.org http://map.honeycloud.net http://www.seguridad.unam.mx http://www.tracking-hackers.com http://security.rbaumann.net/download/whitepaper.pdf http://www.sersc.org/journals/IJSIA/vol5_no1_2011/3.pdf Questions??