Honeypot
Seoul National University of Science and Technology
Jeilyn Molina
121336101
Definition
A honeypot is software or a set of computers intended to attract
attackers by pretending to be a weak or vulnerable system. It is a
security tool used to collect information on attackers and their
techniques.
Purpose
Honeypots can distract attackers from the most important
machines in the system, quickly alert the system
administrator to an attack, and allow in-depth examination
of the attacker during and after the attack on the honeypot.
Types of Honeypots
● Production honeypots
They are easy to use, capture only limited information, and are used primarily by
companies or corporations. An organization places production honeypots inside the
production network, alongside its other production servers, to improve its overall
state of security. Normally, production honeypots are low-interaction honeypots,
which are easier to deploy.
● Research honeypots
They are run to gather information about the motives and tactics of the attacker
community targeting different networks.
These honeypots do not add direct value to a specific organization; instead, they are
used to research the threats organizations face and to learn how to better protect
against those threats. Research honeypots are complex to deploy and maintain,
capture extensive information, and are used primarily by research, military, or
government organizations.
Types of Honeypots
● Low-interaction honeypots
They simulate only the services frequently requested by attackers. Since they consume
relatively few resources, multiple virtual machines can easily be hosted on one
physical system, the virtual systems have a short response time, and less code is
required, which reduces the complexity of securing the virtual systems.
● Medium-interaction honeypots
These honeypots do not aim to fully simulate an operational system environment.
Instead, they provide the responses that known exploits await on certain ports,
sufficient to trick them into sending their payload.
The honeypot can then download the malware from the serving location and store it
locally or submit it somewhere else for analysis.
● High-interaction honeypots
They imitate the activities of real systems that host a variety of services, so the
attacker may be offered many services on which to waste time.
In general, high-interaction honeypots provide more security by being difficult to
detect, but they are expensive to maintain.
By employing virtual machines, multiple honeypots can be hosted on a single
physical machine. Therefore, even if the honeypot is compromised, it can be
restored more quickly. If virtual machines are not available, one physical
computer must be maintained for each honeypot.
Placement of Honeypot
• External honeypots
This is the easiest setup for single personal, home-based and research honeypots.
With external placement, there is no firewall in front of the honeypot. The
honeypot and production network share the same public IP address subnet.
• Internal Honeypots
This placement is the best way to create an early-warning system to alert
you to any external exploits that have made it past your other network
defenses and catch internal threats at the same time.
Honeynet
A typical honeynet consists of multiple honeypots and a firewall (or
firewalled-bridge) to limit and log network traffic.
It is often used to watch for potential attacks and to decode and store network
traffic on the preliminary system.
Virtual honeypot
• A virtual honeypot uses application software to create a new, separate
operating system environment.
• The virtual host actually uses or shares the same hardware as the
physical OS does.
• Instead of using different hardware for each host, many different
virtual servers may be contained on one piece of hardware.
How It Works
• Bait
The simplest use for a honeypot is to act as bait. If a hacker or malicious
program attempts to target your computer, a honeypot can be set up as
bait.
For instance, suppose a hacker likes to cause mischief in file transfer programs.
You would set up a honeypot to act as a dummy file transfer program, and your
computer would direct the hacker to the honeypot.
• Monitor
Another use for a honeypot is as a monitor.
You check on it periodically and read the logs to see if there has been any
activity.
While the honeypot's purpose of being a distraction hasn't changed, you're now
using it as an active security monitor, rather than as a passive lure that draws
malicious programs and computer users off course and into a place where they
can't do any real harm to your system.
• Information Gathering
A honeypot also has the potential to get hackers to betray themselves throughout
their interaction with it.
By showing how the hacker works, what programs they attempt to use, and even
where the hacker's connection is coming from, a honeypot may give you enough
information to backtrack the hacker and to find out who they are and where
they're operating from.
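Added example (not from the original slides): a low-interaction honeypot in Python that plays the dummy file transfer program from the Bait item and produces the logs read in the Monitor item. The FTP reply strings, the in-memory EVENTS log, the function names, and the demo credentials are assumptions constructed for illustration.

```python
import asyncio
import time

EVENTS = []  # in-memory log for the demo; a deployment would persist this
REPLIES = {"USER": b"331 Password required\r\n", "PASS": b"530 Login incorrect\r\n",
           "QUIT": b"221 Goodbye\r\n"}  # assumed replies: every login is refused

def log_event(src, kind, data=""):
    EVENTS.append({"ts": time.time(), "src": src, "kind": kind, "data": data[:256]})

async def handle(reader, writer):
    """Fake FTP control channel: record every command, never grant access."""
    src = writer.get_extra_info("peername")[0]
    log_event(src, "CONNECT")
    writer.write(b"220 FTP server ready\r\n")
    try:
        while line := await asyncio.wait_for(reader.readline(), timeout=30):
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            log_event(src, cmd, arg)
            writer.write(REPLIES.get(cmd, b"530 Please login with USER and PASS\r\n"))
            await writer.drain()
            if cmd == "QUIT":
                break
    except (asyncio.TimeoutError, ConnectionError, ValueError):
        log_event(src, "DROPPED")  # idle peer, reset, or over-long line
    finally:
        writer.close()

def summarize(events):
    """Monitor step: group logged command arguments by source and command."""
    out = {}
    for e in events:
        out.setdefault(e["src"], {}).setdefault(e["kind"], []).append(e["data"])
    return out

async def demo():
    """Constructed local session on an ephemeral port; credentials are made up."""
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    r, w = await asyncio.open_connection(*server.sockets[0].getsockname()[:2])
    banner = await r.readline()
    for cmd in (b"USER admin\r\n", b"PASS hunter2\r\n", b"QUIT\r\n"):
        w.write(cmd)
        await r.readline()
    w.close()
    server.close()
    return banner, summarize(EVENTS)

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Because no legitimate user has a reason to connect to the decoy, any entry in the summary is worth an alert; the length of a source's CONNECT list is its connection count.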
Value of the Honeynet
• Helps the organization defend itself and react
• Provides an organization with information on its own risk
• Determines which systems are compromised within the production network
• Uncovers risks and vulnerabilities
• Especially valuable for research
http://map.honeycloud.net/
Questions??