CHAPTER 15
Honeypots: Taking the Offensive in Network Security
Turner, Michael P.

Image of Honeypot by Mark Fruhwirth

The purpose of this paper is to inform any interested party about the basics of honeypots and honeynets. The information in this paper is comprised of research I gathered from various sources, which are cited below. Most of the content in this paper is paraphrased or taken directly from these cited sources.

What are Honeypots?

In modern times, the security of digital information is a major concern. Most security strategies are defensive, but the use of a deceptive and almost offensive approach is increasing. This steadily more popular strategy is the use of a decoy-based system called a honeypot. So what are honeypots? According to Honeypots.net, “honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attacks and exploitation trends and they allow in-depth examination of adversaries during and after exploitation of a honeypot.” (honeypots.net)

The truth is that most people don’t believe, or even know, that their machines are targets for cyber attackers. They don’t realize that there are many people out there trying to access their machines, and they think the odds of their machine being compromised are nil. Unfortunately, there are people everywhere deliberately cracking into systems every day, and eventually most systems will have had someone try to gain unauthorized access to them; basically, everyone is a target. Even though we’d like to believe that these people don’t exist, they do, and the worth of a honeypot depends strictly on these people interacting with it. Honeypots can be a sweet and enticing trap for people of this nature.
Basically, honeypots are mock information servers deliberately positioned in a test network and fed with false information disguised as files of a classified nature. The servers are initially configured in a way that is complicated, but definitely possible, for an attacker to break into, exposing them deliberately and making them highly attractive to a hacker in search of a target. (Spitzner, Honeypots: Tracking Hackers, 2003)

Figure 15.1 - Image of a network with honeypots (Information Technology Specialty)

The main functions of honeypots are as follows (Hernandez y Lopez & Resendez):

- “To divert the attention of the attacker from the real network, in a way that the main information resources are not compromised
- To capture new viruses or worms for future study
- To build attacker profiles in order to identify their preferred attack methods, similar to criminal profiles used by law enforcement agencies in order to identify a criminal’s modus operandi.
- To identify new vulnerabilities and risks of various operating systems, environments and programs which are not thoroughly identified at the moment”

Levels of Interaction

There are typically 3 levels of interaction for honeypots: low, medium and high interaction honeypots. These levels give us a scale by which to measure and compare them. Some honeypots emulate only a few services, such as FTP or Telnet, and some honeypots are actual systems with a complete operating system and full applications. Below is a table that shows the tradeoffs between the level of interaction, the workload necessary to install and maintain the honeypot, and the level of risk.
Level of      Work to Install   Work to Deploy   Information   Level of
Interaction   and Configure     and Maintain     Gathering     Risk
Low           Easy              Easy             Limited       Low
Medium        Involved          Involved         Variable      Medium
High          Difficult         Difficult        Extensive     High

Table 15.1 - (Spitzner, Honeypots: Tracking Hackers, 2003)

As you can see, low interaction honeypots are easy to configure and take care of, but they gather only limited information. High interaction honeypots are difficult to configure and maintain, but they gather vast amounts of information about the attacker.

Low interaction Honeypots

Low interaction honeypots are the easiest to install. They usually emulate an operating system’s services, limiting the attacker’s activities. Simplicity is the key factor when deciding to use this type of honeypot, because they are easy to use and easy to maintain. Another advantage is that there is minimal risk with this type of honeypot. (Hernandez y Lopez & Resendez)

These honeypots are called low interaction because the attacker can only do so much when attempting to compromise them. As an example of a low interaction honeypot, an attacker tries to Telnet into the honeypot; he/she gets a banner stating the operating system and possibly even a login prompt. The attacker can then attempt to log in by guessing the password, using a brute force password cracker, or using whatever method desired. The honeypot captures and collects the login attempts, but there is no actual operating system for the attacker to log on to. This limits the attacker strictly to login attempts; there is nothing more that the attacker can do. It also means that the data collected from the honeypot is limited to the detection of unauthorized scan attempts and connections by an attacker. (Spitzner, Honeypots: Tracking Hackers, 2003)

Although the emulated services of a low interaction honeypot gather only limited information, there is an advantage to the attacker’s restricted activity: it alleviates the risk of the attacker accessing an actual operating system and using it as a platform to attack and harm others. A disadvantage is that a skilled attacker may become privy to the false system, realizing what it actually is. (Spitzner, Honeypots: Definitions and Value of Honeypots) These types of honeypots are often used as production honeypots, that is, as decoys used to lure an attacker away from an organization’s actual systems. Honeyd or Specter may be considered examples of low interaction honeypot software.

Medium Interaction Honeypots

Medium interaction honeypots offer attackers more ability to interact than low interaction honeypots do, but less functionality than high interaction solutions (Spitzner, Honeypots: Tracking Hackers, 2003). “A medium-interaction honeypot will more fully implement the HTTP protocol to imitate a well-known vendor's implementation, such as Apache” (Peter & Schiller). Much like the low interaction honeypot, this type of honeypot usually provides only a restricted operation of services, and there is no actual operating system for the attacker to compromise.

In some cases a medium interaction honeypot is used as a jail or chroot. “A chroot (jail) is a UNIX feature that creates a limited sandbox allowing a process to view only a single subtree of the filesystem” (Haas). Creating a virtual OS in this way allows an administrator to partition an operating system environment within a real operating system. Although the virtual OS is controlled by the actual operating system, it gives the look and atmosphere of a legitimate operating system. This allows the security admin to heavily monitor and control the attacker’s activities from the master OS. (Spitzner, Honeypots: Tracking Hackers, 2003)

Medium interaction honeypots, although similar to low interaction ones, are more time consuming to install and configure because they involve a high level of customization and development. More modifications are needed in order to emulate a system such as a web server, and usually these types of honeypots are not prepackaged commercial products. (Spitzner, Honeypots: Tracking Hackers, 2003) Nepenthes may be considered an example of low to medium interaction honeypot software.

High Interaction Honeypots

These honeypots are much more complex than the other two because they use an actual machine instead of software that emulates services. “For example, if a Honeypot needs to be implemented on a real Linux system running an FTP server, a real Linux system needs to be built on a real computer and a real FTP server will need to be configured.” (Hernandez y Lopez & Resendez) A standard build for a high interaction honeypot is no different from a production honeypot used in an organization. Basically, the one thing that separates them from a production system is that the value of these machines relies on their being probed, attacked or compromised (Spitzner, Honeypots: Tracking Hackers, 2003).

Although they hold no data of significance, the risk is high with high interaction honeypots because once they are compromised an attacker can still use them as a platform to attack other machines. This requires much more work and involvement from a system admin to alleviate the risks. These types of honeypots require the assistance of other defensive technologies such as firewalls and IDSs (intrusion detection systems). High interaction honeypots are usually placed within a controlled environment behind a firewall or, in more modern honeypot deployments, a honeywall.
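The Telnet login scenario from the Low interaction Honeypots section above, as an added example (not code from the chapter or from any of the tools it names): a small Python emulator that shows a banner and a login prompt, records every username/password pair with the peer address and a timestamp, and always answers "Login incorrect" because there is no operating system behind the prompt. The banner text, the failure limit and the listening port are constructed values.

```python
# Low interaction Telnet-style honeypot emulator (constructed example, see lead-in).
import socket
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple

BANNER = b"\r\nUbuntu 8.04 LTS\r\n"  # constructed banner in the style of a Linux telnetd
MAX_FAILURES = 3                     # constructed: hang up after this many failed logins

# One recorded username/password pair: who tried it, what they tried, and when.
Attempt = NamedTuple("Attempt", [("peer", str), ("username", str), ("password", str), ("ts", float)])

@dataclass
class Session:
    """One emulated login dialogue; feed() is socket-free so it can be tested directly."""
    peer: str
    log: List[Attempt]              # shared log of all attempts seen
    username: Optional[str] = None  # set once the "login:" answer arrives
    failures: int = 0
    closed: bool = False

    def greeting(self) -> bytes:
        return BANNER + b"login: "

    def feed(self, line: str) -> bytes:
        if self.closed:
            return b""
        if self.username is None:   # first line of a pair is the username
            self.username = line
            return b"Password: "
        # No OS behind the prompt: record the pair, then always reject it.
        self.log.append(Attempt(self.peer, self.username, line, time.time()))
        self.username = None
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.closed = True      # like a real telnetd: drop the connection
            return b"\r\nLogin incorrect\r\n"
        return b"\r\nLogin incorrect\r\n\r\nlogin: "

def clean_line(raw: bytes) -> str:
    """Strip Telnet option negotiation (IAC cmd opt triples) and control bytes."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b == 0xFF:               # IAC: skip the command and option bytes as well
            i += 3
            continue
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        i += 1
    return "".join(out).strip()

def summarize(log: List[Attempt]) -> Dict[str, Dict]:
    """What a low interaction honeypot can tell you: who probed and what they tried."""
    per_peer: Dict[str, int] = {}
    creds: Dict[Tuple[str, str], int] = {}
    for a in log:
        per_peer[a.peer] = per_peer.get(a.peer, 0) + 1
        creds[(a.username, a.password)] = creds.get((a.username, a.password), 0) + 1
    return {"attempts_per_peer": per_peer, "credentials": creds}

def handle(conn: socket.socket, peer: str, log: List[Attempt]) -> None:
    session = Session(peer, log)
    with conn, conn.makefile("rb") as rx:
        conn.sendall(session.greeting())
        for raw in rx:
            conn.sendall(session.feed(clean_line(raw)))
            if session.closed:
                break

def serve(host: str = "127.0.0.1", port: int = 2323) -> None:
    """Accept connections forever; each peer gets its own emulated login dialogue."""
    log: List[Attempt] = []
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr[0], log), daemon=True).start()

if __name__ == "__main__":
    serve()  # then connect with: telnet 127.0.0.1 2323
```

Everything the emulator can ever learn is in the attempt log, which is the point of the section: a low interaction honeypot yields connection and credential data and nothing beyond it.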
A honeywall is basically a gateway to and from a honeynet, “but it is also a firewall, an IPS (Intrusion Prevention System), and a network traffic/system logger” (Diego, 2004). All traffic entering or leaving the honeynet must go through this honeywall (Spitzner, Know Your Enemy: GenII Honeynets, last modified 2005). The ability to control and limit the attacker comes from a network access control device such as the honeywall itself, not from the honeypot. The firewall or honeywall is used to let the attacker compromise the system but not let him/her launch attacks back out, which makes it complicated to deploy and maintain. (Spitzner, Honeypots: Tracking Hackers, 2003)

With the attacker being allowed access to an actual system and having so much freedom inside it, the risk is extremely high. A lot of dedicated work goes into deploying and maintaining these types of honeypots, requiring constant attention and monitoring of the system. The advantage of giving the intruder so much freedom is that the amount of information gathered from the attack is extensive. One can observe every action taken by the attacker: what kind of information they are looking for, what exploits they used to compromise the system, their every keystroke, where the attack came from and when, the skill level and behavior of the intruder, etc. The amount of information gathered is often worth the risk. These types of honeypots are most often used as research honeypots.

Why are Honeypots Important?

The first documented case of a honeypot being used to capture a previously unknown exploit happened on January 8, 2002, on a Solaris honeypot. Solaris is a UNIX operating system originally developed by Sun Microsystems. This Solaris honeypot captured a dtspcd exploit, an attack that had never been seen before. Dtspcd, the CDE Sub-process Control Service, was known among the security community to be a vulnerable process, but there was no known exploit for it, or so it was assumed. Apparently in the blackhat community, a community of unethical cyber attackers, there was an exploit, and it was found when someone used it to gain remote access to this Solaris honeypot. Based upon the information gathered from the honeypot, the Computer Emergency Readiness Team (CERT) was able to release a warning to the security community. This validates the importance of honeypots: not only catching already known attacks like worms, but also catching and exposing unknown cyber assaults. (Spitzner, Honeypots: Tracking Hackers, 2003)

Everyone has an idea of what a honeypot is. Some believe it is a deception tool, some believe its purpose is to lure intruders, and some think it’s some sort of IDS. The example in the paragraph above is just one of the many useful things honeypots can be used for. Most systems like a firewall or an IDS (Intrusion Detection System) have one main purpose: a firewall blocks unauthorized network traffic and an IDS detects unauthorized access. Honeypots are different in that they aren’t used to solve a single specific problem. Like firewalls, honeypots can be used to deter attacks; like an IDS, they can be used to detect attacks; they can be used to capture and analyze automated attacks like worms or act as early warning sensors; and they also give you the ability to research the blackhat community by capturing the keystrokes and conversations of attackers. A honeypot is a tool that contributes to the overall security architecture and, depending on how you build it, can be used for a variety of different reasons. (Spitzner, Honeypots: Tracking Hackers, 2003)

Production Honeypots and Research Honeypots

The type of honeypot you use has very much to do with the reasoning behind deploying it. Honeypots are mainly deployed as 2 different types: production honeypots and research honeypots. A honeypot used more as a decoy, with minimal functionality and a low interaction level, would be deployed as a production honeypot, whereas a honeypot made from an actual operating system and used to gain information about an attacker and their behavior, with a high interaction level, would most likely be deployed for research.

Production Honeypots

This is the most common type of honeypot. Companies, businesses and institutions use honeypots in this way to protect themselves from attack by luring the attacker elsewhere. Production honeypots don’t require as much functionality as research honeypots and are easier to build and deploy. (Iyatiti Mokube, Honeypots: Concepts, Approaches and Challenges) Because they have less functionality, they also give less information about the intruder who enters the honeypot. These types of honeypots usually reflect the image of a company’s actual servers or workstations and so help organizations become aware of current vulnerabilities in their actual systems. This allows the network admins of an organization to patch any holes before they are exploited and build a better defense against future attacks.

Figure 15.2 - Image of a Production Honeypot (Grimes)

Research Honeypots

These types of honeypots are not intended to assist in protecting networks; they are used by organizations such as universities, governments, the military or large corporations interested in threat research, to study attack patterns and the behavior of crackers in the blackhat community. These types of honeypots capture extensive amounts of data and are complex to both deploy and maintain (Iyatiti Mokube, Honeypots: Concepts…). By logging and gathering information as the attacker invades a research honeypot, researchers are able to study what tools and methods they use to gain access, understand their logic and reasoning for breaking in, and track patterns for the purpose of helping network admins strengthen network security. Most research honeypots consist of multiple honeypots, called a honeynet. These multiple honeypots are created for the purpose of imitating an entire production system.

Figure 15.3 - Image of a Honeynet (HoneyNet Research Project)

Here’s a link to a compromised honeypot with analysis: http://www.packetfu.org/hpa.html

What are Honeynets?

A honeynet is a network of one or more high interaction honeypots, imitating an actual network of production systems, which are heavily monitored and used as bait for crackers. (Spitzner, Know Your Enemy: Honeynets, last modified 2006) These honeynets are used mainly for research in order to learn about new attacks and intruder behavior. “In many ways a honeynet is like a fishbowl. You create an environment where you can watch everything happening inside it. However, instead of putting rocks, coral, and sea weed in your fish bowl, you put Linux DNS servers, HP printers, and Juniper routers in your honeynet architecture. Just as a fish interacts with the elements in your fishbowl, intruders interact with your honeypots.” (Spitzner, Know Your Enemy: Honeynets, last modified 2006)

Honeynet Project

A lot of attention is focused on research honeypots and honeynets. One example is the Honeynet Project.
The Honeynet Project is a “non-profit security research organization dedicated to investigating attacks and developing open source security tools to improve Internet security.” Volunteers have created chapters all around the world, helping to fight against blackhats by “discovering new attacks; creating tools for organizations, businesses and government agencies all over the world;” and educating the public about threats to information systems across the globe. (The Honeynet Project) Here’s a link to their website for more information: https://www.honeynet.org/about

Project Honey Pot

“Project Honey Pot is a distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system a person can install addresses that are custom-tagged to the time and IP address of a visitor to their site. If one of these addresses begins receiving email, Project Honey Pot tells if messages are spam and also the exact moment when the address was harvested and the IP address that gathered it.” (Project Honeypot) Here’s a link to Project Honey Pot’s website for more information: http://www.projecthoneypot.org/about_us.php

Origin and Evolution of Honeypots

History of Honeypots (Spitzner, Honeypots: Tracking Hackers, 2003)

- “Before 1990 - The concepts of honeypots may have been used but they were not yet called honeypots and there isn’t much documentation of their use.
- 1990/1991 – First public works documenting honeypot concepts – Clifford Stoll’s “The Cuckoo’s Egg” and Bill Cheswick’s “An Evening with Berferd.”
- 1997 – Version 0.1 of Fred Cohen’s Deception Toolkit was released, one of the first honeypot solutions available to the security community.
- 1998 - Development began on CyberCop Sting, one of the first commercial honeypots sold to the public. CyberCop Sting introduces the concept of multiple, virtual systems bound to a single honeypot. Marty Roesch and GTE Internetworking begin development on a honeypot solution that eventually becomes NetFacade. This work also begins the concept of Snort.
- 1998 – BackOfficer Friendly is released – a free, simple to use Windows based honeypot that introduced many people to honeypot concepts.
- 1999 – Formation of the Honeynet Project and publication of the “Know Your Enemy” series of papers. This work helped increase awareness and validate the value of honeypots and honeypot technologies.
- 2000/2001 – Use of honeypots to capture and study worm activity. More organizations adopting honeypots for both detecting attacks and for researching new threats.
- 2002 – A honeypot is used to detect and capture in the wild a new and unknown attack, specifically the Solaris dtspcd exploit.”
- 2004 – Virtual honeypots were introduced, which allow multiple honeypots to run on a single server. (Peter & Schiller)

Policies and Procedures [Provided by Rajani Gunda]

Honeypot Policies
1. Role of honeypot in network security
2. Secure usage of honeypot
3. Security Gateway
4. Prevention, detection and response of honeypot
5. Dark IP addresses

Role of honeypot in network security: This could be used in various research projects. Honeynet is participating in network security.

Security Gateway: All web administrators should monitor the security gateways. Set up a secure shell server on a non-standard port. A Nessus scan is an effective scan that could find the malicious holes on the system. A Nessus scan will give graphs and reports for a particular IP.

Secure usage of Honeypot: A compromised honeypot on the machines cannot be touched by third parties. It will give the attackers a hard time and is involved in finding new threats. This will block the malicious attackers.
Prevention, detection and response of Honeypot: Honeypot security is divided into three sections: prevention, detection and response.

Prevention: The primary theme of prevention is just to keep the malicious hacker from attacking. The firewall should be well patched. Targets are indefinable, so honeypots can detect attacks but cannot prevent them. If a malicious hacker directly attacks the server, the honeypot will prevent the attack from the malicious hacker. A honeypot can distract the hacker’s mind with different objectives, but it could not prevent the attack except in the case of a direct attack from a malicious hacker.

Detection: Intrusion into networks could be detected by an alarm system, as a house alarm would work. Some programs would be designed to watch the system logs, and those could trigger an alarm if any unauthorized person enters the network. Sometimes it might give false alarms, due to the high network traffic on most networks. Not all data can be processed by the systems, so there is a chance of some packets being dropped. The above kinds of reasons could benefit the attacker.

Response: If any honeypot attack was detected in the past, document it to provide protection from future attacks. Security policies are established by the security institutions; if any employee violates these rules, they should provide proper reasons to the administration. Suspicious packets could be recorded for analysis, to make the evaluation process easier.

Dark IP addresses: Some IP addresses should not be used or are reserved for the public use. The database of these IP addresses is maintained by the IANA (Internet Assigned Numbers Authority). Many institutions are provided with a range of IP addresses, some of which are not used at all. These inactive IP addresses are called dark IP addresses. If a packet is sent to a dark IP address, it may indicate a possible attack. Packets sent to dark IP addresses can be divided into different kinds of attack, such as: i) scanning/malicious, ii) broken/misconfigured, iii) backscatter. If we avoid the misconfigured traffic, we can reduce the false alarms. Backscatter is very dangerous and we couldn’t find the actual victim; it is a reflection of packets, because it relates to electromagnetic waves such as the reflection of light, radar and radio. The attacker scans the computer and discloses his IP address by performing multiple scans with false IP addresses. ICMP packets are routed to the false IP addresses. Analysis of worms and Internet threats could be monitored by the backscatter project.

Business Continuity Planning [Provided by Anthony Maziur]

Honeypots will help with business continuity by directing the attacker to a fake network setup so that they will not harm any of the company’s files or data. Honeypots are used to divert the attacker from the actual network and can capture information for the administrator to study and make corrections from. Not only does this divert the attacker, but it collects data so that a “profile” is built of the previous attack attempts. By studying these profiles, the person/people in charge of the network can ensure that the network is running at proper capacity 100% of the time and keep business activity normal as usual. Since BCP is an ongoing process, as stressed before, the network administrator can review the data and make changes to the contingency plan as needed. This process should be conducted regularly in order to stay on top of the constant potential threats of having the data compromised.

Works Cited

The Honeynet Project. (n.d.). Retrieved from https://www.honeynet.org/
Project Honeypot. (n.d.). Retrieved from http://www.projecthoneypot.org/index.php
HoneyNet Research Project. (n.d.). Retrieved from http://www.muscetta.org/research/honeynet/index.php
Ahmad, A., Ali, M., & Mustafa, J. (n.d.). Benefits of Honeypots in Education Sector. Retrieved from http://paper.ijcsns.org/07_book/201110/20111004.pdf
Barnett, R. C. (n.d.). Welcome to Honeypots: Monitoring and Forensics. Retrieved from http://honeypots.sourceforge.net/
Cohen, F., Lambert, D., Preston, C., Berry, N., Stewart, C., & Thomas, E. (n.d.). A Framework of Deception. Retrieved from http://www.all.net/journal/deception/Framework/Framework.html
Cooper, M. (2002, April). Baby Steps with a Honeypot. Retrieved from http://www.mhconline.co.uk/babysteps.htm
Diego, D. G. (2004). Building a GenII Honeynet Gateway. Madrid, Spain. Retrieved from http://www.honeynet.org.es/papers/honeywall/
Dornseif, M., Gartner, F., & Holtz, T. (2004). Vulnerability Assessment Using Honeypots.
Forte, D. (n.d.). Part II: Honeypots in Detail: the Variations.
Grimes, R. A. (n.d.). Attracting Hackers, Pic2. Retrieved from Flylib.com: http://flylib.com/books/en/1.48.1.20/1/
Gupta, A., Gupta, S., Ganesh, I., Gupta, P., Goyal, V., & Sabharwal, S. (2010). Opaqueness Characteristic of a Context Honeypot System. Information Security Journal: A Global Perspective.
Haas, J. (n.d.). Chroot (Jail). Retrieved from About.Com: http://linux.about.com/cs/linux101/g/chrootlparjailr.htm
Hernandez y Lopez, M., & Resendez, C. F. (n.d.). Honeypots: Basic Concepts, Classification and Educational Use as Resources in Information Security Education and Courses. Retrieved from http://proceedings.informingscience.org/InSITE2008/InSITE08p069-076Hernan422.pdf
honeypots.net. (n.d.). Intrusion Detection, Honeypots and Incident Handling Resources. Retrieved from http://www.honeypots.net/
Information Technology Specialty. (n.d.). Retrieved from Civil Air Patrol & U.S. Air Force Auxiliary Information Technology: http://minisite.sercap.us/page10563289.aspx
Mahajan, S. (n.d.). Honeypots. Retrieved from Hacking Begins: http://www.hackingbegins.com/2011/07/honeypots.html
McMullen, J. F. (2001, April 12). Get IT Done: Enhance intrusion detection with a honeypot. Retrieved from http://www.techrepublic.com/article/get-it-done-enhance-intrusion-detection-with-ahoneypot/1042983
Mokube, I., & Adams, M. (2007, March). Honeypots: Concepts, Approaches, and Challenges. Winston-Salem, North Carolina, US. Retrieved from http://cs.millersville.edu/~csweb/lib/userfiles/honeypot.pdf
Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and Investigations. Course Technology, Cengage Learning.
Pappas, N. (2008, April 2). Network IDS & IPS Deployment Strategies.
Peter, E., & Schiller, T. (n.d.). A Practical Guide to Honeypots. Retrieved from http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/index.html
Ranum, M. J. (n.d.). A Whirlwind Introduction to Honeypots. Retrieved from http://www.certconf.org/presentations/2002/Tracks2002Expert_files/HE-1&2.pdf
Reining, C. J. (n.d.). Analysis of a Compromised Honeypot. Retrieved from http://www.packetfu.org/hpa.html
Rousse, M. (n.d.). Retrieved from SearchSecurity.techtarget.com: http://searchsecurity.techtarget.com/definition/honey-pot
Spitzner, L. (1999). Build a Honeypot. Retrieved from http://www.spitzner.net/honeypot.html
Spitzner, L. (2003). Honeypots: Tracking Hackers. Addison-Wesley.
Spitzner, L. (2010). Honeypots: Are They Illegal? Retrieved from http://www.symantec.com/connect/articles/honeypots-are-they-illegal
Spitzner, L. (n.d.). Honeypots: Definitions and Value of Honeypots. Retrieved from http://www.trackinghackers.com/papers/honeypots.html
Spitzner, L. (last modified 2005, May 12). Know Your Enemy: GenII Honeynets.
Spitzner, L. (last modified 2006). Know Your Enemy: Honeynets. Retrieved from http://old.honeynet.org/papers/honeynet/
Unknown. (n.d.). Honeypots - Not just sticking to research.
Waldon, I., & Flanagan, A. (2003). Honeypots: A Sticky Legal Landscape? Rutgers Computer and Technology Law Journal, 1-53.
Wikipedia. (n.d.). Honeypot (Computing). Retrieved from http://en.wikipedia.org/wiki/Honeypot_(computing)