Honeypots - Mathias Gibbens, Harsha vardhan Rajendran - April 22, 2012 - PowerPoint PPT Presentation


SLIDE 1

Honeypots

Mathias Gibbens, Harsha vardhan Rajendran

April 22, 2012

Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28

SLIDE 2

Outline

1 Introduction
2 History
3 Types of honeypots
4 Deception techniques using Honeypots
5 Honeyd
6 Service-specific honeypots
7 Deployment strategies
8 Pros / Cons
9 Real life uses
10 Improvements
11 Conclusion

SLIDE 3

Introduction

1 What is a honeypot?
2 What are the uses for a honeypot?

SLIDE 5

Introduction

Figure: The key characters in our drama.

SLIDE 6

Introduction

1 Example of a logged attack: http://goo.gl/phnI3

SLIDE 7

History

1 Origin of the name
2 Early manual entrapment by the Military
3 Cheswick at AT&T Bell

“I wanted to watch the cracker’s keystrokes, to trace him, learn his techniques, and warn his victims. The best solution was to lure him to a sacrificial machine and tap the connection. ... Though the Jail was an interesting and educational exercise, it was not worth the effort. It is too hard to get it right, and never quite secure. A better arrangement involves a throwaway machine with real security holes, and a monitoring machine on the same Ethernet to capture the bytes.”

SLIDE 10

History

Figure: Honeypot development milestones.

SLIDE 11

Types of honeypots

1 There are many ways to classify honeypots
2 The most common is by the amount of interaction provided to the malicious user: high, medium, or low
3 Other ways are by looking at the data collected and whether or not more than one honeypot is being used

SLIDE 14

Types of honeypots

Interactive

1 Low-interaction: Emulates a single service; must be simple
2 Medium-interaction: Emulates a group of services that could be expected on a server
3 High-interaction: Full OS is presented to attacker; most useful, but also most risky

SLIDE 17

Types of honeypots

Type of data collected

1 Various types of data can be collected:
2 Events
3 Attacks
4 Intrusions

SLIDE 21

Types of honeypots

System configuration

1 Stand alone
2 Honeyfarm presenting a unified appearance to attacker

SLIDE 23

Uses of honeypots

1 Production environments to provide information and warning
2 Security research trying to keep a step ahead of new attacks

SLIDE 25

Uses of honeypots

Figure: An example of an exposed honeypot.

SLIDE 26

Honeypots as mobile code throttlers

1 Principle: Infected machines make more connections than regular ones
2 Sacrifice a few machines for the common good
3 Prevents a virus from spreading across the network, but cannot save the system
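The throttling principle above, worked through as an added example that is not part of the slides: a per-host rate limit on connections to previously unseen destinations, in the style of Williamson's virus throttle (the slides only state the principle, so the algorithm and the thresholds are assumptions). The traffic is constructed: one ordinary workstation and one worm-infected host.

```python
from collections import defaultdict, deque

# Constructed sample traffic as (second, source host, destination host).
# ws-1 is an ordinary workstation cycling between three servers; ws-2 is
# a worm-infected host that tries eight new destinations every second.
SAMPLE_CONNECTIONS = (
    [(t, "ws-1", f"srv-{t % 3}") for t in range(10)]
    + [(t, "ws-2", f"10.0.0.{i}") for t in range(10) for i in range(t * 8, t * 8 + 8)]
)


def run_throttle(events, new_per_second=1, working_set=4, alert_queue=10):
    """Replay connection requests through a per-host throttle (assumed
    Williamson-style design). A host may open `new_per_second` connections
    per second to destinations outside its recent working set; further new
    destinations are delayed and released one per second. A delay queue
    longer than `alert_queue` marks the host as likely infected.
    Returns {host: {"delivered": n, "queued": n, "flagged": bool}}."""
    recent = defaultdict(lambda: deque(maxlen=working_set))
    delayed = defaultdict(deque)
    stats = defaultdict(lambda: {"delivered": 0, "queued": 0, "flagged": False})
    budget = defaultdict(lambda: new_per_second)
    current = None
    for second, src, dst in sorted(events):
        if second != current:
            # A new second: release one delayed destination per host
            # and refill every host's allowance of new destinations.
            for host, queue in delayed.items():
                if queue:
                    recent[host].append(queue.popleft())
                    stats[host]["delivered"] += 1
            budget = defaultdict(lambda: new_per_second)
            current = second
        if dst in recent[src]:
            stats[src]["delivered"] += 1       # known destination: passes
        elif budget[src] > 0:
            budget[src] -= 1                   # spend this second's allowance
            recent[src].append(dst)
            stats[src]["delivered"] += 1
        else:
            delayed[src].append(dst)           # hold the connection back
            stats[src]["queued"] += 1
            if len(delayed[src]) > alert_queue:
                stats[src]["flagged"] = True
    return {host: dict(s) for host, s in stats.items()}


if __name__ == "__main__":
    for host, s in run_throttle(SAMPLE_CONNECTIONS).items():
        print(host, s)
```

The ordinary host never queues, while the scanning host is held to roughly two connections per second and flagged within the second second; this slows the spread but, as the slide says, does not clean the infected machine.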

SLIDE 29

Honeypots as mobile code throttlers

Figure: Virus throttling

SLIDE 30

Honeytokens (cost-effective honeypots)

1 Reiterate Honeypot definition: an information system resource whose value lies in the unauthorized or illicit use of that resource.
2 Honeytoken is a Honeypot which is not a computer, but a digital entity.
3 Hospital DB example
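A hospital-database honeytoken of the kind the slide refers to, as an added example rather than the presenters' own: a decoy patient row that no legitimate workflow needs, with a monitor that alerts whenever a query actually returns it. The table, the user names and the decoy MRN are constructed.

```python
import sqlite3

# Constructed decoy identifier; it belongs to no real patient.
HONEYTOKEN_MRN = "MRN-00000-HT"


def build_db():
    """Build a constructed in-memory hospital table: ordinary rows plus
    one decoy patient that no legitimate workflow ever needs to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, ward TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-10001", "A. Example", "Ward 3"),
        ("MRN-10002", "B. Example", "Ward 5"),
        (HONEYTOKEN_MRN, "Celebrity Decoy", "VIP Suite"),
    ])
    conn.commit()
    return conn


class HoneytokenMonitor:
    """Runs queries on behalf of users and alerts whenever the decoy row
    is among the rows actually returned. Because the decoy has no
    legitimate use, any hit is by definition unauthorized access."""

    def __init__(self, conn):
        self.conn = conn
        self.alerts = []

    def query(self, user, sql, params=()):
        rows = self.conn.execute(sql, params).fetchall()
        # The MRN may sit in any selected column, so scan whole rows.
        if any(HONEYTOKEN_MRN in row for row in rows):
            self.alerts.append({"user": user, "sql": sql, "params": tuple(params)})
        return rows


def demo():
    """Constructed scenario: a ward lookup is fine, a bulk export trips the token."""
    monitor = HoneytokenMonitor(build_db())
    monitor.query("nurse7", "SELECT mrn, name FROM patients WHERE ward = ?", ("Ward 3",))
    monitor.query("analyst2", "SELECT * FROM patients")
    return monitor.alerts
```

The cost is one extra row and a check on query results; there is no emulated service to maintain, which is why the slide calls honeytokens cost-effective.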

SLIDE 33

Honeytokens (cost-effective honeypots)

Figure: Honeytoken

SLIDE 34

Honeyd - Introduction

1 Honeyd - Low interaction virtual honeypot
2 Deception through simulation of network stack

SLIDE 36

Honeyd - Architecture

Figure: Honeyd architecture.

SLIDE 37

Service-specific honeypots

1 Simpler honeypots running for a specific service
2 SSH honeypot (kippo)
3 Logs interactions for later analysis
4 Fairly safe to run on a computer, even if not dedicated
5 This idea can be applied to other services as well

SLIDE 42

Deployment strategies

1 Sacrificial lamb
2 Deception ports on production systems
3 Proximity decoys
4 Redirection shield
5 Minefield

SLIDE 47

Deployment strategies

Figure: Redirection shield.

Figure: Minefield.

SLIDE 48

Honeypot Pros

1 Shield real servers from attacks
2 Gather information about current attack strategies
3 Limit risk to real data

SLIDE 51

Honeypot Cons

1 At best, just a copy of the real target
2 Potentially prone to the same weaknesses as their copy
3 Additional time required to develop and maintain, in addition to real servers

SLIDE 54

Real life uses

1 Honeypots can play a vital role in a layered security setup
2 At Utah State University as part of protecting their SSH servers:

“[Honeypots] make it easy to automate blocking SSH attackers, with virtually no chance of false positives.”
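The automated blocking the Utah State quote describes, as an added example that is neither theirs nor kippo's code: every source that attempts a login on an SSH honeypot is treated as an attacker (nothing legitimate should connect), and the resulting list feeds block rules for the real SSH servers. The log lines are constructed in a kippo-like layout (an assumption, not kippo's exact format), and the allow-list net is a placeholder for your own monitoring sources.

```python
import ipaddress
import re

# Constructed honeypot log lines (kippo-like layout, assumed).
SAMPLE_LOG = """\
2012-04-22 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/123456] failed
2012-04-22 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/password] failed
2012-04-22 10:00:09+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [admin/admin] succeeded
2012-04-22 10:01:00+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.5] login attempt [scanner/scan] failed
"""

ATTEMPT = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] login attempt \[(?P<user>[^/]+)/")


def attackers(log_text, allow_nets=("10.0.0.0/8",)):
    """Map each attacking source IP to the usernames it tried.
    One attempt is enough: a honeypot has no legitimate users, which is
    what keeps the false-positive rate near zero. Sources inside
    allow_nets (placeholder: your own scanners) are skipped."""
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    seen = {}
    for line in log_text.splitlines():
        match = ATTEMPT.search(line)
        if not match:
            continue                    # not a login attempt line
        ip = ipaddress.ip_address(match["ip"])
        if any(ip in net for net in allowed):
            continue                    # internal monitoring, do not block
        seen.setdefault(str(ip), set()).add(match["user"])
    return seen


def block_rules(seen):
    """Render one iptables DROP rule per attacker for the real SSH servers."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(seen)]


if __name__ == "__main__":
    for rule in block_rules(attackers(SAMPLE_LOG)):
        print(rule)
```

In practice the rules would carry an expiry so that addresses reassigned to other hosts are not blocked forever.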

SLIDE 56

Improvements

1 There is a constant battle between security researchers and hackers
2 Honeypots need to be updated to emulate newer servers and fix implementation bugs

SLIDE 58

Conclusion

1 Honeypots can be very useful as part of a comprehensive security setup
2 Let us see the interactions of malicious users without their being aware
3 Versatile: many possible uses

SLIDE 61

Conclusion

Questions?