Honeypots
  ZIANE Bilal
  Http://www.ZIANEBilal.com/2012/09/honeypots/
1 Honeypot
  www.ZIANEBilal.com

  Honeypot
      1. Definitions of Honeypots


  What is a honeypot? The buzzword "honeypot" has created a great deal of confusion and
  miscommunication throughout the security community, due to the lack of a clear and
  simple definition.

  Some think a honeypot is an intrusion detection tool; others see it as a jail, or as a
  deception tool to lure hackers. These differing views of what a honeypot is have produced a
  lot of misunderstanding.

  A honeypot, then, is a resource that pretends to be a real target. A honeypot is
  expected to be attacked or compromised. Its main goals are to distract the
  attacker and to gain information about the type of attack and about the attacker,
  serving as an early warning and thus minimizing the risk to the real IT systems and
  network.

  Honeypots are typically virtual machines, designed to emulate real machines with fully
  running services, fooling black hats who do not know they are being covertly observed.

  On the one hand, firewalls are designed to protect organizations by controlling the
  flow of traffic; they act as an access control device that blocks unauthorized activity. On
  the other hand, network intrusion detection systems are designed to detect
  malicious activity by monitoring the activity within the network, identifying malicious
  activities and reporting them to the administrator. A honeypot differs
  from most security tools in that it can take on different manifestations.
  That is to say, the value of a honeypot resides in being attacked: if the system is
  never probed, it has little or no value.

  Honeypots are flexible and do not address only one specific issue. Instead, they are
  well suited to widely different situations: as alarm and early-warning sensors, by
  detecting attacks (like an IDS) and deterring them (like a firewall), and by capturing and
  analyzing automated attacks, including worms.

   How Honeypots Work

        Honeypots are security resources that have no production value; no person or
  resource should be communicating with them. Any activity sent their way is suspect.

       Any traffic initiated by the honeypot means the system has most likely been
  compromised. Any traffic sent to the honeypot is most likely a probe, scan, or attack.

  With a honeypot, nothing is expected.

       To better understand the concept, let's look at the following example of
  honeypot deployments.

         The purpose here is to show that honeypots come in many different flavors and
  can achieve different things. They are nevertheless both honeypots, because they share
  the same definition and concepts.

        One such deployment uses systems as honeypots to determine whether any
  unauthorized activity is happening within your DMZ.




  Honeypots passively capture any traffic or activity that interacts with them.
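  As an added illustration of the rule above (this is not code from the original document), the following Python snippet classifies constructed flow records by direction: anything sent to a honeypot address is reported as a probe or scan, anything the honeypot itself initiates is treated as a compromise. The honeypot addresses, the log format and the scan threshold are assumptions.

```python
"""Classify flow records seen on a segment that hosts honeypots.

Added example, not from the original document. It encodes the rule the text
states: a honeypot has no production value, so inbound traffic is a probe,
scan or attack, and outbound traffic the honeypot initiates means it has most
likely been compromised. Addresses, log format and threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: addresses assigned to honeypots in the DMZ (assumption).
HONEYPOTS = {"10.0.1.50", "10.0.1.51"}

# Constructed: one source touching this many distinct honeypot ports within
# the log window is reported as a scan rather than as single probes.
SCAN_PORT_THRESHOLD = 3


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse a constructed flow line: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, int(sport), dst_ip, int(dport), proto)


def classify(flows, honeypots=HONEYPOTS):
    """Return a list of (severity, kind, detail) alerts.

    Only flows touching a honeypot produce alerts; everything else is outside
    the sensor's field of view, as the text notes, and is ignored here.
    """
    alerts = []
    inbound_ports = defaultdict(set)   # (src, honeypot) -> ports touched
    for f in flows:
        if f.src in honeypots and f.dst not in honeypots:
            # The honeypot initiated a connection: assume it is compromised.
            alerts.append(("critical", "outbound-from-honeypot",
                           f"{f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}"))
        elif f.dst in honeypots:
            inbound_ports[(f.src, f.dst)].add(f.dport)
    for (src, hp), ports in inbound_ports.items():
        kind = "scan" if len(ports) >= SCAN_PORT_THRESHOLD else "probe"
        alerts.append(("high", kind, f"{src} -> {hp} ports {sorted(ports)}"))
    return alerts


# Constructed sample log: a three-port sweep, a single SMB probe, ordinary
# production traffic that never touches a honeypot, and a honeypot calling out.
SAMPLE_LOG = """\
2012-09-01T10:00:01 203.0.113.7:51234 -> 10.0.1.50:22 tcp
2012-09-01T10:00:02 203.0.113.7:51235 -> 10.0.1.50:80 tcp
2012-09-01T10:00:02 203.0.113.7:51236 -> 10.0.1.50:443 tcp
2012-09-01T10:00:05 198.51.100.9:40000 -> 10.0.1.51:445 tcp
2012-09-01T10:00:09 10.0.1.10:33000 -> 10.0.1.20:80 tcp
2012-09-01T10:03:10 10.0.1.50:4444 -> 198.51.100.9:6667 tcp
"""


def run(log_text=SAMPLE_LOG):
    """Parse the log text and return the alerts it produces."""
    return classify(parse_flow(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for sev, kind, detail in run():
        print(f"[{sev}] {kind}: {detail}")
```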




      2. Types of Honeypots


         Production/Research Honeypots:
     Honeypots are classified into two general categories: production honeypots and
  research honeypots.

     Production honeypots are easier to build and deploy than research honeypots,
  and besides their simplicity they carry less risk. But they also give less information
  about the attacker and about the types of attacks.

         Research honeypots are designed to gain information about the black hat
  community, with the aim of researching the threats the organization might face:
  who the attackers are, how they are organized, and which tools they are using, in order to
  understand how they operate. The environment can then be
  progressively protected based on the collected information.

         Security research companies, government agencies and universities deploy
  research honeypots to help the security community secure its resources, and to learn
  who the attackers are, how they act, and what tools they use.

  Indeed, Honeynets are one example of the research honeypots.



         Low/High Interactivity:



     High-interaction honeypots offer the adversary a full system to interact with. This
  means that the honeypot does not emulate any services, functionality, or base operating
  system. Instead, it provides real systems and services, the same ones used in organizations
  today. Thus, the attacker can completely compromise the machine and take control of it.

        This allows you to learn more about the tools, tactics, and motives of the attacker
  and get a better understanding of the attacker community.

         Although these types of honeypots can give you deep insights into the routine
  procedures of an attacker, be warned: high-interaction honeypots can be a
  time-consuming yet fascinating hobby! Your personal computer can be considered a
  high-interaction honeypot.




          This approach, however, has several drawbacks. After all, you do not want an
  attacker to have access to your private data or to disrupt your work, so you will certainly
  want to set up a machine dedicated to this task, for example a virtual machine.
  High-interaction honeypots also carry some risk: the attacker can abuse a honeypot he has
  compromised and start attacking other systems on the Internet, which could cause you both
  legal and ethical problems. Therefore, the whole setup needs to be safeguarded to mitigate the risk.

      Low-interaction honeypots are fascinating for many different reasons. Many
  noncommercial solutions exist, like LaBrea and Tiny Honeypot, and low-interaction
  honeypots are easy to set up. Even without much experience, you can set up a network
  of hundreds of low-interaction virtual honeypots in a short time.



         Hybrid honeypots:



     When low-interaction systems are not powerful enough and high-interaction
  systems are too expensive, hybrid solutions offer the benefits of both worlds.

      Let's say we want to capture real worms on a class B network under our control. It
  would be too expensive to set up 65,000 real machines, but by combining the principles of
  low-interaction honeypots with high-interaction honeypots, we can use the
  low-interaction honeypots as gateways to a few high-interaction machines.

      The low-interaction honeypots filter out noise and scanning attempts and ensure
  that only interesting connections are forwarded to a set of high-interaction machines.
  These high-interaction machines can run different operating systems, and by selectively
  forwarding connections from the low-interaction honeypots, we can mix and match the
  different services available on the high-interaction systems.
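  The forwarding decision described above, as an added example that is not code from the original document or from any honeypot product: a front end owning a constructed /16 keeps address sweeps on the low-interaction layer and hands only data-carrying connections to a high-interaction backend chosen by service. The addresses, the sweep threshold and the backend map are assumptions.

```python
"""Forwarding policy of a hybrid honeypot front end.

Added example, not from the document or from any honeypot project. It models
the design the text describes: low-interaction sensors owning a class B range
answer scanners themselves and pass only "interesting" connections, the ones
that actually send data to an emulated service, to a few high-interaction
machines selected by service. Addresses, thresholds and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

SENSOR_RANGE = ipaddress.ip_network("10.0.0.0/16")   # constructed class B

# Constructed: a few high-interaction backends, keyed by the service a
# connection targets. Different backends can run different operating systems.
BACKENDS = {
    22: "hi-linux-1",
    80: "hi-linux-2",
    445: "hi-windows-1",
}

# Constructed: a source that has touched this many distinct sensor addresses
# is treated as a sweep and kept on the low-interaction layer.
SWEEP_THRESHOLD = 5


@dataclass
class Event:
    src: str
    dst: str
    dport: int
    payload_len: int   # bytes the client sent after the handshake


@dataclass
class Gateway:
    seen_targets: dict = field(default_factory=lambda: defaultdict(set))
    forwarded: list = field(default_factory=list)
    emulated: list = field(default_factory=list)

    def decide(self, ev: Event) -> str:
        """Return 'emulate' or the name of the backend the connection goes to."""
        if ipaddress.ip_address(ev.dst) not in SENSOR_RANGE:
            raise ValueError(f"{ev.dst} is not a sensor address")
        self.seen_targets[ev.src].add(ev.dst)
        sweeping = len(self.seen_targets[ev.src]) >= SWEEP_THRESHOLD
        backend = BACKENDS.get(ev.dport)
        # Forward only when (a) the client sent data, so it went past the
        # handshake, (b) a backend actually runs that service, and (c) the
        # source is not busy sweeping the range.
        if ev.payload_len > 0 and backend and not sweeping:
            self.forwarded.append((ev.src, ev.dst, ev.dport, backend))
            return backend
        self.emulated.append((ev.src, ev.dst, ev.dport))
        return "emulate"


def simulate(events):
    """Run the events through one gateway; return it and the per-event decisions."""
    gw = Gateway()
    return gw, [gw.decide(e) for e in events]


# Constructed events: a sweep of six addresses with empty payloads, one client
# that completes a connection and sends data to port 445, a data-carrying
# connection to a port no backend serves, and the sweeper coming back with data.
SAMPLE_EVENTS = [Event("203.0.113.5", f"10.0.3.{i}", 445, 0) for i in range(1, 7)] + [
    Event("198.51.100.20", "10.0.7.9", 445, 120),
    Event("198.51.100.21", "10.0.7.9", 8080, 40),
    Event("203.0.113.5", "10.0.9.1", 22, 30),
]

if __name__ == "__main__":
    gateway, decisions = simulate(SAMPLE_EVENTS)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{ev.src} -> {ev.dst}:{ev.dport} ({ev.payload_len} B): {d}")
```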



      3. Advantages of Honeypots


         Simplicity and high flexibility


     The simpler a technology is, the fewer mistakes and misconfigurations there will be,
  and I consider simplicity the biggest advantage of honeypots. Just drop one
  somewhere in the organization, then sit and wait. Some honeypots can be more
  complex, especially research honeypots, but they all operate on the same simple
  premise: the simpler the concept, the more reliable it is. With complexity come
  misconfigurations and failures.

      Honeypots can be used in a wide variety of environments, due to their high
  flexibility. They can vary from a single fake social security number added to a database to
  an entire network of computers designed to be broken into. It is this flexibility that
  allows honeypots to be used anywhere and to gather extensive information
  accordingly, especially against insider threats.



         Data Value


     The amount of information captured every day from firewall logs, intrusion
  detection alerts and system logs is overwhelming and extremely difficult to
  take advantage of.

      Instead of logging gigabytes of data every day, honeypots capture only bad activity
  (positive alerts): by reducing the noise, they collect small data sets of
  high-value information, most likely a scan, probe or attack.



         Minimal resources


      Running out of resources has become an issue in the security community, and
  since honeypots require minimal resources, they have no such limitation.

      Because they capture and monitor little activity, honeypots typically do not suffer
  from resource exhaustion. On the other hand, most IDS sensors have difficulty
  monitoring networks that run at gigabit speeds. The speed and volume of the traffic are
  too great for the sensor to analyze every packet. As a result, traffic is dropped and
  potential attacks are missed. A honeypot deployed on the same network does not share
  this problem. The honeypot only captures activity directed at itself, and since any
  interaction with a honeypot is most likely unauthorized or malicious, that activity is
  small. That is to say, the system is not overwhelmed by the traffic.

    Besides, little money needs to be invested in hardware to deploy a
  honeypot: a cheap, old and unwanted Pentium computer will do the job.



         Capture the new tools and attacks


     Honeypots are designed to capture anything thrown at them. This means they
  capture harmful methods and tools that have never been used before. This is unusual
  compared with previously deployed security systems such as IDS and firewalls, all of
  which have to recognize and diagnose an activity before categorizing it as dangerous.

         Return on Investment


      Honeypots quickly and repeatedly demonstrate their value. Whenever they are
  attacked, people know the bad guys are out there. By capturing unauthorized activity,
  honeypots can be used to justify not only their own value but investments in other
  security resources as well. When management perceives there are no threats, honeypots
  can effectively prove that a great deal of risk does exist.



      4. Disadvantages of Honeypots


         Narrow Field of View


     The greatest disadvantage of honeypots is that they only see the activity directed
  against them. If an attacker breaks into your real network and attacks a variety of
  systems, your honeypot will be unaware of the activity unless it is attacked directly.
  Worse, if the attackers have identified the honeypot for what it is, they can
  avoid that system, with the honeypot never knowing. As noted earlier, honeypots are
  designed to be attacked, and if they are not, they lose their value.



         Fingerprinting


      Fingerprinting is when an attacker can identify the true identity of the honeypot
  because of its characteristics or behaviors. If a blackhat identifies an organization using
  a honeypot on its internal networks, he could spoof the identity of other production
  systems and attack the honeypot. The honeypot would detect these spoofed attacks, and
  falsely alert administrators that a production system was attacking it, sending the
  organization on a wild goose chase.

      Meanwhile, in the midst of all the confusion, an attacker could focus on real attacks.

     Fingerprinting is an even greater risk for research honeypots. A system designed to
  gain intelligence can be devastated if detected. Instead of simply avoiding the honeypot,
  an attacker can feed bad information to it. This bad information would then
  lead the security community to draw incorrect conclusions about the blackhat
  community.

      This is not to say all honeypots must avoid detection. Some organizations might want
  to scare away or confuse attackers. Once a honeypot is attacked, it can identify itself and
  then warn off the attacker in hopes of scaring him off. However, in most situations
  organizations do not want honeypots to be detected.

         Risk


     Honeypots can introduce risk to the environment. Once the honeypot is attacked, it
  can be used to attack, infiltrate, or harm other systems or organizations.

      The simpler the honeypot, the lower the risk. Some introduce very little risk and are
  difficult to compromise, while others give the attacker an entire platform from which to
  launch passive or active attacks against other systems.

     Because of their disadvantages, honeypots cannot replace other security mechanisms
  such as firewalls and intrusion detection systems. Rather, they add value by working
  with existing security mechanisms. They play a part in your overall defenses.

  Honeynets
      1. How Honeynets Work




          A Honeynet is a physical network of multiple systems, built on the same principle as a
  honeypot but not limited to a single system. Anything sent to the Honeynet is suspect,
  potentially a probe, scan, or even an attack. Anything sent from a Honeynet implies that
  it has been compromised: an attacker or tool is launching activity.

        Honeynets are an architecture that builds a highly controlled network, within
  which you can place any system or application you want. It is this architecture that is
  your Honeynet.

          There are three critical elements to a Honeynet architecture: data control, data
  capture, and data collection. These elements define your Honeynet architecture. Of the
  three, the first two are the most important and apply to every Honeynet deployment. The
  third, data collection, only applies to organizations that deploy multiple Honeynets in a
  distributed environment. Data control is the controlling of the blackhat's activity. Once a
  blackhat takes control of a honeypot within the Honeynet, his activity has to be
  contained so that he cannot harm non-Honeynet systems.

        Data capture is the capturing of all the activity that occurs within the Honeynet.
  Data collection is the aggregation of all the data captured by multiple Honeynets.
  Honeynets are highly flexible: there is no single way to implement a Honeynet
  solution. What is critical is that the implementation meets the data requirements of
  Honeynet technologies.

        There are currently two types of Honeynets that can be employed on a network:
  GEN I, or first generation, and GEN II, or second generation. The type of
  Honeynet one chooses depends on many factors, including the availability of
  resources, the types of hackers and attacks you are trying to detect, and overall
  experience with the Honeynet methodology.

          GEN I Honeynets are the simpler methodology to employ. Although they are
  somewhat limited in their Data Capture and Data Control abilities, they are highly effective in
  detecting automated attacks or beginner-level attacks against targets of opportunity on
  the network. Their limitations in Data Control make it possible for a hacker to
  fingerprint them as a Honeynet. They also offer little to attract a skilled hacker
  to target the Honeynet, since the machines on the Honeynet are normally just default
  installations of various operating systems.

         GEN II Honeynets were developed to address the shortcomings inherent in
  GEN I Honeynets. The primary area addressed by GEN II Honeynets is
  Data Control. GEN I Honeynets used a firewall to provide Data Control by
  limiting the number of outbound connections from the Honeynet. This is a very effective
  method of Data Control; however, it lacks flexibility and leaves open the possibility of the
  hacker fingerprinting the Honeynet.

         GEN II Honeynets provide data control by examining outbound data and making
  a determination to block, to pass, or to modify by changing some of the packet contents
  so as to allow data to appear to pass but rendering it benign. GEN II Honeynets are
  more complex to deploy and maintain than GEN I Honeynets.
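   The two data-control strategies contrasted above, modelled in Python as an added example (not code from the document or from the Honeynet Project's tools): a GEN I-style count of outbound connections next to a GEN II-style inspector that can pass, block, or modify outbound data so that it appears to go out but is rendered benign. The connection limit, the byte pattern and its replacement are constructed placeholders.

```python
"""GEN I versus GEN II data control over the same outbound stream.

Added example, not from the document or from the Honeynet Project's tools.
GEN I control is a firewall count: outbound connections from a honeypot pass
until a limit, then everything is blocked, benign or not. GEN II control looks
at the data and can pass, block or modify it, so a hostile payload goes out
defanged while the attacker still sees the connection succeed. The limit,
rule set and payloads are constructed.
"""
from collections import Counter
from dataclasses import dataclass

OUTBOUND_LIMIT = 3   # constructed per-honeypot connection budget


@dataclass
class Outbound:
    honeypot: str
    dst: str
    dport: int
    payload: bytes


class Gen1Control:
    """Firewall-style control: a pure connection count, blind to content."""

    def __init__(self, limit=OUTBOUND_LIMIT):
        self.limit = limit
        self.count = Counter()

    def decide(self, ob: Outbound) -> str:
        self.count[ob.honeypot] += 1
        return "pass" if self.count[ob.honeypot] <= self.limit else "block"


# Constructed rules for the GEN II inspector: a byte pattern and a same-length
# replacement that defuses it. These are placeholders, not real signatures.
_PATTERN = b"ATTACK-PATTERN-PLACEHOLDER"
NEUTRALIZE_RULES = {_PATTERN: b"X" * len(_PATTERN)}


class Gen2Control:
    """Inspects outbound data. Keeps a budget too, but a matching payload is
    modified rather than dropped, so the connection appears to succeed."""

    def __init__(self, limit=OUTBOUND_LIMIT, rules=NEUTRALIZE_RULES):
        self.limit = limit
        self.rules = rules
        self.count = Counter()

    def decide(self, ob: Outbound):
        """Return (verdict, payload_to_send)."""
        self.count[ob.honeypot] += 1
        for pattern, replacement in self.rules.items():
            if pattern in ob.payload:
                return "modify", ob.payload.replace(pattern, replacement)
        if self.count[ob.honeypot] > self.limit:
            return "block", b""
        return "pass", ob.payload


def compare(stream):
    """Run the same stream through both controls; return (gen1, gen2) verdicts."""
    g1, g2 = Gen1Control(), Gen2Control()
    return [(g1.decide(ob), g2.decide(ob)[0]) for ob in stream]


# Constructed stream from one compromised honeypot: two benign lookups, a
# payload carrying the placeholder pattern, then one more benign lookup.
SAMPLE_STREAM = [
    Outbound("hp1", "198.51.100.53", 53, b"dns-query"),
    Outbound("hp1", "198.51.100.80", 80, b"GET / HTTP/1.0\r\n\r\n"),
    Outbound("hp1", "203.0.113.9", 445, b"..." + _PATTERN + b"..."),
    Outbound("hp1", "198.51.100.53", 53, b"dns-query"),
]

if __name__ == "__main__":
    for ob, (v1, v2) in zip(SAMPLE_STREAM, compare(SAMPLE_STREAM)):
        print(f"{ob.honeypot} -> {ob.dst}:{ob.dport}  GEN I: {v1:5}  GEN II: {v2}")
```

   Note that GEN I lets the third connection through untouched because it is still within budget, which is exactly the gap the text says GEN II was built to close.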




       2. Virtual Honeynets


       Virtual Honeynets represent a relatively new field for Honeynets. The concept is to
   virtually run an entire Honeynet on a single, physical system. The purpose of this is to
   make Honeynets a cheaper solution that is easier to manage. Instead of investing in
   large amounts of hardware, all of the hardware requirements are combined onto a single
   system. Virtual Honeynets do not represent a specific architecture; they can support
   either GenI or GenII technologies. Instead, virtual Honeynets represent one option for
   deploying these architectures.

   HoneyC

          This is an example of a client honeypot that initiates connections to a server,
   aiming to find malicious servers on a network. It aims to identify malicious web servers
   by using emulated clients that are able to solicit the type of response from a server that
   is necessary for analysis of malicious content.

   Official Website: https://projects.honeynet.org/honeyc/


   Honeyd


          Honeyd is an open source framework for setting up virtual honeypots with
   different services on one machine, fooling the network fingerprinting tools and
   simulating real operating systems.

   Official Website: www.honeyd.org/

   Deploying Honeypots with Honeyd:
   http://ulissesaraujo.wordpress.com/2008/12/08/deploying-honeypots-with-
   honeyd/

   Honeypot/honeyd getting started:
   http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/

   Honeyd – A low involvement Honeypot in Action

   http://security.rbaumann.net/download/honeyd.pdf

   Honeywall

          Honeywall is a bootable CD-ROM that comes with a set of tools and functionalities
   for implementing GenII data capture, data control and analysis features.


   Install and configure Honeywall:
   http://doc.emergingthreats.net/pub/Main/HoneywallSamples/InstallAndConfigureHoneywall.pdf


   DTK

           Deception Toolkit was the first Open Source honeypot released in 1997. It is a
   collection of Perl scripts and C source code that emulates a variety of listening services.
   Its primary purpose is to deceive human attackers.


   The Deception Toolkit Home Page: http://all.net/dtk/index.html


   Honeytrap

          This is a low-interaction honeypot developed to observe attacks against network
   services. It helps administrators collect information about known or unknown
   network-based attacks.

   Official Website: http://honeytrap.carnivore.it/

   Resources:

   Honeypots, Tracking Hackers: http://www.tracking-hackers.com/papers/

   Les HoneyPots par François ROPERT: http://www.authsecu.com/honeypots-honeynet/honeypots-honeynet.php#Les_menaces


   CERT Advisory CA-2001-18, Multiple Vulnerabilities in Several Implementations of the
   Lightweight Directory Access Protocol (LDAP): http://www.cert.org/advisories/CA-2001-18.html



   Honeypots - Tracking Hackers By Lance Spitzner. ISBN: 0-321-10895-7.



   Honeypots for Windows by Roger A.Grimes. ISBN: 1590593359.



   Virtual Honeypots: From Botnet Tracking to Intrusion Detection. by Niels Provos;
   Thorsten Holz. ISBN: 0-321-33632-1.



   White Paper: Honeypots by Reto Baumann (http://www.rbaumann.net) and Christian
   Plattner (http://www.christianplattner.net).



   Know Your Enemy, Honeynets: http://www.symantec.com/connect/articles/know-your-enemy-honeynets



   Virtual Honeynet, Deploying Honeywall using VMware:
   http://www.honeynet.pk/honeywall/roo/index.htm

   Table of Contents
   Honeypot...........................................................................................................................................1
      1.       Definitions of Honeypots..........................................................................................................1
      2.       Types of Honeypots .................................................................................................................3
                 Production/Research Honeypots: .........................................................................................3
                 Low/High Interactivity:.........................................................................................................3
                 Hybrid honeypots: ...............................................................................................................4
      3.       Advantages of Honeypots ........................................................................................................4
                 Simplicity and high flexibility ................................................................................................4
                 Data Value...........................................................................................................................5
                 Minimal resources ...............................................................................................................5
                 Capture the new tools and attacks ........................................................................................6
                 Return on Investment ..........................................................................................................6
      4.       Disadvantages of Honeypots ....................................................................................................6
                 Narrow Field of View............................................................................................................6
                 Fingerprinting......................................................................................................................6
                 Risk.....................................................................................................................................7
   Honeynets..........................................................................................................................................8
      1.       How Honeynets Work ..............................................................................................................8
      2.       Virtual Honeynets.................................................................................................................. 10
   HoneyC ............................................................................................................................................ 11
   Honeyd ............................................................................................................................................ 11
   Honeywall ........................................................................................................................................ 12
   DTK.................................................................................................................................................. 12
   Honeytrap........................................................................................................................................ 12
   Resources: ....................................................................................................................................... 13

Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfChristalin Nelson
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 

Dernier (20)

4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdf
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdf
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 

Honeypots Explained: Types, Advantages and How They Work</TITLE

Honeypots
ZIANE Bilal
Http://www.ZIANEBilal.com/2012/09/honeypots/
1 Honeypot www.ZIANEBilal.com

Honeypot

1. Definitions of Honeypots

What is a Honeypot? The buzzword honeypot has created a great deal of confusion and miscommunication in the security community, due to the lack of a clear and simple definition.

Some think a honeypot is an intrusion detection tool; others see it as a jail or as a deception tool to lure hackers. These differing viewpoints of what a honeypot is have produced a lot of misunderstandings.

Therefore, a honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about the type of the attack and about the attacker, serving as an early warning and thus minimizing the risks to the real IT systems and network.

Honeypots are typically virtual machines, designed to emulate real machines with fully running services, fooling the black hats, who do not know they are being covertly observed.

On the one hand, firewalls are designed to protect organizations by controlling the traffic flow, acting as an access control device to block unauthorized activities. On the other hand, Network Intrusion Detection Systems are designed to detect malicious activity by monitoring the activity within the network, identifying malicious activities and reporting them to the administrator. The honeypot differs from most security tools in that it can take on different manifestations. That is to say, the value of the honeypot resides in being attacked; if the system is never probed then it has little or no value.

Honeypots are flexible, resolving not only one specific issue. Instead, they are highly recommended for widely different situations: as alarm and warning sensors, by detecting (like an IDS) and deterring (like a firewall) attacks, and by capturing and analyzing automated attacks, including worms.
How Honeypots Work

Honeypots are security resources that have no production value; no person or resource should be communicating with them. Any activity sent their way is suspect. Any traffic initiated by the honeypot means the system has most likely been compromised. Any traffic sent to the honeypot is most likely a probe, scan, or attack. With a honeypot, nothing is expected.

To better understand the concepts of honeypots, let's take a look at the following example of honeypot deployments. The purpose here is to demonstrate that honeypots can come in many different flavors, and that they can achieve different things. However, they are both honeypots because they share the same definition and concepts. One example is using systems as honeypots to determine whether there is any unauthorized activity happening within your DMZ. Honeypots passively capture any traffic or activity that interacts with them.
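The rule just stated (anything sent to a honeypot is a probe, scan or attack; anything sent from a honeypot signals a probable compromise) translates directly into detection logic. The Python below is an added example, not code from the original document: it runs that rule over a few constructed flow records against a constructed list of honeypot addresses (the 10.10.0.x, 198.51.100.x and 203.0.113.x addresses, the record format and the severity labels are all assumptions made for the demo).

```python
"""Classify flow records against a honeypot address list.

Added example (not from the document). Applies the honeypot rule:
  - a flow whose destination is a honeypot  -> probe/scan/attack (alert)
  - a flow whose source is a honeypot       -> honeypot probably compromised
  - anything else                           -> invisible to the honeypot
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed: addresses of the honeypots in a hypothetical DMZ (assumption).
HONEYPOTS: Set[str] = {"10.10.0.50", "10.10.0.51"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" for traffic leaving a honeypot, "medium" for traffic reaching one
    kind: str       # "honeypot-outbound" or "honeypot-inbound"
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts src dst dport proto' record."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def classify(flow: Flow, honeypots: Set[str] = HONEYPOTS) -> Optional[Alert]:
    # Outbound from a honeypot is checked first: no legitimate process should
    # originate traffic there, so this is the stronger signal (likely compromise).
    if flow.src in honeypots:
        return Alert("high", "honeypot-outbound", flow)
    # Inbound to a honeypot: nobody should talk to it, so this is a probe, scan
    # or attack. Worth an alert, but it is not evidence of a compromise yet.
    if flow.dst in honeypots:
        return Alert("medium", "honeypot-inbound", flow)
    # Ordinary production traffic: the honeypot has no view of it (narrow field of view).
    return None


def scan_log(lines: Iterable[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = classify(parse_flow(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def probes_by_source(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count inbound probes per source address: who is scanning the honeypots."""
    return dict(Counter(a.flow.src for a in alerts if a.kind == "honeypot-inbound"))


# Constructed sample log: two production flows, one probe of a honeypot,
# and one connection leaving a honeypot.
SAMPLE_LOG = """\
2024-04-01T10:00:01 10.10.0.20 10.10.0.30 443 tcp
2024-04-01T10:00:02 198.51.100.7 10.10.0.50 22 tcp
2024-04-01T10:00:03 10.10.0.20 10.10.0.31 80 tcp
2024-04-01T10:00:09 10.10.0.50 203.0.113.9 6667 tcp
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(a.severity, a.kind, a.flow.src, "->", a.flow.dst, a.flow.dport)
    print("probes per source:", probes_by_source(found))
```

The ordering of the two checks matters: a flow from one honeypot to another is reported as outbound (a compromise indicator), because the page's point is that a honeypot never initiates traffic on its own.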
2. Types of Honeypots

• Production/Research Honeypots:

Honeypots are classified into two general categories: production honeypots and research honeypots. Production honeypots are easier to build and deploy than research honeypots; besides their simplicity, they carry less risk. But they give less information about the attacker and about the types of attacks as well.

Research honeypots are designed to gain information about the black hat community, with the aim of researching the threats that the organization might face: detecting who the attackers are, how they are organized and which tools they are using, in order to find out who the attackers are and to understand how they operate. Then we can progressively protect the environment based on the collected information. Security research companies, government agencies and universities deploy research honeypots to help the security community secure their resources, and to learn about attackers: who they are, how they take action, and what tools they use. Indeed, honeynets are one example of research honeypots.

• Low/High Interactivity:

High-interaction honeypots offer the adversary a full system to interact with. This means that the honeypot does not emulate any services, functionality, or base operating systems. Instead, it provides real systems and services, the same as those used in organizations today. Thus, the attacker can completely compromise the machine and take control of it. This allows you to learn more about the tools, tactics, and motives of the attacker and get a better understanding of the attacker community. Although these types of honeypots can give you deep insights into the routine procedures of an attacker, be warned: high-interaction honeypots can be a time-consuming yet fascinating hobby! Your personal computer can be considered a high-interaction honeypot.
This approach, however, has several drawbacks. After all, you do not want an attacker to have access to your private data or disrupt your work. Certainly you want to set up a machine that is dedicated to this task, using a virtual machine. High-interaction honeypots carry some risk. The attacker can abuse a honeypot he has compromised and start to attack other systems on the Internet. This could cause you both legal and ethical problems. Therefore, we need to safeguard the whole setup to mitigate the risk.

Low-interaction honeypots are fascinating for many different reasons. Many noncommercial solutions exist, like LaBrea and Tiny Honeypot, and low-interaction honeypots are easy to set up. Even without much experience, you can set up a network of hundreds of low-interaction virtual honeypots in a short time.

• Hybrid honeypots:

When low-interaction systems are not powerful enough and high-interaction systems are too expensive, hybrid solutions offer the benefits of both worlds. Let's say we want to capture real worms on a class B network under our control. It would be too expensive to set up 65,000 real machines, but by combining the principles of low-interaction honeypots with high-interaction honeypots, we can use the low-interaction honeypots as gateways to a few high-interaction machines. The low-interaction honeypots filter out noise and scanning attempts and ensure that only interesting connections are forwarded to a set of high-interaction machines. These high-interaction machines can run different operating systems, and by selectively forwarding connections from the low-interaction honeypots, we can mix and match the different services available on the high-interaction systems.

3. Advantages of Honeypots

• Simplicity and high flexibility

The simpler a technology is, the fewer mistakes and misconfigurations there will be, and I consider that the biggest advantage of honeypots is their simplicity. Just drop one somewhere in the organization, then sit and wait. Some honeypots can be more complex, especially research honeypots. They all operate on the same simple
premise: the simpler the concept, the more reliable it is. With complexity come misconfigurations and failures.

Honeypots can be used in a wide variety of environments, due to their high flexibility. They can vary from a simple social security number added to a database, to an entire network of computers designed to be broken into. It is this flexibility of honeypots that allows them to be used anywhere and to gather extensive information accordingly, especially against insider threats.

• Data Value

The amount of information captured every day, from firewall logs, intrusion detection alerts and system logs, would be overwhelming and extremely difficult to take advantage of. Instead of logging gigabytes of data every day, honeypots only capture bad activities (positive alerts), reducing the noise and collecting only small data sets of high-value information, most likely a scan, probe, or attack.

• Minimal resources

Running out of resources has become an issue in the security community, and since honeypots require minimal resources, there are no resource limitations. Because they capture and monitor little activity, honeypots typically do not have problems of resource exhaustion. On the other hand, most IDS sensors have difficulty monitoring networks that run at gigabit speeds. The speed and volume of the traffic are too great for the sensor to analyze every packet. As a result, traffic is dropped and potential attacks are missed. A honeypot deployed on the same network does not share this problem. The honeypot only captures activity directed at itself; since honeypots only capture bad activity, any interaction with a honeypot is most likely unauthorized or malicious activity. That is to say, the system is not overwhelmed by the traffic. Besides, no great deal of money needs to be invested in hardware for deploying a honeypot: a cheap, old and unwanted Pentium computer will do the work.
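To make concrete what a low-interaction honeypot (the LaBrea / Tiny Honeypot class described under Types) looks like, and why it needs so few resources and captures only what is directed at it, here is a small one in Python. It is an added example, not code from the document or from either of those projects: it emulates nothing but a service banner (the SMTP-style banner text is constructed), records each peer and the first bytes it sends, and never acts on anything it receives. The `probe` client is a constructed stand-in for a scanner so the listener can be exercised locally.

```python
"""Minimal low-interaction honeypot: one banner-only TCP service.

Added example, not from the document. Every connection is logged as an
event; the captured bytes are data, never executed or interpreted.
"""
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List

# Constructed banner. A real deployment copies the exact banner of the service
# it imitates, because a wrong banner is one way a honeypot gets fingerprinted.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"
MAX_CAPTURE = 256   # bytes kept per connection: enough to see the first command


class LowInteractionHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)            # lets the accept loop notice shutdown
        self.port = self.sock.getsockname()[1]
        self.events: List[Dict] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(FAKE_BANNER)
                    data = conn.recv(MAX_CAPTURE)   # record only the opening bytes
                except OSError:                       # peer went away or timed out
                    data = b""
                # Nobody should talk to this port, so every event is suspect by definition.
                event = {
                    "ts": datetime.now(timezone.utc).isoformat(),
                    "peer_ip": peer[0],
                    "peer_port": peer[1],
                    "first_bytes": data,
                }
                with self._lock:
                    self.events.append(event)

    def snapshot(self) -> List[Dict]:
        with self._lock:
            return list(self.events)


def probe(port: int, payload: bytes) -> bytes:
    """Constructed client standing in for a scanner; returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
        return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    hp.start()
    print(probe(hp.port, b"EHLO scanner\r\n"))
    hp.stop()
    for e in hp.snapshot():
        print(e)
```

The listener does no parsing of what it receives, which is exactly the trade-off the page describes: little risk and almost no CPU or storage, at the price of learning nothing beyond the first exchange.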
• Capture the new tools and attacks

Honeypots are designed to capture anything thrown at them. This means they capture harmful methods and tools that have never been used before. This is unusual among the security systems deployed before them, like IDS, firewalls, etc., all of which have to recognize and diagnose an activity before categorizing it as dangerous.

• Return on Investment

Honeypots quickly and repeatedly demonstrate their value. Whenever they are attacked, people know the bad guys are out there. By capturing unauthorized activity, honeypots can be used to justify not only their own value but investments in other security resources as well. When management perceives there are no threats, honeypots can effectively prove that a great deal of risk does exist.

4. Disadvantages of Honeypots

• Narrow Field of View

The greatest disadvantage of honeypots is that they only see the activity that is directed against them. If an attacker breaks into your real network and attacks a variety of systems, your honeypot will be unaware of the activity unless it is attacked directly. That is to say, if the attackers have identified the honeypot for what it is, they can now avoid that system, with the honeypot never knowing. As noted earlier, honeypots are designed to be attacked, and if they are not, they lose their value.

• Fingerprinting

Fingerprinting is when an attacker can identify the true identity of the honeypot because of its characteristics or behaviors. If a blackhat identifies an organization using a honeypot on its internal networks, he could spoof the identity of other production systems and attack the honeypot. The honeypot would detect these spoofed attacks and falsely alert administrators that a production system was attacking it, sending the organization on a wild goose chase.
Meanwhile, in the midst of all the confusion, an attacker could focus on real attacks. Fingerprinting is an even greater risk for research honeypots. A system designed to gain intelligence can be devastated if detected. An attacker can feed bad information to a research honeypot instead of avoiding detection. This bad information would then lead the security community to draw incorrect conclusions about the blackhat community. This is not to say all honeypots must avoid detection. Some organizations might want to scare away or confuse attackers. Once a honeypot is attacked, it can identify itself and then warn off the attacker in the hope of scaring him off. However, in most situations organizations do not want honeypots to be detected.

• Risk

Honeypots can introduce risk to the environment. Once the honeypot is attacked, it can be used to attack, infiltrate, or harm other systems or organizations. The simpler the honeypot is, the less the risk. Some introduce very little risk and are difficult to compromise, while others give the attacker entire platforms from which to launch passive or active attacks against other systems.

Because of their disadvantages, honeypots cannot replace other security mechanisms such as firewalls and intrusion detection systems. Rather, they add value by working with existing security mechanisms. They play a part in your overall defenses.
Honeynets

1. How Honeynets Work

A Honeynet is a physical network of multiple systems, built on the same principle as a honeypot, but not limited to a single system. Anything sent to the Honeynet is suspect, potentially a probe, scan, or even an attack. Anything sent from a Honeynet implies that it has been compromised: an attacker or tool is launching activity.

Honeynets are an architecture that builds a highly controlled network, within which you can place any system or application you want. It is this architecture that is your Honeynet. There are three critical elements to a Honeynet architecture: data control, data capture, and data collection. These elements define your Honeynet architecture. Of the three, the first two are the most important and apply to every Honeynet deployment. The third, data collection, only applies to organizations that deploy multiple Honeynets in a distributed environment.

Data control is the controlling of the blackhat's activity. Once a blackhat takes control of a honeypot within the Honeynet, his activity has to be contained so he cannot harm non-Honeynet systems. Data capture is the capturing of all the activity that occurs within the Honeynet. Data collection is the aggregation of all the data captured by multiple Honeynets.

Honeynets are highly flexible: there is no specific way to implement a Honeynet
solution. However, what is critical is that it meets the data requirements of Honeynet technologies.

There are currently two types of Honeynets that can be employed on a network. These are GEN I, or first generation, and GEN II, or second generation. The type of Honeynet that one chooses to use depends on many factors, including the availability of resources, the types of hackers and attacks that you are trying to detect, and overall experience with the Honeynet methodology.

GEN I Honeynets are the simpler methodology to employ. Although they are somewhat limited in their ability for Data Capture and Data Control, they are highly effective in detecting automated attacks or beginner-level attacks against targets of opportunity on the network. Their limitations in Data Control make it possible for a hacker to fingerprint them as a Honeynet. They also offer little to attract a skilled hacker to target the Honeynet, since the machines on the Honeynet are normally just default installations of various operating systems.

GEN II Honeynets were developed to address the shortcomings inherent in GEN I Honeynets. The primary area addressed by GEN II Honeynets is Data Control. GEN I Honeynets used a firewall to provide Data Control by limiting the number of outbound connections from the Honeynet. This is a very effective method of Data Control; however, it lacks flexibility and allows for the possibility of the hacker fingerprinting the Honeynet. GEN II Honeynets provide Data Control by examining outbound data and making a determination to block it, to pass it, or to modify it by changing some of the packet contents, so as to let the data appear to pass while rendering it benign. GEN II Honeynets are more complex to deploy and maintain than GEN I Honeynets.
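The two Data Control strategies described above can be modelled side by side in a few lines. The Python below is an added example, not the Honeynet Project's or Honeywall's code: `DataControl` applies a GEN I style cap on the number of outbound connections per honeypot and, for connections under the cap, a GEN II style inspection that passes, blocks, or rewrites the payload so the connection appears to succeed while its content is rendered benign. The honeypot addresses, the one-packet-per-connection model and the `EXPLOIT-PLACEHOLDER` / `WORM-PLACEHOLDER` signatures are constructed placeholders standing in for real addresses and real IDS rules.

```python
"""Outbound data control for a honeynet, GEN I and GEN II style.

Added example, not from the document or the Honeynet Project.
  GEN I : count outbound connections per honeypot; block beyond a limit.
  GEN II: inspect the outbound payload; pass, block, or modify it in place
          (same length, so the connection still appears to work).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class OutboundPacket:
    """First packet of a new outbound connection from inside the honeynet (constructed model)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed placeholder signatures standing in for real IDS rules. The value
# is the GEN II decision taken when the pattern appears in an outbound payload.
SIGNATURES: Dict[bytes, str] = {
    b"EXPLOIT-PLACEHOLDER": "modify",
    b"WORM-PLACEHOLDER": "block",
}


def neutralise(payload: bytes, sig: bytes) -> bytes:
    """Overwrite every occurrence of sig with same-length filler, keeping packet size intact."""
    return payload.replace(sig, b"X" * len(sig))


@dataclass
class DataControl:
    honeypots: Set[str]
    max_outbound: int = 5                                  # GEN I: connections allowed per honeypot
    signatures: Dict[bytes, str] = field(default_factory=lambda: dict(SIGNATURES))
    counts: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    log: List[str] = field(default_factory=list)

    def decide(self, pkt: OutboundPacket) -> Tuple[str, OutboundPacket]:
        """Return (action, packet) where action is 'pass', 'block' or 'modify'."""
        # Only connections originating inside the honeynet are subject to control.
        if pkt.src not in self.honeypots:
            return "pass", pkt

        # GEN I layer: every outbound attempt counts, whatever its content.
        self.counts[pkt.src] += 1
        where = f"{pkt.src}->{pkt.dst}:{pkt.dport}"
        if self.counts[pkt.src] > self.max_outbound:
            self.log.append(f"BLOCK {where} outbound limit {self.max_outbound} exceeded")
            return "block", pkt

        # GEN II layer: look inside the payload and decide what to do with it.
        for sig, action in self.signatures.items():
            if sig in pkt.payload:
                if action == "block":
                    self.log.append(f"BLOCK {where} signature matched")
                    return "block", pkt
                rewritten = OutboundPacket(pkt.src, pkt.dst, pkt.dport, neutralise(pkt.payload, sig))
                self.log.append(f"MODIFY {where} signature neutralised")
                return "modify", rewritten

        self.log.append(f"PASS {where}")
        return "pass", pkt


if __name__ == "__main__":
    dc = DataControl(honeypots={"10.10.0.50"}, max_outbound=3)
    for payload in (b"GET / HTTP/1.0\r\n", b"abc EXPLOIT-PLACEHOLDER def", b"WORM-PLACEHOLDER", b"x"):
        action, out = dc.decide(OutboundPacket("10.10.0.50", "203.0.113.9", 80, payload))
        print(action, out.payload)
    print("\n".join(dc.log))
```

The "modify" path is what distinguishes GEN II from a plain firewall: the attacker sees a connection that completes, so the Honeynet is harder to fingerprint, while the outbound content can no longer do harm. The counter still sits in front of it because the page's GEN I limit remains a cheap backstop against an attacker who simply opens many connections.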
2. Virtual Honeynets

Virtual Honeynets represent a relatively new field for Honeynets. The concept is to run an entire Honeynet virtually on a single physical system. The purpose of this is to make Honeynets a cheaper solution that is easier to manage. Instead of investing in large amounts of hardware, all of the hardware requirements are combined onto a single system. Virtual Honeynets do not represent a specific architecture; they can support either GenI or GenII technologies. Instead, virtual Honeynets represent one option for deploying these architectures.
HoneyC

HoneyC is an example of a client honeypot that initiates connections to a server, aiming to find malicious servers on a network. It aims to identify malicious web servers by using emulated clients that are able to solicit the type of response from a server that is necessary for analysis of malicious content.

Official Website: https://projects.honeynet.org/honeyc/

Honeyd

Honeyd is an open source framework for setting up virtual honeypots with different services on one machine, fooling network fingerprinting tools and simulating real operating systems.

Official Website: www.honeyd.org/

Deploying Honeypots with Honeyd: http://ulissesaraujo.wordpress.com/2008/12/08/deploying-honeypots-with-honeyd/

Honeypot/honeyd getting started: http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/

Honeyd – A low involvement Honeypot in Action: http://security.rbaumann.net/download/honeyd.pdf
Honeywall

Honeywall is a bootable CD-ROM that comes with a set of tools and functionalities for implementing GenII data capture, data control and analysis features.

Install and configure Honeywall: http://doc.emergingthreats.net/pub/Main/HoneywallSamples/InstallAndConfigureHoneywall.pdf

DTK

The Deception Toolkit was the first open source honeypot, released in 1997. It is a collection of Perl scripts and C source code that emulates a variety of listening services. Its primary purpose is to deceive human attackers.

The Deception Toolkit Home Page: http://all.net/dtk/index.html

Honeytrap

Honeytrap is a low-interaction honeypot developed to observe attacks against network services. It helps administrators to collect information regarding known or unknown network-based attacks.

Official Website: http://honeytrap.carnivore.it/
Resources:

Honeypots, Tracking Hackers: http://www.tracking-hackers.com/papers/

Les HoneyPots par François ROPERT: http://www.authsecu.com/honeypots-honeynet/honeypots-honeynet.php#Les_menaces

CERT Advisory CA-2001-18, Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP): http://www.cert.org/advisories/CA-2001-18.html

Honeypots - Tracking Hackers, by Lance Spitzner. ISBN: 0-321-10895-7.

Honeypots for Windows, by Roger A. Grimes. ISBN: 1590593359.

Virtual Honeypots: From Botnet Tracking to Intrusion Detection, by Niels Provos and Thorsten Holz. ISBN: 0-321-33632-1.

White Paper: Honeypots, by Reto Baumann (http://www.rbaumann.net) and Christian Plattner (http://www.christianplattner.net).

Know Your Enemy, Honeynets: http://www.symantec.com/connect/articles/know-your-enemy-honeynets

Virtual Honeynet, Deploying Honeywall using VMware: http://www.honeynet.pk/honeywall/roo/index.htm
Table of Contents

Honeypot ... 1
  1. Definitions of Honeypots ... 1
  2. Types of Honeypots ... 3
    • Production/Research Honeypots ... 3
    • Low/High Interactivity ... 3
    • Hybrid honeypots ... 4
  3. Advantages of Honeypots ... 4
    • Simplicity and high flexibility ... 4
    • Data Value ... 5
    • Minimal resources ... 5
    • Capture the new tools and attacks ... 6
    • Return on Investment ... 6
  4. Disadvantages of Honeypots ... 6
    • Narrow Field of View ... 6
    • Fingerprinting ... 6
    • Risk ... 7
Honeynets ... 8
  1. How Honeynets Work ... 8
  2. Virtual Honeynets ... 10
HoneyC ... 11
Honeyd ... 11
Honeywall ... 12
DTK ... 12
Honeytrap ... 12
Resources ... 13