Honey Pots: Nature's Dessert or Cyber Defense Tool? Eric Richardson

Post on 17-Dec-2015


What is it?

• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource

Simple Definition

Definition Continued

• System appears to be legitimate

• Should be of no use to anyone

• Any interaction with the honey pot is malicious

Examples

• File Server

• Web Sites

• Work Station

• Customer File

Important Attributes

• The Honey Pot needs to appear legitimate

• Needs to be “difficult” to break into

• Honey Pot needs to be isolated from rest of the network

• Will not catch every intrusion!

Advantages

• Collect small sets of data

• Reduce false positives

• Reduce false negatives

• Capture encrypted activity

• Work with IPv6

High Interaction vs. Low Interaction

Which is better?

Low Interaction

• Emulates OS or various services

• Attackers cannot do much with the honey pot

• Easier to deploy, maintain, and configure

• Minimal risk

High Interaction

• Implement real OS and services

• Allow for extensive amount of interaction

• Much greater risk

• Used for research purposes

HoneyD

• Open source program for setting up Honey Pots

• Emulate various services all on a single machine

• Simulate OS

• Uses scripts to simulate services

Symantec Decoy Server

• Commercial solution

• Creates four “cages”

• Each cage is an OS and has its own file system

• Attackers interact with each “cage”

Why use them?

• Prevention

• Detection

• Response

Prevention

• Automated attacks and human attacks

• Sticky Honey Pots use clever TCP tricks

• Protection by deception

Detection

• As stated before, reduces false positives and negatives

• Captures encrypted activity and IPv6 traffic

• Interaction with a honeypot is likely to be malicious

Response

• Log important information

• Easy to take offline and analyze

• Honeypot doesn’t affect day to day operations
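
An added example, not from the original slides: a minimal low-interaction honeypot in Python that emulates only a service greeting, treats every connection as an alert, and logs what the peer sent, tying together the Low Interaction, Detection and Response slides. The banner text, port 2121 and the function names are assumptions made for illustration.

```python
import json
import socket
import time

BANNER = b"220 FTP server ready\r\n"   # constructed greeting; emulates a service, nothing more
MAX_BYTES = 1024                        # cap on what is read from any client
TIMEOUT = 5.0                           # seconds before a silent client is dropped


def make_listener(host="127.0.0.1", port=0):
    """Bind the decoy port; port 0 lets the OS pick a free one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def serve_once(listener, events):
    """Accept one connection, send the greeting, record what the peer sent."""
    conn, (peer_ip, peer_port) = listener.accept()
    with conn:
        conn.settimeout(TIMEOUT)
        data = b""
        try:
            conn.sendall(BANNER)
            data = conn.recv(MAX_BYTES)   # only logged, never parsed or executed
        except OSError:
            pass                          # a timeout or reset is still a hit
    event = {
        "ts": time.time(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": listener.getsockname()[1],
        "payload": data.decode("latin-1"),  # latin-1 maps every byte, so nothing is lost
        "alert": True,                      # nothing legitimate should ever connect here
    }
    events.append(event)
    return event


if __name__ == "__main__":
    # Assumed deployment: an isolated host with no production role.
    listener = make_listener("0.0.0.0", 2121)
    while True:
        print(json.dumps(serve_once(listener, [])))
```

Because the decoy has no legitimate users, each JSON line it prints can be forwarded as an alert without further filtering.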

In Conclusion

• Honeypots are flippin’ sweet

• A handy tool for helping with security

• Very flexible

Questions?

Maybe I’ll have answers!