Honeypot - A Brief Overview


Upload: silpi-rosan

Post on 27-Jan-2015


CET,BBSR

HONEYPOT

Presented By: SILPI RUPA ROSAN

Computer Sc Engg

CET Bhubaneswar


CONTENTS

The Threats

Definition of Honeypot

Basic Design of Honeypot

Classification of Honeypot

Working

Examples

Advantages & Disadvantages

Conclusion


The Threat

Thousands of scans a day

Fastest time honeypot manually compromised, 15 minutes

Life expectancies:

Vulnerable Win32 system is 93 min

Vulnerable Unix system is 1604 min

Primarily cyber-crime, focus on Win32 systems and their users.

Botnets


Definition

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

- Lance Spitzner


Basic Honeypot design


How does it help us?

Helps to learn a system's weaknesses

Hackers can be caught & stopped

Design better & more secure networks


HONEYPOT vs. IDS

HONEYPOT

Nobody is supposed to use it

Generates less but important logs of unauthorised activity

IDS

Compiles huge logs of authorised activity


Categories Of Honeypots…

Production honeypots: used to help mitigate risk in an organization

Research honeypots: to gather as much information as possible


Level of interaction

Low-Interaction Honeypots

High-Interaction Honeypots


Low Interaction Honeypot

-Emulates certain services, applications

-Identify hostile IP

-Protect internet side of network

-Low risk and easy to deploy/maintain, but capture limited information.


High Interaction Honeypot

-Real services, applications, and OS’s

-Capture extensive information but high risk and time intensive to maintain

-Internal network protection


Comparison

Low-interaction

-Solution emulates operating systems and services.

-Easy to install and deploy. Usually requires simply installing and configuring software on a computer.

-Minimal risk, as the emulated services control what attackers can and cannot do.

-Captures limited amounts of information, mainly transactional data and some limited interaction.

High-interaction

-No emulation, real operating systems and services are provided.

-Can be complex to install or deploy (commercial versions tend to be much simpler).

-Increased risk, as attackers are provided real operating systems to interact with.

-Can capture far more information, including new tools, communications, or attacker keystrokes.


How does a honeypot work?

Lure attackers

Data Control

Data Capture
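
The three stages above, applied to the low-interaction design described earlier, as an added example that is not part of the original slides: a fixed banner lures the visitor, a byte cap and timeout control what the visitor can do, and each contact is captured as an event. The banner text, the limits, the function names and the visitor address are all constructed for illustration.

```python
import socket
import time
from collections import Counter

BANNER = b"220 FTP service ready\r\n"  # constructed banner for the emulated service
MAX_BYTES = 256   # data control: never read more than this from a visitor
TIMEOUT = 3.0     # data control: drop idle connections

def handle(conn, addr, events):
    """Emulate one fixed exchange, then record who connected and what they sent."""
    conn.settimeout(TIMEOUT)
    data = b""
    try:
        conn.sendall(BANNER)          # lure: looks like a live service
        data = conn.recv(MAX_BYTES)   # received bytes are stored, never executed
    except OSError:                   # timeout or reset: the contact is still logged
        pass
    finally:
        conn.close()
    events.append({"ts": time.time(), "src_ip": addr[0], "src_port": addr[1],
                   "data": data.decode("latin-1")})   # data capture

def hostile_ips(events):
    """Nobody is supposed to use a honeypot, so every source IP is suspect."""
    return Counter(e["src_ip"] for e in events)

def serve(host, port, events):
    """Accept connections one at a time on a real listening socket."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            handle(conn, addr, events)

def demo():
    """Offline run: a socket pair stands in for a visitor; the address is constructed."""
    visitor, pot_side = socket.socketpair()
    visitor.sendall(b"USER admin\r\n")   # constructed input from the visitor
    events = []
    handle(pot_side, ("203.0.113.7", 40000), events)
    banner = visitor.recv(64)
    visitor.close()
    return banner, events

if __name__ == "__main__":
    banner, events = demo()
    print(banner, events, hostile_ips(events))
```
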


Example--


Implementation….


Examples of Honeypots

BackOfficer Friendly

KFSensor

Honeyd

Nepenthes

Honeynets

Low Interaction

High Interaction


BackOfficer Friendly


Advantages

Collect small data sets of high value

New tools and tactics

Information

Work in encrypted or IPv6 environments

Simple concept requiring minimal resources


Disadvantages

Limited field of view

Risk (mainly high-interaction honeypots)

Requires time and resources to maintain and analyze


Legal issues of Honeypot

Privacy

Liability


Conclusion


References

http://www.tracking-hackers.com/papers/honeypots.html

http://www.securityfocus.com/infocus/1757

http://www.securitywizardry.com/honeypots.html

http://www.honeynet.org/papers/honeynet

Honeynet Project, “Know Your Enemy: Defining Virtual Honeynets”. Available online at: http://project.honeynet.org/papers/index.html

Lance Spitzner, “Honeytokens: the Other Honeypot”, Security Focus information
