Published by: Anton Chuvakin on Jul 27, 2011
Copyright: Attribution Non-commercial







Lessons of the Honeypot I: Aggressive and Careless
Anton Chuvakin, Ph.D.
WRITTEN: 2003
Security is a rapidly changing field of human endeavor. The threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to stay in touch with such an ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.

Lance Spitzner's amazing book "Know Your Enemy" seems to have opened the floodgates of honeypot deployment. While the concept of honeypots as a means of network defense (or, rather, counter-offense against the attackers) has been known for a long time, the popularity of "honeynets" has risen during the last several years, most likely due to the work of Lance Spitzner. The Honeynet Project (http://project.honeynet.org/), originally a collaboration of 30 security professionals, now involves other organizations, members of the Honeynet Research Alliance.

The term "honeynet", as used in this article, apparently originated in the Project and means a network of systems with fairly standard configurations connected to the Internet. The only difference is that all communication is recorded and analyzed and no attacks can escape the network. The systems are never "weakened" for easier hacking, but are often deployed in default configuration with minimum patches.

I have the pleasure of running a honeynet (http://www.netforensics.com/honeynet1.html) for our company, netForensics (http://www.netForensics.com), a member of the Honeynet Research Alliance. It turns out that running a honeynet presents the ultimate challenge a security professional can face. The reason is that running a honeynet involves much more than running a production network. No 'lock it down and maintain state' is possible.
If protecting a production network is akin to defending a castle, running a honeynet is similar to running a spy network deep behind enemy lines. You have to build defenses and hide and dodge attacks that cannot be defended against.

This article presents an interesting observation, also noticed by other Honeynet Project members. It should be noted that it probably applies to the less enlightened part of the hacker community. In our honeynet, we had the questionable pleasure of observing the operations of several hackers who broke in. Their behavior seemed to indicate that they are used to operating with no resistance! Namely, the attackers who broke in only go for the low-hanging fruit of poorly administered networks.

While people running really tight network setups might sneer at that and claim that they have nothing to fear from such "hackers", the opposite is in fact true. The explanation is simple: the sheer number of scans and attacks aimed at Internet-facing networks shows that any minor mistake in network configuration will be discovered fairly soon. Open an unsecured FTP server to let somebody download stuff, and see it change ownership really fast. In fact, malicious attackers often scan millions of random Internet addresses and compile databases of the services they run. Now, when a new exploit for a network service appears, they already have a list of potentially vulnerable hosts, ready for taking over. For example, the DShield (http://www.dshield.org) distributed intrusion detection project has recently reported intense scanning for port 1433, the MS SQL service (see http://www.dshield.org/port_report.php?port=1433 for more details). It was attributed to such preemptive data collection by the blackhats. In our honeypot, the intruder left his FTP scanner running for hours, thinking he had just scanned 200,000 hosts (while in fact the honeypot software absorbed all the hostile traffic). Judging by the amount of activity just one person can perform per day per owned host, one can be assured that claims that an unsecured machine will be exploited within a day of connecting to the Internet are not an exaggeration!

Many of the tools that are captured on the penetrated machines in our honeynet are fully automated. Basically, if an attacker is not interested in any particular hosts to attack, the software chooses a random class A network (16 million hosts) and first scans it for a particular network service (currently, FTP is the favorite; see http://www.dshield.org for global statistics).
Then, on the second pass, the program collects FTP banners (such as "ftp.example.com FTP server (Version wu-2.6.1-16) ready.") for target selection. On the third pass, the servers that run a particular version of the FTP daemon are attacked, exploited and backdoored for convenience. The owner of such a tool can return in the morning to pick up a list of IP addresses that he now "owns" (meaning, has 'root' access to).

While customers are asking security vendors to provide more user-friendly and easy-to-understand security tools, "script kiddies" (i.e. low-level attackers) are apparently asking the unknown "uber-hackers" for more "point-and-own" attack tools. In fact, even pointing is not required anymore.

Let me relate some more educational stories from our honeypot. The pinnacle of "aggressive and careless" was the hacker who broke in and deployed his toolkit packaged as "his-hacker-nickname.tar.gz" (a UNIX archive file; the hacker's nickname is replaced). He then used FTP to access his site using the login name "his-hacker-nickname". His IRC (Internet Relay Chat) client software (which he also deployed) had the same name embedded. Imagine our surprise when we discovered that the IP address he came from resolves to "his-hacker-nickname.com". Now, that's being covert!

Another attacker's first action was changing the 'root' password on the system. Sure, that helps to avoid being noticed. Not a single attacker bothered to check for the presence of Tripwire (an integrity checking system), which is included by default in the RedHat Linux used in our honeypot. On the next Tripwire run, all the "hidden" files are easily discovered. One more attacker created a directory for himself as /his-hacker-nickname. I guess no system admin will be surprised to see a new directory right in the root of the disk. The rootkits (i.e. hacker toolkits to maintain access to a system, which include backdoors, trojans and common attack tools) now reach megabyte sizes and feature graphical installation interfaces. Hackers download their tools from their accounts with well-known Internet providers (and not from some "secret" hacker sites).

Overall, our honeypot experience seems to indicate that the attackers most likely to happen upon a company network are not very skilled, but extremely numerous and equipped with fully automated hacking tools. As a result, they present considerable danger to most companies. The only solution to the puzzle is constant vigilance based on careful monitoring outside and inside the organization's network and prompt response to the incidents that are bound to occur. Meticulous log file collection from all security devices for further analysis and more effective intrusion detection are a must.
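Added example (not part of the original article or of the honeynet's own tooling): one way to turn collected connection logs into the kind of detection the article calls for, flagging any source that touches many distinct hosts on a single port within a short window, whether it is an outside prober or an owned machine sweeping outbound. The log format, addresses, window and threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed 'timestamp src dst dport' records; all addresses are made up."""
    t0, out = datetime(2003, 1, 1, 2, 0, 0), []
    def add(offset, src, dst, port):
        out.append(f"{(t0 + offset).isoformat()} {src} {dst} {port}")
    for i in range(1, 41):   # owned honeypot sweeping FTP outbound, 1 target/sec
        add(timedelta(seconds=i), "10.0.0.5", f"198.51.100.{i}", 21)
    for i in range(1, 31):   # outside source probing MS SQL across the honeynet
        add(timedelta(seconds=2 * i), "203.0.113.9", f"10.0.0.{i}", 1433)
    for i in range(60):      # ordinary client re-visiting three web servers
        add(timedelta(seconds=5 * i), "10.0.0.7", f"192.0.2.{i % 3 + 1}", 80)
    for i in range(25):      # slow sweep: one FTP probe every 30 minutes
        add(timedelta(minutes=30 * i), "203.0.113.50", f"10.0.0.{i + 1}", 21)
    return out

def find_scanners(lines, window=timedelta(minutes=5), threshold=20):
    """Map (src, dport) -> peak count of distinct destinations inside any
    sliding window, for sources whose peak reaches the threshold."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events[(src, int(dport))].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start, peak, in_window = 0, 0, defaultdict(int)
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:   # expire events older than window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (src, port), n in sorted(find_scanners(constructed_sample()).items()):
        print(f"ALERT {src} touched {n} distinct hosts on port {port} within 5 min")
```

With the default five-minute window the slow sweep from 203.0.113.50 stays below the threshold; running the same function with a one-day window reports it, which is why long-term log retention matters for this kind of analysis.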
This is an updated author bio, added to the paper at the time of reposting in 2010.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management (see list www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product
