
Honeypots

What is a Honeypot?
 An information system resource whose value lies in unauthorized or illicit use of that resource.
 A computer, data or a network site that APPEARS to be part of a network but which is actually ISOLATED and PROTECTED.

Purpose
 Distract adversaries on a network.
 Monitor, detect and analyze attacks and attacking trends.
 Capture malicious and unauthorized code.

Not limited to a specific purpose

Honeypots do not solve a specific problem; instead they are a tool that contributes to your overall security architecture. Their value, and the problems they help solve, depend on how you build, deploy, and use them.

Honeypot Timeline
 1990/1991 - The Cuckoo's Egg and Evening with Berferd
 1997 - Deception Toolkit
 1998 - CyberCop Sting
 1998 - NetFacade (and Snort)
 1998 - BackOfficer Friendly
 1999 - Formation of the Honeynet Project
 2003 - Some honeypot tools such as Snort-Inline and Sebek

Implementation of Honeypots
1) Deciding location: used on the Internet as well as in the intranet. The best location is inside the DMZ.

2) Gather information through:
 Firewall logs
 Packet sniffer
 Local and remote logs
 Remotely forwarded logs

3) Limiting outbound attacks through:
 Firewalls
 System configured as a layer-2 bridge

4) Putting the honey into the pot:
 Fake databases of customers
 E-mails with passwords
 Financial information
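The following is an added example, not part of the original slides, that exercises two of the implementation steps above: gathering information from firewall logs (step 2) and seeding fake data into the pot so that any use of it can be detected (step 4). The honeypot address, the iptables-style log lines, the application log lines and the bait account names are all constructed for this example.

```python
"""Added example (not from the slides): gather information from firewall
logs and detect use of seeded "honey" (fake accounts).
All addresses, log lines and account names below are constructed."""
import re
from collections import defaultdict

HONEYPOT_ADDR = "10.0.2.50"   # assumed address of the honeypot inside the DMZ

# Constructed iptables LOG lines. The kernel writes packet fields as KEY=VALUE
# pairs, which is why a generic KEY=VALUE parser is enough here.
FIREWALL_LOG = """\
Mar  3 10:15:01 fw kernel: HP-IN IN=eth1 OUT= SRC=203.0.113.7 DST=10.0.2.50 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:15:02 fw kernel: HP-IN IN=eth1 OUT= SRC=203.0.113.7 DST=10.0.2.50 PROTO=TCP SPT=51235 DPT=80 SYN
Mar  3 10:15:04 fw kernel: HP-IN IN=eth1 OUT= SRC=198.51.100.9 DST=10.0.2.50 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:15:05 fw kernel: HP-IN IN=eth1 OUT= SRC=203.0.113.7 DST=10.0.2.10 PROTO=TCP SPT=51236 DPT=443 SYN
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_firewall_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(KV_RE.findall(line))


def honeypot_contacts(log_text, honeypot_addr=HONEYPOT_ADDR):
    """Summarise inbound contacts to the honeypot as {src: sorted dst ports}.

    Nothing legitimate talks to the honeypot, so every entry returned is of
    interest; traffic to other hosts (the last line above) is ignored.
    """
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_firewall_line(line)
        if fields.get("DST") == honeypot_addr and "DPT" in fields:
            contacts[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(ports) for src, ports in contacts.items()}


# Step 4, "putting the honey into the pot": accounts that exist only as bait,
# planted in a fake customer database and in e-mails containing their passwords.
# No legitimate user knows them, so any login attempt naming them is a signal.
# Names are constructed for this example.
HONEYTOKEN_ACCOUNTS = {"svc_backup", "jsmith_finance"}

AUTH_RE = re.compile(r"user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)")

# Constructed application (local) log lines in an assumed key=value format.
APP_LOG = """\
2024-03-03T10:20:11Z login user=alice result=ok src=10.0.1.22
2024-03-03T10:20:40Z login user=svc_backup result=fail src=203.0.113.7
2024-03-03T10:20:41Z login user=jsmith_finance result=ok src=203.0.113.7
"""


def honeytoken_hits(log_text, accounts=HONEYTOKEN_ACCOUNTS):
    """Return (user, src, result) for every login attempt that used a bait account."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group("user") in accounts:
            hits.append((m.group("user"), m.group("src"), m.group("result")))
    return hits


if __name__ == "__main__":
    for src, ports in honeypot_contacts(FIREWALL_LOG).items():
        print(f"honeypot contacted by {src} on ports {ports}")
    for user, src, result in honeytoken_hits(APP_LOG):
        print(f"bait account {user} used from {src} (result={result})")
```

The two signals combine naturally: the source that touched the honeypot on ports 22 and 80 is the same one that later used both bait accounts, which is exactly the "small data set of high value" the slides list as an advantage.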

Classification of Honeypots
1) By implementation: Physical, Virtual
2) By physical presence in the network: Hardware based, Software based

3) By purpose: Production, Research
4) By level of interaction: High, Low

Low Interaction
 Provide emulated services.
 No operating system for the attacker to access.
 Information limited to transactional information and the attacker's activities with the emulated services.
 Minimal risk.
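As an added illustration of what "emulated services" and "transactional information" mean in practice (this is example code, not from the slides or from any of the tools named later), the following minimal low-interaction honeypot listens on a TCP port, sends a fake service banner, records what the client sent and for how long, and then closes. There is no real service and no operating system behind the port, which is where the "minimal risk" comes from. The banner text, the capture limit and the record format are assumptions for this example; the `probe` client is constructed so the whole thing can be exercised on loopback.

```python
"""Added example (not from the slides): a minimal low-interaction honeypot.
It emulates one service banner, records transactional details per
connection, and never hands the client a real shell or OS.
Banner, limits and record layout are assumptions for this example."""
import json
import socket
import threading
import time

BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # emulated banner only; no SSH server behind it
MAX_CAPTURE = 256                    # bytes of client input kept per connection
READ_TIMEOUT = 2.0                   # seconds; a slow client cannot hold a thread


class EmulatedService:
    def __init__(self, host="127.0.0.1", port=0, banner=BANNER):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets serve() notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self._records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()

    def _handle(self, conn, peer):
        """Send the banner, capture a bounded amount of input, record, close."""
        started = time.time()
        captured = b""
        try:
            conn.settimeout(READ_TIMEOUT)
            conn.sendall(self.banner)
            while len(captured) < MAX_CAPTURE:
                chunk = conn.recv(MAX_CAPTURE - len(captured))
                if not chunk:
                    break
                captured += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        record = {                           # transactional information only
            "ts": round(started, 3),
            "src": peer[0],
            "sport": peer[1],
            "dport": self.port,
            "bytes_in": len(captured),
            "data": captured.decode("latin-1"),
            "duration": round(time.time() - started, 3),
        }
        with self._lock:
            self._records.append(record)

    def serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self.sock.close()

    def start(self):
        threading.Thread(target=self.serve, daemon=True).start()

    def stop(self):
        self._stop.set()

    def records(self):
        with self._lock:
            return list(self._records)


def probe(port, payload=b"SSH-2.0-scanner\r\n"):
    """Constructed client used to exercise the honeypot; returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


def run_demo(timeout=5.0):
    """Start the service, connect once, and return (banner seen, records logged)."""
    svc = EmulatedService()
    svc.start()
    banner = probe(svc.port)
    deadline = time.time() + timeout
    while time.time() < deadline and not svc.records():
        time.sleep(0.05)
    svc.stop()
    return banner, svc.records()


if __name__ == "__main__":
    banner, records = run_demo()
    print("client saw banner:", banner)
    for r in records:
        print(json.dumps(r))
```

Each record is one line of JSON, so it can be appended to a local log or shipped to a remote collector, matching the "local and remotely forwarded logs" step of the implementation list.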

High Interaction
 Complex.
 Provide actual operating systems.
 Learn extensive amounts of information.
 Extensive risk.

Value
 Provides in-depth information.
 High interaction honeypots for research purposes.
 Low interaction honeypots for production purposes.

Advantages
 Small data sets of high value
 New tools and tactics
 Minimal resources
 Simplicity
 Information
 Encryption or IPv6

Disadvantages
 Risk
 Limited view

Honeypots
Ordered from low interaction to high interaction:
 BackOfficer Friendly
 SPECTER
 Honeyd
 ManTrap
 Honeynets

Which is best?

None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.

Legal Issues
 Privacy
 Entrapment
 Liability

Summary
In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, inexperienced hands, it can become another infiltrated machine and an instrument for the blackhat community.

THANK YOU
