10-09-2016, 02:59 PM
1454484216-honeypotshoneynetssecuritydeception411.pdf (Size: 313.7 KB / Downloads: 5)
This article describes a security tool and concept known as a Honey Pot and Honeynet. What makes this security
tool different is that Honey Pots and Honeynets are digital network bait, and through deception, they are
designed to actually attract intruders. This paper expands on the work of two SANS GSEC research papers:
'Honey Pot Systems Explained'
Overview
This article describes a security tool and concept known as a Honey Pot and Honeynet. What makes this
security tool different is that Honey Pots and Honeynets are digital network bait, and through deception,
they are designed to actually attract intruders.
This paper expands on the work of two SANS GSEC research papers: 'Honey Pot Systems Explained' -
by Loras Even and 'Honey Pots and Intrusion' - by David Klug.
What is a Honey Pot?
Remember:
"There can never be enough deception."
- Sun Tzu
Honey Pots are fake computer systems, set up as a "decoy", that are used to collect data on intruders.
This "decoy" appears to contain operating system vulnerabilities that make it an attractive target for
hackers. A Honey Pot, loaded with fake information, appears to the hacker to be a legitimate machine.
While it appears vulnerable to attack, it actually prevents access to valuable data, administrative controls
and other computers. Deception defenses can add an unrecognizable layer of protection.
As long as the hacker is not scared away, system administrators can now collect data on the identity,
access, and compromise methods used by the intruder. The Honey Pot must mimic real systems or the
intruder will quickly discover the 'decoy'. Honey Pots are set up to monitor the intruder without risk to
production systems or data. If the Honey Pot works as intended, how the intruder probes and exploits the
system can now be assessed without detection.
The concept of a Honey Pot is to learn from the intruder's actions. This knowledge can now be used to
prevent attacks on the "real", or production, systems, as well as diverting the resources of the attacker to
the 'decoy' system.
Advantages of Honey Pots:
· Deter Attacks - Fewer intruders will invade a network that they know is designed to
monitor and capture their activity in detail.
· Divert Attackers' Efforts - An intruder will spend energy on a system that causes
no harm to production servers.
· Educate - The properly designed and configured Honey Pot provides
data on the methods used to attack systems.
· Detect Insider Attacks - Since most IDS systems have difficulty detecting insider
attacks, Honey Pots can provide valuable information on the
patterns used by insiders.
· Create Confusion for Attackers - The bogus data Honey Pots provide to attackers
can confuse and confound.
Integrating and Installing Honey Pots
The better the integration of the Honey Pot into your system, the more effective it will be. This must be
balanced against the ability to maintain control of the installation. We don’t want a compromised system to
become a platform from which to launch attacks on our system or others.
Experts suggest placing the Honey Pot machine on its own network and behind a firewall or router.
The advantages include:
· The first goal is to track the intruder’s moves by gathering forensic information. Secure
firewall and router logs can provide detailed information on the probes and ports of interest
to the intruder.
· Many firewalls and routers have the ability to alert the operator whenever someone connects
to the Honey Pot.
· Firewall and router rules can be established to protect the real network should the Honey Pot
become compromised.
Start by giving the Honey Pot an attractive name. Systems named mail, name_server, finance, archive
or human resources (hr) make enticing targets for intruders. We want to integrate the Honey Pot into
our actual system without placing production servers at risk.
The Honey Pot should not normally be accessed by anyone, since it provides no legitimate services.
Any connection to the Honey Pot should alert the operator. Logging that shows data flowing out of the
Honey Pot machine can also indicate it has been compromised.
How do we track the intruder without them knowing it? The establishment of multiple logging layers
provides the best solution. Logging needs to be as ‘stealthy’ as possible. We do not want to depend on
a single layer of logging, since this could be altered or erased. Different logging views will also provide a
better understanding of exactly what the intruder was attempting. Most important to remember is that
logs can only be trusted if their integrity can be guaranteed.
Establishment of logging on the Honey Pot itself creates a risk that the intruder will learn our logging
scheme through the system configuration files. These logs and configurations could also be altered or
erased if the machine is compromised. The best logging method is to create logs on a system the
intruder cannot access, as well as on the Honey Pot itself. A firewall or router can provide this capability.
Since logs created on the Honey Pot itself are at risk, logging should also be sent to a dedicated server
using a cryptographic protocol, to mask the actual logging methods used. The logging server should be
highly secured with all services turned off, and port 514 UDP blocked to prevent unauthorized logging
of information from the Internet. A free open source encrypted solution is the program ‘ssyslog’ from
Core-SDI or ‘syslog-ng’ from BalaBit software. Alternate logging methods for NT include ‘slogger’ and
‘EventReporter’. A strong commercial product is the ‘Secure Log Repository’ product from NFR
Security. Whenever possible, bogus logging configuration files should also be established on the local
Honey Pot. This will help ensure we capture valid information on how the system was attacked or
compromised, and reduce the possibility of the intruder becoming aware of our decoy.
Another layer of logging includes using a network sniffer on the Honey Pot wire to capture all data in or
out of the machine. This allows capturing the keystrokes of the intruder. The sniffer can also perform
screen captures to see exactly what the intruder sees. Several different sniffers and/or IDS monitors
can be used. They include Real Secure, NFR, Dragon and Snort.
To help determine if the system has been compromised, capture an image of the original system
program binaries using a tool such as TripWire and save this data remotely. Freeware tools similar to
Tripwire can quickly create a database, which includes MD5 checksums, of system files for many
system platforms. Use these tools to create a baseline of the system.
Remember that ‘bad’ things can happen on a compromised system by a knowledgeable intruder who
becomes aware he/she is on a Honey Pot. Be ready to pull the plug, especially after all has been
learned within reason. The goal is to learn how intruders compromise a system, not to let the intruder
use the Honey Pot as his/her tool and cause further damage. Part of the responsibility in establishing a
Honey Pot is to carefully monitor the activity on the decoy. A system that begins to launch attacks on
Friday night at 11 PM must be addressed immediately. No system administrator wants to explain to his
boss on Monday morning how this device, implemented and sold to management as a product to
increase security, was then used by some hacker against them all weekend. Use the e-mail or pager
alert feature contained in many firewalls.
To limit the scope of attacks that could be launched from a compromised Honey Pot, establish rules on
the firewall for outbound traffic. Allow any type of traffic inbound from the Internet, but only allow
outbound traffic such as ICMP, DNS (UDP) and FTP. The intruder may become wary, but this prevents
many of the nastier hacker tools from working.
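The two alerting rules the paper describes, as an added example (not from the paper or any firewall vendor): any inbound connection to the decoy is an alert, and any outbound traffic from the decoy that is not ICMP, DNS over UDP or FTP is treated as a sign of compromise. The log line format, the decoy address 192.0.2.10 and the sample log are all constructed for this example; a real deployment would adapt the regular expression to the firewall's own syntax.

```python
import re

HONEYPOT = "192.0.2.10"   # constructed decoy address (TEST-NET range), not from the paper

# Outbound traffic the paper allows from the decoy: ICMP, DNS over UDP, and FTP (ports 20/21).
ALLOWED_OUTBOUND = {("icmp", None), ("udp", 53), ("tcp", 21), ("tcp", 20)}

# Constructed log format (not any real firewall's syntax):
#   <time> <proto> <src>[:<sport>] -> <dst>[:<dport>]
LINE = re.compile(
    r"^(?P<time>\S+) (?P<proto>\w+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def classify(line, honeypot=HONEYPOT):
    """Return an alert string for one firewall log line, or None if it needs no attention."""
    m = LINE.match(line.strip())
    if not m:
        return "unparsable log line: " + line.strip()
    proto = m["proto"].lower()
    dport = int(m["dport"]) if m["dport"] else None
    if m["dst"] == honeypot:
        # Nobody has a legitimate reason to talk to the decoy: every inbound hit is an alert.
        return f"{m['time']} INBOUND {proto} from {m['src']} to port {dport}"
    if m["src"] == honeypot:
        if (proto, None if proto == "icmp" else dport) in ALLOWED_OUTBOUND:
            return None
        # Anything else leaving the decoy suggests it is being used against others.
        return f"{m['time']} OUTBOUND {proto} from decoy to {m['dst']} port {dport}: possible compromise"
    return None

def scan(lines, honeypot=HONEYPOT):
    """Run every line through classify() and return the alerts in log order."""
    return [a for a in (classify(l, honeypot) for l in lines) if a]

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
22:58:01 tcp 198.51.100.7:40211 -> 192.0.2.10:22
22:58:05 udp 192.0.2.10:33211 -> 192.0.2.1:53
22:58:06 icmp 192.0.2.10 -> 198.51.100.7
22:59:10 tcp 192.0.2.10:51020 -> 203.0.113.9:21
23:00:42 tcp 192.0.2.10:51021 -> 203.0.113.9:6667
23:01:00 tcp 198.51.100.7:40300 -> 192.0.2.20:80
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample log only the inbound SSH probe and the outbound TCP connection to port 6667 are reported; the DNS, ICMP and FTP lines match the allow list and the last line does not involve the decoy at all.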
Consider making a disk image backup of the original ‘clean’ system install with a disk utility such as
Norton ‘Ghost’. This can be used to ‘reset’ the Honey Pot to a known state after the data is collected on
the compromised system, or if the administrator completely loses control of the machine. The downside
is that the intruder will know something is wrong and avoid the decoy in the future.
Once a compromised Honey Pot is ‘reset’, consider fixing the vulnerabilities that were used by the
intruder. You can then learn new attack methods.
Honeynet Project
A group of security professionals has expanded on the Honey Pot concept and created a project
dedicated to learning the tactics, tools, and motives of the blackhat (hacker) community and sharing the
knowledge they learn. The project is called 'The Honeynet Project', and can be found on the web at URL
http://project.honeynet.org.
While a Honey Pot can be a single machine, the Honeynet is a network, where all inbound and outbound
data is analyzed and collected. Within this network, a wide variety of standard production systems are
established. These systems provide real services, so they more closely match the actual conditions
found in many organizations today. This can make a Honeynet harder to detect, since it does not just
mimic services like Honey Pots. Future plans include mixing the Honeynet into live production systems,
making the Honeynet even harder to detect.
The goals of this project are twofold:
1) To raise awareness of threats and vulnerabilities that exist on the Internet.
2) To teach and inform security professionals.
The site contains a wealth of information including a library of white papers on security topics, forensic
data collection and passive fingerprinting data analysis. Also included is information on the decoding and
makeup of various network scans used by intruders.