19-03-2011, 04:34 PM
PRESENTED BY:
Lance Spitzner
honeypots-0.2.ppt (Size: 515 KB / Downloads: 182)
Purpose
To introduce you to honeypots, what they are, how they work, their value.
Problem
• Variety of misconceptions about honeypots, everyone has their own definition.
• This confusion has caused a lack of understanding and adoption.
Honeypot Timeline
• 1990/1991 The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
• 2002 - dtspcd exploit capture
Definition
Any security resource whose value lies in being probed, attacked, or compromised.
How honeypots work
Simple concept
• A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
• Not limited to specific purpose
• Honeypots do not solve a specific problem; instead, they are a tool that contributes to your overall security architecture.
• Their value, and the problems they help solve, depend on how you build, deploy, and use them.
Types
• Production (Law Enforcement)
• Research (Counter-Intelligence)
Marty’s idea
Value
What is the value of honeypots?
• One of the greatest areas of confusion concerning honeypot technologies.
Advantages
• Based on how honeypots conceptually work, they have several advantages.
– Reduce False Positives and False Negatives
– Data Value
– Resources
– Simplicity
Disadvantages
• Based on the concept of honeypots, they also have disadvantages:
– Narrow Field of View
– Fingerprinting
– Risk
Production
• Prevention
• Detection
• Response
Prevention
• Keeping the burglar out of your house.
• Honeypots, in general, are not effective prevention mechanisms.
• Deception, Deterrence, and Decoys are psychological weapons. They do NOT work against automated attacks:
– worms
– auto-rooters
– mass-rooters
Detection
• Detecting the burglar when he breaks in.
• Honeypots excel at this capability, due to their advantages.
Response
• Honeypots can be used to help respond to an incident.
– Can easily be pulled offline (unlike production systems).
– Little to no data pollution.
Research Honeypots
• Early Warning and Prediction
• Discover new Tools and Tactics
• Understand Motives, Behavior, and Organization
• Develop Analysis and Forensic Skills
• Early Warning and Prediction
• Tools
• Tactics
• Motives and Behavior
Level of Interaction
• Level of Interaction determines the amount of functionality a honeypot provides.
• The greater the interaction, the more you can learn.
• The greater the interaction, the more complexity and risk.
Risk
• Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.
Low Interaction
• Provide Emulated Services
• No operating system for attacker to access.
• Information limited to transactional information and attackers' activities with emulated services.
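Added example, not from the slides or from any of the tools they list: a minimal low-interaction honeypot in Python that emulates only a web-server banner, treats every connection as an alert (the resource expects no data), and records transactional information without executing anything from the request. The banner text, MAX_REQUEST and all function names are my assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: the honeypot answers like a web server but runs none.
BANNER = b"HTTP/1.0 200 OK\r\nServer: emulated\r\nContent-Length: 0\r\n\r\n"
MAX_REQUEST = 4096  # hypothetical cap on bytes read per connection

def handle_request(request: bytes, src_ip: str, src_port: int) -> tuple[bytes, dict]:
    """Pure protocol logic: the resource expects no data, so every contact is an
    alert. Only transactional data is recorded; nothing in the request is executed."""
    first_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": f"{src_ip}:{src_port}",
        "bytes": len(request),
        "request_line": first_line[:200],  # bounded so the log cannot be flooded
        "alert": True,
    }
    return BANNER, record

def serve_one(srv: socket.socket, timeout: float = 5.0) -> dict:
    """Accept one connection on a listening socket, reply, return the record."""
    srv.settimeout(timeout)
    conn, (src_ip, src_port) = srv.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(MAX_REQUEST)
        except socket.timeout:
            data = b""  # a bare connect with no payload is still an alert
        reply, record = handle_request(data, src_ip, src_port)
        conn.sendall(reply)
    return record

def demo() -> dict:
    """Bind an ephemeral loopback port and probe it from a constructed client thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        def client() -> None:
            with socket.create_connection(("127.0.0.1", port)) as c:
                c.sendall(b"GET /admin HTTP/1.0\r\n\r\n")
                c.recv(256)
        t = threading.Thread(target=client)
        t.start()
        record = serve_one(srv)
        t.join()
    return record
```

Calling `demo()` runs a single loopback probe and returns the alert record; in a real deployment the record would be shipped to the SIEM, and the fact that any connection at all is an alert is what gives the honeypot its low false-positive rate.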
High Interaction
• Provide Actual Operating Systems
• Learn extensive amounts of information.
• Extensive risk.
Honeypots
• BackOfficer Friendly
– http://www.nfrproducts/bof/
• SPECTER
– http://www.specter.com
• Honeyd
– http://www.citi.umich.edu/u/provos/honeyd/
• ManTrap
– http://www.recourse.com
• Honeynets
– http://project.honeynetpapers/honeynet/
• BackOfficer Friendly
• Specter
• Honeyd
• ManTrap
• Honeynets
Which is best?
None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.
Legal Issues
• Privacy
• Entrapment
• Liability
Legal Contact for .mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section
– General Number: (202) 514-1026
– Specific Contact: Richard Salgado
• Direct Telephone (202) 353-7
Summary
Honeypots are a highly flexible security tool that can be used in a variety of different deployments.