honeypots seminars report
#16
Presented By
CH.KAMALAKAR

INTRODUCTION
One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, and possibly when will they attack? It is questions like these the security community often cannot answer. Now a new tool called honeypots has come to gather information about the enemy.
Over the past several years there has been a growing interest in honeypots and honeypot-related technologies. Honeypots are an exciting new technology with enormous potential for the security community. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. This flexibility gives honeypots their true power. In one way the honeypot is defined as:
“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource”.
Honeypots are a resource that has no authorized activity; they do not have any production value. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. The glory of a honeypot is that it lets you catch unknown attacks as well.
Set up a server and fill it with tempting files. Make it hard but not impossible to break into. Then sit back and wait for the crackers to show up. Observe them as they cavort around in the server. Log their conversations with each other. Study them like you’d watch insects under a magnifying glass.
WHAT IS A HONEYPOT?
A Honeynet is a type of honeypot designed specifically for research. A honeypot is a resource whose value is in being probed, attacked, or compromised. Traditionally their value has been for deception or detecting attacks. They are usually single systems that emulate other systems, emulate known services or vulnerabilities, or create jailed environments. Some excellent examples of honeypots include Specter, Mantrap, or The Deception Toolkit.
• It is not a single system but a network of multiple systems. This network sits behind an access control device where all inbound and outbound data is controlled and captured. This captured information is then analyzed to learn the tools, tactics, and motives of the blackhat community. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS web server, and a Solaris Database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to accurately profile specific blackhat trends and signatures.
• All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.
It is these two design differences that make a Honeynet primarily a tool for research. It can be used as a traditional honeypot, such as detecting unauthorized activity; however, a Honeynet requires a great deal more work, risk and administration. It's simply not worth all the effort of building and maintaining a Honeynet just to detect attacks. You are far better off with the simpler honeypot solutions mentioned above.
Often organizations are so overwhelmed with production activity, such as GBs of system logging, that it can be extremely difficult to detect when a system is attacked, or even when successfully compromised. Intrusion Detection Systems are one solution designed for detecting attacks. Isolated honeypots have a much easier time because they are systems that should not normally be accessed.
IDS administrators can be overwhelmed with alerts that were generated when the sensor recognized the configured signature of an “attack”. The problem here is that the system administrator may receive so many alerts on a daily basis that they cannot respond to all of them.
Another risk is false negatives, when IDS systems fail to detect a valid attack. Honeypots happily capture any attacks thrown their way.
Honeypots can simplify the detection process. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature.
VALUE OF A HONEYPOT
Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive; the enemy is on the attack. Honeynets attempt to change that; they give organizations the ability to take the initiative.
The primary purpose of a Honeynet is to gather information about threats that exist. New tools can be discovered, worms can be captured and analyzed, attack patterns can be determined, and attacker motives studied. Captured information can also be used as an early indications and warning system, alerting to attacks before they happen. The ultimate goal of Honeynets is to provide information that can be used to protect against threats. Honeynets can be compared to the Navy's use of SOSUS during the Cold War. During the 1950-1980's, enemy submarines posed a threat as they could silently approach and attack from anywhere in the world's oceans. To detect these threats, devices were placed throughout the ocean's floor to passively capture the activity of enemy submarines. Honeynets can be considered the SOSUS of cyber space, passively gathering information on threats. The only difference is, for a Honeynet to passively gather information, blackhats have to probe, attack, or exploit Honeynet systems.

Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining from vast amounts of information what production traffic is and what is malicious activity.
The Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack, or other malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised. An attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept of no production traffic greatly simplifies the data capture and analysis.
There are three critical requirements that define every Honeynet. They are:
• Data Control
• Data Capture
• Data Collection
Data Control
Data Control is what mitigates risk. It controls the attacker's activity by limiting what can happen inbound and outbound. The risk is that once an attacker compromises a system within the Honeynet, they can use that system to attack other non-Honeynet systems, such as organizations on the Internet. The attacker has to be controlled so they cannot do that. They can attack other systems within the Honeynet, but we have to protect non-Honeynet systems.
It took the blackhat only fifteen minutes to figure out something was wrong, wipe the system drive, and leave the network. So, the trick is to give the blackhat flexibility to execute whatever they need, but without allowing them to use the compromised system to attack others.
Data Capture
Data Capture is the collecting of all the activity that happens inbound, outbound, or within the Honeynet. This is how we learn, by capturing the attacker's activities. The trick to these requirements is meeting them without the attacker knowing. Our goal is to both control and capture all of the attacker's activity, without them realizing they are within a Honeynet.
Data captured cannot be stored locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them the system is a Honeynet. The stored data can also be lost or destroyed. Not only do we have to capture the blackhat's every move without them knowing, but we have to store the information remotely. The key to this is capturing data in layers. You cannot depend on a single layer for information. You gather data from a variety of resources. Combined, these layers then allow you to paint the big picture. We will now discuss these layers and their uses.
Data Collection
There is a third requirement, Data Collection, but this is only for organizations that have multiple Honeynets in distributed environments. Many organizations will have only one single Honeynet, so all they need to do is both Control and Capture data. However, organizations that have multiple Honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. This way the captured data can be combined, exponentially increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed Honeynets.
INTEGRATING HONEYPOTS
The integration of a honeypot into the network is a great determining factor in how effective it will be. You should position the decoy system close to your production servers to tempt intruders that are targeting production servers. One such possibility is to emulate non-production services on production servers. By using port redirection on an upstream router or firewall, it will appear that honeypot services are running on production systems. This would require an upstream router or firewall capable of performing port/service redirection; in this case the upstream device is responsible for transparently handling the address translation of the honeypot in order to help conceal its real destination IP address. One example of this: if you run a production web server (port 80), telnet (port 23) and SMTP (port 25) could then be redirected to a honeypot.
Because these services should not be accessed on a production system, the honeypot should send off an immediate alert or, at the very least, log (record, register) the incident. In the scenario listed above, you can detect probing and tampering on production systems but only on non-production services, so you would not be alerted to tampering on the production server because the service is not redirected to the honeypot. It is also important to realize the limitations of service emulation. Intrusion detection systems must know about the vulnerability prior to the exploitation in order for it to emulate properly.
Another way to deploy a honeypot is to place it logically between production servers. If production servers are addressed as .9, .10, .11, and .13, it is ideal to address the honeypot as .12. The idea behind this is to catch intruders that “sweep scan” entire network ranges looking for vulnerable services. This is achieved by straight network addressing of the honeypot. You can even make the honeypot appear as multiple hosts by using IP aliasing (assigning multiple IP addresses to the same host). Because this method uses standard network addressing, you don’t need any special configurations on your upstream router or firewall.
The goal in this setup is to catch intruders who will “sweep” (scan) an entire network range, looking for vulnerable services.
If your production servers are running the DNS service, so should your honeypot; an intruder scanning for the latest DNS service vulnerability will hone (break up) right in. However, if the intruder focuses only on your production systems, he or she will avoid the honeypot, rendering it useless.
Any existing system can also be “honeypotized”. For example, on WinNT, it is possible to rename the default “administrator” account, then create a dummy account called “administrator” with no password. WinNT allows extensive logging of a person’s activities, so this honeypot will track users attempting to gain administrator access and exploit that access.
Reply
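The traffic rule from the VALUE OF A HONEYPOT and Data Control sections, as an added example that is not part of the original post: inbound connections are treated as probes, outbound ones as a sign of compromise, and outbound traffic is blocked past a limit. The honeynet range, the limit of three, the counting approach to Data Control and the sample connections are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed for illustration: the honeynet range and the outbound limit are
# constructed values, not taken from the post.
HONEYNET = ipaddress.ip_network("10.10.10.0/24")
OUTBOUND_LIMIT = 3  # outbound connections allowed per honeypot before blocking

# Constructed sample connections as (source, destination) pairs.
SAMPLE = [
    ("203.0.113.50", "10.10.10.5"),   # outside -> honeypot
    ("10.10.10.5", "10.10.10.6"),     # honeypot -> honeypot
    ("10.10.10.5", "198.51.100.1"),   # honeypot -> outside, 1st
    ("10.10.10.5", "198.51.100.2"),
    ("10.10.10.5", "198.51.100.3"),
    ("10.10.10.5", "198.51.100.4"),   # 4th outbound: over the limit
]

def classify(src, dst):
    """Label a connection by its direction relative to the honeynet."""
    src_in = ipaddress.ip_address(src) in HONEYNET
    dst_in = ipaddress.ip_address(dst) in HONEYNET
    if src_in and dst_in:
        return "internal"       # attacks between honeypots are permitted
    if dst_in:
        return "inbound"        # most likely a probe or attack
    if src_in:
        return "outbound"       # indicates a compromised honeypot
    return "unrelated"

def data_control(connections):
    """Return (src, dst, label, action) for each connection, in order.
    Everything is captured; only outbound traffic past the limit is blocked."""
    outbound_seen = defaultdict(int)
    decisions = []
    for src, dst in connections:
        label = classify(src, dst)
        action = "allow"
        if label == "outbound":
            outbound_seen[src] += 1
            if outbound_seen[src] > OUTBOUND_LIMIT:
                action = "block"
        decisions.append((src, dst, label, action))
    return decisions

if __name__ == "__main__":
    for row in data_control(SAMPLE):
        print(*row)
```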
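The ".12 between production servers" placement from INTEGRATING HONEYPOTS, as an added example that is not part of the original post: any source that touches the decoy is reported together with the production hosts it contacted on the same port, which are the hosts to review after a sweep. The 192.0.2.0/24 addressing, the 60-second window, the two-host threshold and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed addressing that mirrors the post: production at .9, .10, .11, .13
# and the honeypot at .12 (192.0.2.0/24 is a documentation range).
PRODUCTION = {"192.0.2.9", "192.0.2.10", "192.0.2.11", "192.0.2.13"}
HONEYPOT = "192.0.2.12"

# Constructed sample connection log: (epoch seconds, source, destination, dest port).
SAMPLE_LOG = [
    (100, "203.0.113.7", "192.0.2.9", 53),
    (101, "203.0.113.7", "192.0.2.10", 53),
    (102, "203.0.113.7", "192.0.2.11", 53),
    (103, "203.0.113.7", "192.0.2.12", 53),   # decoy hit in the middle of the sweep
    (104, "203.0.113.7", "192.0.2.13", 53),
    (200, "198.51.100.4", "192.0.2.10", 80),  # ordinary web client, never touches .12
    (300, "198.51.100.9", "192.0.2.12", 23),  # lone probe of the decoy
]

def find_sweeps(log, window=60, min_production_hosts=2):
    """Report every source that touched the honeypot and, for each, the
    production hosts it contacted on the same port within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in log:
        by_src[src].append((ts, dst, port))
    report = {}
    for src, conns in by_src.items():
        decoy_hits = [(ts, port) for ts, dst, port in conns if dst == HONEYPOT]
        if not decoy_hits:
            continue  # no decoy contact: the honeypot has nothing to say here
        touched = set()
        for hit_ts, hit_port in decoy_hits:
            for ts, dst, port in conns:
                if (dst in PRODUCTION and port == hit_port
                        and abs(ts - hit_ts) <= window):
                    touched.add(dst)
        report[src] = {
            "ports": sorted({port for _, port in decoy_hits}),
            "production_hosts": sorted(
                touched, key=lambda ip: int(ip.rsplit(".", 1)[1])),
            "sweep": len(touched) >= min_production_hosts,
        }
    return report

if __name__ == "__main__":
    for source, finding in find_sweeps(SAMPLE_LOG).items():
        print(source, finding)
```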