http project honeynet orgmiscproject html Use of Honeypots

  • Slides: 18
Download presentation
http: //project. honeynet. org/misc/project. html Use of Honey-pots to Detect Exploited Systems Across Large

http: //project. honeynet. org/misc/project. html Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Overview • Motivation • What are Honeypots? – Gen I and Gen II •

Overview • Motivation • What are Honeypots? – Gen I and Gen II • The Georgia. Tech Honeynet System – Hardware/Software – IDS – Logging and review • Some detected Exploitations – Worm exploits – Sage of the Warez Exploit • Words of Wisdom • Conclusions

Why Honeynets ? An additional layer of security

Why Honeynets ? An additional layer of security

Security: A serious Problem Firewall IDS A Traffic Cop Detection and Alert Problems: Internal

Security: A serious Problem Firewall IDS A Traffic Cop Detection and Alert Problems: Internal Threats False Positives Virus Laden Programs False Negatives

The Security Problem Firewall IDS Honey. Nets An additional layer of security

The Security Problem Firewall IDS Honey. Nets An additional layer of security

• • Captures all inbound/outbound data Standard production systems Intended to be compromised

• • Captures all inbound/outbound data Standard production systems Intended to be compromised Data Capture – Stealth capturing – Storage location – away from the honeynet • Data control – Protect the network from honeynets

Two types Gen II Good for simpler attacks Unsophisticated targets Sophisticated Data Control :

Two types Gen II Good for simpler attacks Unsophisticated targets Sophisticated Data Control : Stealth Fire-walling Limited Data Control Gen I chosen

GATech Honeynet System Huge network 4 TB data processing/day CONFIG Sub-standard systems Open Source

GATech Honeynet System Huge network 4 TB data processing/day CONFIG Sub-standard systems Open Source Software Simple Firewall Data Control

IDS Invisible SNORT Monitor Promiscuous mode Two SNORT Sessions Session 1 Signature Analysis Monitoring

IDS Invisible SNORT Monitor Promiscuous mode Two SNORT Sessions Session 1 Signature Analysis Monitoring Session 2 Packet Capture DATA CAPTURE

Data Analysis SNORT DATA CAPTURE Requires human resources All packet logs stored One hour

Data Analysis SNORT DATA CAPTURE Requires human resources All packet logs stored One hour daily ! Ethereal used Forensic Analysis

Detected Exploitations 16 compromises detected Worm attacks Hacker Attacks

Detected Exploitations 16 compromises detected Worm attacks Hacker Attacks

DETECTING WORM EXPLOITS Honey Net traffic is Suspicious Heuristic for worm detection: Frequent port

DETECTING WORM EXPLOITS Honey Net traffic is Suspicious Heuristic for worm detection: Frequent port scans Specific OS-vulnerability monitoring possible Captured traffic helps signature development

SAGA of the WAREZ Hacker Helped locate a compromised host Honeynet Very difficult to

SAGA of the WAREZ Hacker Helped locate a compromised host Honeynet Very difficult to detect otherwise ! IIS Exploit Warez Server + Backdoor

Words of Wisdom • • • Start small Good relationships help Focus on Internal

Words of Wisdom • • • Start small Good relationships help Focus on Internal attacks Don’t advertise Be prepared to spend time

Conclusion • Helped locate compromised systems • Can boost IDS research – Data capture

Conclusion • Helped locate compromised systems • Can boost IDS research – Data capture • Distributed Honey nets ?

Discussion • The usefulness of the extra layer ? • Dynamic Honey. Nets •

Discussion • The usefulness of the extra layer ? • Dynamic Honey. Nets • Comparison with IDS: are these a replacement or complementary ? HONEY NET IDS

Honeypots Building Honeypots Commercial honeypotsemulating services Specter HoneyedHoneypots Building Honeypots Commercial honeypotsemulating services Specter Honeyed
FIREWALL AND INTRUSION DETECTION SYSTEM Honeypots Honeypots HoneypotFIREWALL AND INTRUSION DETECTION SYSTEM Honeypots Honeypots Honeypot
2 2 HTML html HTML 5 html html2 2 HTML html HTML 5 html html
HTML HTML Tutorial HTML Basic HTML Advanced HTMLHTML HTML Tutorial HTML Basic HTML Advanced HTML
HTML 5 HTML 5 DOCTYPE HTML html headHTML 5 HTML 5 DOCTYPE HTML html head
HTML 5 HTML 5 HTML 5 HTML 5HTML 5 HTML 5 HTML 5 HTML 5
HTML Tim BernersLeeCERNHTML HTML 11232020 HTML 1993 HTMLHTML Tim BernersLeeCERNHTML HTML 11232020 HTML 1993 HTML
HTML HTML Hypertext Markup Language HTML HTML indexHTML HTML Hypertext Markup Language HTML HTML index
HTML HTML Hypertext Markup Language HTML HTML indexHTML HTML Hypertext Markup Language HTML HTML index
HTML 5 HTML 5 DOCTYPE HTML html headHTML 5 HTML 5 DOCTYPE HTML html head
02 Section HTML HTML HTML html head titletitle02 Section HTML HTML HTML html head titletitle
HTML 5 HTML 5canvas HTML 5audio HTML 5vedioHTML 5 HTML 5canvas HTML 5audio HTML 5vedio
HTML 5 HTML CSS HTML 5 HTML 5HTML 5 HTML CSS HTML 5 HTML 5
Honeynets and The Honeynet Project Speaker 2 PurposeHoneynets and The Honeynet Project Speaker 2 Purpose
The Honeynet Project Your Speakers The Team MembersThe Honeynet Project Your Speakers The Team Members
The Honeynet Project Trapping the Hackers Lance SpitznerThe Honeynet Project Trapping the Hackers Lance Spitzner
The Honeynet Project Trapping the Hackers Lance SpitznerThe Honeynet Project Trapping the Hackers Lance Spitzner