Honeypots are decoy systems used to gather threat intelligence. They allow monitoring of attacks to better understand tactics and improve defenses. There are different types, including low-interaction virtual honeypots for ease of use and high-interaction physical honeypots for more detailed data. Honeypots are placed in various network locations and can operate as production systems to detect threats or research systems to collect information. They provide security benefits but also have limitations like narrow views and fingerprinting risks.
2. ABSTRACT
Countermeasure to detect or prevent attacks
Know attack strategies
Gather information which is then used to better
identify, understand and protect against
threats.
Divert hackers from productive systems
4. THE PROBLEM
The Internet security is hard
New attacks every day
Our computers are static targets
What should we do?
The more you know about your enemy, the better you
can protect yourself
Fake target
6. Malicious code or malicious software is a
software program designed to
access a computer without the owners
consent or permission.
Problem(s) via computer
7. INTRODUCTION
A honeypot can be almost any type of server or
application that is meant as a tool to catch or trap an
attacker.
A honeypot is an internet attached server that acts as
decoy , luring in potential hackers in order to study
their activities and monitor how they are able to
break into a system.
8. History of Honeypots
1990/1991 The Cuckoo’s Egg and Evening with
Berferd
1997 - Deception Toolkit
1998 - CyberCop Sting
1998 - NetFacade (and Snort)
1998 - BackOfficer Friendly
1999 - Formation of the Honeynet Project
2001 - Worms captured
9. Continue…
The idea of honeypots began in 1991 with two
publications, “The Cuckoos Egg” and “An Evening with
Breferd ”.
“The Cuckoos Egg” by Clifford Stoll was about his
experience catching a computer hacker that was in his
corporation searching for secrets.
The other publication, “An Evening with Berferd” by Bill
Chewick is about a computer hacker’s moves through
traps that he and his colleagues used to catch him. In both
of these writings were the beginnings of what became
honeypots.
10. Continue…
The first type of honeypot was released in 1997
called the Deceptive Toolkit. The point of this kit was
to use deception to attack back.
In 1998 the first commercial honeypot came out. This
was called Cybercop Sting.
In the year, 2005, The Philippine Honeypot Project
was started to promote computer safety over in the
Philippines.
11. What is Honeypot?
In computer terminology, a honeypot is a trap set to
detect, deflect, or in some manner counteract
attempts at unauthorized use of information
systems.
Generally it consists of a computer, data, or a
network site that appears to be part of a network, but
is actually isolated and monitored, and which seems
to contain information or are source of value to
attackers.
12. LOCATION
In front of the firewall(Internet)
DMZ(demilitarized zone)
DMZ is to add an additional layer of security to
an organization's local area network (LAN).
Behind the firewall
14. Types of Honeypots
By level of interaction
High
Low
Pure
By Implementation
Virtual
Physical
By purpose
Production
Research
15. Level of Interaction
Low Interaction
Easy to deploy, minimal risk
Limited Information
Simulate services frequently requested by attackers
Honeyd
High Interaction
Highly expensive to maintain
Can be compromised completely, higher risk
More Information
Provide more security by being difficult to detect
Honeynet
16. Pure Honeypots
Pure honeypots are full-fledged production systems .
The activities of the attacker are monitored using a casual tap
that has been installed on the honeypot's link to the network.
No other software needs to be installed.
18. On Implementation basis
Two types
Physical
Real machines
Own IP Addresses
Often high-interactive
Virtual
Simulated by other machines that:
Respond to the traffic sent to the honeypots
May simulate a lot of (different) virtual honeypots at the
same time
19. How do HPs work?
Prevent
Detect
Response
No connection
Monitor
Attackers
Attack Data
HoneyPot A
Gateway
20. Basis of Deployment
Based on deployment, honeypots maybe classified
as:
1. Production honeypots
2. Research honeypots
21. Production HPs: Protect the systems
Prevention
Keeping the bad guys out
not effective prevention mechanisms.
Deception, Deterence , Decoys do NOT work against
automated attacks: worms, auto-rooters, mass-rooters
Detection
Detecting the burglar when he breaks in.
Great work
Response
Can easily be pulled offline
Little to no data pollution
22. Research HPs: gathering information
Collect compact amounts of high value information
Discover new Tools and Tactics
Understand Motives, Behavior, and Organization
Develop Analysis and Forensic Skills
Not add direct value to a specific organization
HONEYNET
23. Honeyd: A virtual honeypot application, which allows us
to create thousands of IP addresses with virtual machines
and corresponding network services.
24. What is a Honeynet
High-interaction honeypot designed to:
capture in-depth information
learn who would like to use your
system without your permission
for their own ends
Its an architecture, not a product or software.
Populate with live systems.
Can look like an actual production system
27. ADVANTAGES
Provides security to the systems.
Data Value : Honeypots can give you the precise information
you need in a quick and easy-to-understand format.
Resources : The honeypot only captures activities directed at
itself, so the system is not overwhelmed by the traffic.
It can be a relatively cheap computer.
Simplicity : There are no fancy algorithms to develop, no
signature databases to maintain, no rule bases to misconfigure.
28.
29. DISADVANTAGES
Narrow Field of View : They only see what activity is
directed against them.
Fingerprinting : Fingerprinting is when an attacker
can identify the true identity of a honeypot because
it has certain expected characteristics or behaviors.
Risk : By risk, we mean that a honeypot, once
attacked, can be used to attack, infiltrate, or harm
other systems or organizations.
30. CONCLUSION
Just the beginning for honeypots.
Honeypots are not a solution, they are a flexible tool
with different applications to security.
Primary value in detection and information
gathering.
Yet, honeypot technology is moving ahead
rapidly, and, in a year or two, honeypots will be
hard to ignore.
