Edgis Sharing Session – Introduction to Honeypots
at Whitehat Society, Singapore Management University
September 2012
at Computing Society, Royal Holloway, University of London
February 2013
2. The Honeynet Project.
The Honeynet Project is a leading international 501(c)(3) non-profit security research organisation, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.
Founded in 1999, The Honeynet Project has contributed to the fight against malware and malicious hacking attacks and counts leading security professionals among its members and alumni.
Website: http://www.honeynet.org/ http://www.honeynet.sg
3. Agenda.
What is a honeypot.
What types of honeypot are there.
Introduction to honeypot tools.
How to deploy them.
Deployment considerations.
Operational considerations.
Governance considerations.
Legal considerations.
4. What is a honeypot.
An information system resource which has no production value.
Its value lies in unauthorised or illicit use of that resource.
Its value lies in being probed, attacked, or compromised.
-- Spitzner
Intelligence gathering
Analyse trends / behaviours; Know your enemy.
Decoy / Bait
5. Types of honeypot.
High interaction:
An actual machine.
Rich content; Fully emulated shells; Fully replicated services.
Low interaction:
A program.
Emulates specific services; limited interactivity.
Honeytoken
Hybrid
6. Honeypot tools.
High interaction:
De facto security tools (NIDS, HIDS, etc.)
In-depth Data Capture tools (Sebek, Qebek, Capture-HPC).
Egress Traffic Control (Snort Inline, iptables)
Perimeter – Honeywall (Roo)
Web Application – Glastopf
SSL Proxy & Traffic Analyser – HoneyProxy
USB Malware – Ghost USB
Low interaction:
De facto low interaction – Honeyd
Common ports – Tiny Honeypot
Malware – Dionaea (… Honeytrap?)
Web Application – Glastopf
USB Malware – Ghost USB
SSH – Kippo, Kojoney
Blacklisting – Honeyports
10. Tiny Honeypot.
Written by George Bakos (Alpinista.org).
Low interaction honeypot.
Based on iptables and an xinetd listener.
Emulates well-known services:
HTTP
FTP
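The low-interaction idea from slide 5 (a program that emulates specific services with limited interactivity) and Tiny Honeypot's HTTP/FTP emulation, as a worked example. This is added code, not code from the slides, from Tiny Honeypot or from the Honeynet Project. It assumes loopback ports chosen by the OS (a real deployment would bind the services' usual ports and append records to a file), the banners are constructed strings rather than real server fingerprints, and Tiny Honeypot's iptables/xinetd front end is not reproduced. The point it shows is the low-interaction contract: send a banner, read one request, send a fixed reply, hang up, and log the probe without ever interpreting what the client sent.

```python
"""Minimal low-interaction honeypot (added example, not from the slides or
from Tiny Honeypot): emulates an FTP and an HTTP service on loopback ports,
never executes anything a client sends, and records each probe as JSON."""
import json
import socket
import threading
import time

# Canned banners and replies per emulated service. Constructed for this
# example; they are not real server fingerprints.
SERVICES = {
    "ftp": {"banner": b"220 FTP server ready.\r\n",
            "reply": b"530 Login incorrect.\r\n"},
    "http": {"banner": b"",
             "reply": (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                       b"Content-Length: 0\r\nConnection: close\r\n\r\n")},
}


def make_record(service, peer, data, ts=None):
    """One log record per probe: source, size and a bounded text copy of the
    payload. The payload is only stored, never interpreted."""
    return {
        "ts": time.time() if ts is None else ts,
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        "payload": data.decode("utf-8", "replace")[:512],
    }


class Honeypot:
    """Listener for one emulated service. port=0 lets the OS pick a free
    port (assumption for the demo); a deployment binds the usual port."""

    def __init__(self, service, host="127.0.0.1", port=0):
        self.service = service
        self.records = []          # in-memory log; a deployment writes a file
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:        # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn, peer):
        svc = SERVICES[self.service]
        data = b""
        with conn:                 # connection is closed on exit: hang up
            conn.settimeout(2)
            try:
                if svc["banner"]:
                    conn.sendall(svc["banner"])
                data = conn.recv(4096)      # read one request, nothing more
                conn.sendall(svc["reply"])  # fixed reply regardless of input
            except OSError:
                pass
            rec = make_record(self.service, peer, data)
            self.records.append(rec)
            print(json.dumps(rec))


def probe(port, payload):
    """Behave like a scanner: connect, send a payload, collect everything the
    honeypot says until it closes the connection."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        c.sendall(payload)
        chunks = []
        while True:
            try:
                chunk = c.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    pots = [Honeypot("ftp").start(), Honeypot("http").start()]
    probe(pots[0].port, b"USER anonymous\r\n")
    probe(pots[1].port, b"GET / HTTP/1.0\r\n\r\n")
    for p in pots:
        p.stop()
```

Each connection produces exactly one record, and the reply never depends on the request, which is what keeps the interaction "low": an attacker learns nothing beyond the banner, and the operator gets source, timing and the first request of every probe.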
12. Deployment & Considerations.
Deployment Considerations:
High or low interaction – What do you want from your honeypots?
Honeypot tools – What do you want from your honeypots?
Placed in internal or external networks – What do you want from your honeypots?
Configuration of your honeypots.
Physical or virtual environment – Costs & Maintenance
Dynamics / Programmability – Nature of the dynamics
Level of vulnerability – What do you want from your honeypots?
More Considerations:
Roles and Responsibilities
Legal considerations