2. What Is a Honeypot?
Abstract definition:
“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”
Concrete definition:
“A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
5. Technicalities
Research-
Learning the tools and methods black-hats use helps IT security experts protect systems from future attacks.
Protection-
May lure attackers away from the real production systems.
Detection-
There shouldn’t be any network traffic on a honeypot. All network traffic is considered hostile.
Evidence-
Once an attacker is identified, all evidence can be used legally.
6. Benefit of Deploying Honeypots
Attack analysis:
Find out the reasons and strategies why and how you are attacked.
Binary and behavior analysis of captured malicious code.
Evidence:
Once the attacker is identified, all data captured may be used in a legal procedure.
Increased knowledge
7. Benefit of Deploying Honeypots
Risk mitigation:
Lure an attacker away from the real production systems (“easy target”).
IDS-like functionality:
Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is hostile and can initiate further actions.
8. Categories of Honeypots....
Production honeypots:
•Easy to deploy and maintain
•Inexpensive
•Captures limited information
•Used primarily by companies or corporations
Research honeypots:
•Very complex to deploy and maintain
•Expensive
•Captures extensive information
-methods
-keystrokes
-tools
-conversations
•Used primarily by research, military, and government organizations
9. Characteristics of a Honeypot...
•Decoy system-
Poses as a legitimate system offering services over the internet.
•Security Vulnerabilities-
Exposes security vulnerabilities to attract an attacker.
•Closely monitored-
Closely monitored by an expert to study the methods by which black-hats probe, exploit, and compromise systems.
•Deceptive-
Looks and behaves just as any normal system would.
•Well Designed-
A well-designed honeypot means the black-hat never knows he is being watched.
10. Classifications.....
Low-interaction honeypot:
•Only part of the applications and OS are emulated by software
•No “real” interaction
•Easy to deploy and maintain
•Limited logging
•Can be easily detected by skilled hackers
High-interaction honeypot:
•Full access to OS
•Captures a substantial amount of information (actions, tools, behavior, origin, identity, etc.)
•Extremely complex, time consuming, expensive
•Very high level of risk
11. Low Interaction Honeypot..
-Emulates certain services and applications
-Identifies hostile IP addresses
-Protects the internet side of the network
-Low risk and easy to deploy/maintain, but captures limited information.
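An added example of the low-interaction idea above and of the "all traffic is hostile" detection point from the earlier slides; it is not code from the slides. It emulates only a fake FTP login dialogue, logs every command, and counts attempts per source address. The hostname and the two sample sessions are constructed.

```python
"""Minimal low-interaction honeypot logic (added example, not from the slides).
Emulates a fake FTP login, logs every command, and treats every connecting
address as hostile, since no legitimate client should ever talk to a honeypot."""
from collections import Counter
from datetime import datetime, timezone

BANNER = b"220 ftp.honeypot.example FTP server ready\r\n"  # constructed hostname

def emulate_ftp(peer_ip, lines, now=None):
    """Play an FTP server that never lets anyone in. Returns (replies, events).
    Only the login dialogue is emulated; any other command gets a generic
    refusal, the limited interaction that keeps a low-interaction honeypot low-risk."""
    now = now or datetime.now(timezone.utc)
    replies, events, user = [BANNER], [], None
    for raw in lines:
        cmd, _, arg = raw.strip().decode("latin-1").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            reply = b"331 Password required\r\n"
        elif cmd == "PASS":
            reply = b"530 Login incorrect\r\n"  # credentials recorded, never accepted
        elif cmd == "QUIT":
            reply = b"221 Goodbye\r\n"
        else:
            reply = b"502 Command not implemented\r\n"
        replies.append(reply)
        events.append({"ts": now.isoformat(), "src": peer_ip, "cmd": cmd,
                       "arg": arg, "user": user, "hostile": True})
    return replies, events

def hostile_sources(events):
    """Count attempts per source IP; every source seen here is hostile by definition."""
    return dict(Counter(e["src"] for e in events))

# Constructed sample sessions (RFC 5737 documentation addresses, not real traffic).
SAMPLE_SESSIONS = {
    "198.51.100.7": [b"USER admin\r\n", b"PASS admin\r\n", b"QUIT\r\n"],
    "203.0.113.42": [b"USER root\r\n", b"PASS toor\r\n", b"SYST\r\n"],
}

def run_samples():
    """Feed the sample sessions through the emulator and summarise hostile sources."""
    all_events = []
    for ip, lines in SAMPLE_SESSIONS.items():
        all_events.extend(emulate_ftp(ip, lines)[1])
    return hostile_sources(all_events)

if __name__ == "__main__":
    print(run_samples())
```

The per-source counts are the "small data set of high value": a handful of events, each one already an alert, rather than a day of mixed production logs.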
12. High Interaction Honeypot...
-Real services, applications, and OS’s
-Capture extensive information but high risk and time intensive to maintain
-Internal network protection
13. Comparison.....
Low-interaction: Solution emulates operating systems and services.
High-interaction: No emulation; real operating systems and services are provided.

Low-interaction: Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
High-interaction: Can be complex to install or deploy (commercial versions tend to be much simpler).

Low-interaction: Minimal risk, as the emulated services control what attackers can and cannot do.
High-interaction: Increased risk, as attackers are provided real operating systems to interact with.

Low-interaction: Captures limited amounts of information, mainly transactional data and some limited interaction.
High-interaction: Can capture far more information, including new tools, communications, or attacker keystrokes.
17. Advantages.....
Small data sets of high value-
Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day.
New tools and tactics-
Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
Minimal resources-
Honeypots require minimal resources; they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
Encryption or IPv6-
Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.
Information-
Honeypots can collect in-depth information that few, if any, other technologies can match.
Simplicity-
Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.
Protection-
Honeypots can help protect an organization in its response to an attack.
Attack prevention-
One way that honeypots can help defend against such attacks is by slowing their scanning down, potentially even stopping them. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal network.
18. Disadvantages....
•Limited view-
Only captures activity from that system and not other systems on the network.
•High risk-
Could be used as a jump-off point to attack other systems.
•Labor / Skill intensive-
Requires a lot of time to deploy, maintain, and analyze.
•Legal issues-
If it is used to attack another system, it could put an entire company or organization in jeopardy.