Honeypots & Honeynets: Tech Talk
Tech Talk
June’13
5. Honeynets
• Concept
• Threat and Trends
• Architecture
7. Questions
Preface
The Problem
Lionel Giles once said:
“Everybody can see superficially how a battle is won; what they cannot see are the long series of plans and combinations which have preceded the battle”
Evidence
Value of Honeypot
What is Honeypot
Their Value
Why Honeypot
Benefits of deploying honeypot
Types
Advantages & Disadvantages
Low Interaction Honeypot
• Low-interaction honeypots are typically the easiest honeypots to install, configure, deploy and maintain. They partially emulate a service (e.g. Unix telnet server or Microsoft’s IIS) or operating system and limit the attacker’s activities to the level of emulation provided by the software.
• Advantages
  • Logging and analyzing is simple
  • Only transactional information is available, no information about the attacks themselves (e.g. time and date of an attack, protocol, source and destination IP as well as port)
• Disadvantages
  • Very limited logging abilities
  • Can only capture known attacks
  • Easily detectable by a skilled attacker

High Interaction Honeypot
• Provide an attacker with a real operating system where nothing is emulated or restricted.
• Ideally you are rewarded with a vast amount of information about attackers, their motivation, actions, tools, behaviour, level of knowledge, origin, identity etc.
• Advantages
  • Learn as much as possible about the attacker, the attack itself and especially the methodology as well as tools used.
• Disadvantages
  • Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming as it involves a variety of different technologies (e.g. IDS, firewall etc.) that have to be customized.
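A minimal low-interaction honeypot of the kind described above, as an added example that is not from the original slides: it emulates only a telnet login prompt and returns the transactional fields the slide lists (time, protocol, source and destination IP and port). The banner text, port 2323 and the function names are assumptions made for this illustration.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed banner: the only "service" the attacker ever sees.
BANNER = b"\r\nUnix(r) System V Release 4.0 (constructed banner)\r\n\r\nlogin: "

def open_listener(host="127.0.0.1", port=2323):
    """Bind the fake telnet service; 2323 is an assumed unprivileged port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def handle_one(srv, max_bytes=256, timeout=5.0):
    """Accept one connection, show the login prompt, return the log record."""
    conn, (src_ip, src_port) = srv.accept()
    with conn:
        conn.settimeout(timeout)
        dst_ip, dst_port = conn.getsockname()[:2]
        received = b""
        try:
            conn.sendall(BANNER)
            # Emulation ends here: one bounded read, no shell, no commands.
            received = conn.recv(max_bytes)
            conn.sendall(b"\r\nLogin incorrect\r\n")
        except OSError:
            pass  # timeouts and resets still count as a connection attempt
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "protocol": "tcp/telnet-emulated",
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "bytes_received": len(received),
        "first_input": received.decode("latin-1").strip()[:64],
    }

if __name__ == "__main__":
    listener = open_listener()
    while True:  # one JSON line per connection attempt
        print(json.dumps(handle_one(listener)), flush=True)
```

The record holds only connection metadata and the first line typed, which is the limited logging the slide lists as a disadvantage; the fixed banner and canned reply are also what makes such a honeypot easy for a skilled attacker to recognise.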
Honeypot Tools
BackOfficer Friendly:
A free Win32-based honeypot solution by NFR Security (a separate Unix port is available but has restricted functionality). It is able to emulate single services such as telnet, ftp and smtp, and to log connection attempts in a rudimentary way.
NFR® BackOfficer Friendly is a useful little burglar alarm - simple, unobtrusive, and easy to install - which rings when someone rattles your doorknob. It identifies attacks from Back Orifice, one of the nastier hacking applications, as well as other sorts of scans. NFR is currently offering BackOfficer Friendly as a FREE download for personal use only.
SPECTER
Honeypots Solutions
So you want to build your own honeypot
http://www.tracking-hackers.com/solutions/
Honeynets
non-profit, research organization improving the security of the Internet at no cost.
Honeynet
Architecture
1. Data Capture
2. Data Control
3. Data Analysis
Do I need this knowledge?
What’s happening?
Cyber-Security Market
Growing at a CAGR of 11.3% and to Reach $120.1 Billion by 2017
The most dramatic cyber attack in recent times was that of STUXNET. In 2010, STUXNET, the first malware able to take control of low-level industrial devices (i.e., a centrifuge of nuclear power plants), was spread. This made everybody reflect on the fact that cyber-security was no longer a matter of securing servers and software, company data and continuity, but a matter of citizen safety.
Reference - http://www.prweb.com/releases/cyber-security/market/prweb10700570.htm