
Honeypots & Honeynets

Tech Talk
June’13

Rasool Kareem Irfan | @rasoolirfan


Agenda
1. Preface

2. Value of Honeypot – What & Why

3. Benefits of deploying Honeypot

4. Types – Advantages & Disadvantages

5. Honeynets
• Concept
• Threat and Trends
• Architecture

6. Cyber Security Market

7. Questions

Preface
The Problem

• Hacker / Intruder / Attacker
• The security state of the internet is poor
• Anyone is a target!
• Tools are getting better
• Why do they attack?

Lionel Giles once said:
“Everybody can see superficially how a
battle is won; what they cannot see are the long series of
plans and combinations which have preceded the battle”
Evidence
Value of Honeypot
What is Honeypot

• Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)

• Concrete definition: “A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised.”

Their Value

• The primary value of honeypots is to collect information.
• This information is then used to better identify, understand and protect against threats.
• Honeypots add little direct value to protecting your network.

Value of Honeypot
Why Honeypot

• A great deal of the security profession (and the IT world) depends on honeypots, though few know it. Honeypots are used to:
• Build anti-virus signatures.
• Gather intelligence (Symantec / Arbor).
• Build SPAM signatures and filters.
• Build RBLs (Real-time Blackhole Lists) of malicious websites.
• Let ISPs identify compromised systems.
• Assist law enforcement in tracking criminals.
• Hunt and shut down botnets.
• Collect and analyze malware.

Benefits of deploying honeypot
Types
Advantages & Disadvantages
Low Interaction Honeypot
• Low-interaction honeypots are typically the easiest honeypots to install, configure, deploy and maintain. They partially emulate a service (e.g. a Unix telnet server or Microsoft’s IIS) or operating system and limit the attacker’s activities to the level of emulation provided by the software.
• Advantages
• Logging and analyzing is simple (only transactional information is available, no information about the attacks themselves: e.g. time and date of an attack, protocol, source and destination IP as well as port).
• Disadvantages
• Very limited logging abilities
• Can only capture known attacks
• Easily detectable by a skilled attacker

High Interaction Honeypot
• Provides an attacker with a real operating system where nothing is emulated or restricted. Ideally you are rewarded with a vast amount of information about attackers: their motivation, actions, tools, behaviour, level of knowledge, origin, identity etc.
• Advantages
• Learn as much as possible about the attacker, the attack itself and especially the methodology as well as the tools used.
• Disadvantages
• Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming, as it involves a variety of different technologies (e.g. IDS, firewall etc.) that have to be customized.
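The low-interaction model above (emulate only a service banner, record only transactional data) is small enough to show end to end. The following is an added example written for this page, not code from the deck or from any of the tools it names: a minimal TCP listener that presents a constructed banner, reads at most one line, and records timestamp, protocol, source/destination address and port, and the first bytes sent. The `probe` helper is a local stand-in for a scanner so the whole thing runs offline on loopback; the banners and service names are constructed, not taken from any real daemon.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed, illustrative banners; nothing behind them is real.
BANNERS = {
    "telnet": b"\r\nlogin: ",
    "ftp": b"220 FTP server ready\r\n",
}


class Recorder:
    """Thread-safe store for the transactional records the honeypot produces."""

    def __init__(self):
        self._lock = threading.Lock()
        self._records = []

    def add(self, record):
        with self._lock:
            self._records.append(record)

    def records(self):
        with self._lock:
            return list(self._records)

    def wait_for(self, count, timeout=3.0):
        """Block until at least `count` records exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            recs = self.records()
            if len(recs) >= count:
                return recs
            time.sleep(0.05)
        return self.records()


class _Handler(socketserver.BaseRequestHandler):
    """One connection: send the fake banner, read at most one line, log, close.
    Nothing the client sends is interpreted, which is exactly the limitation
    of a low-interaction honeypot: only the transaction is captured."""

    def handle(self):
        server = self.server
        src_ip, src_port = self.client_address[:2]
        self.request.settimeout(2.0)
        data = b""
        try:
            self.request.sendall(server.banner)
            data = self.request.recv(256)
        except (socket.timeout, OSError):
            pass
        server.recorder.add({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "protocol": server.service,
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": server.server_address[1],
            "first_bytes": data.decode("utf-8", "replace").strip(),
        })


class LowInteractionHoneypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, service, host="127.0.0.1", port=0):
        super().__init__((host, port), _Handler)
        self.service = service
        self.banner = BANNERS[service]
        self.recorder = Recorder()


def start_honeypot(service, host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    server = LowInteractionHoneypot(service, host, port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, payload=b"admin\r\n"):
    """Local test client: connect, read the banner, send one line, disconnect.
    Returns the banner bytes received (constructed traffic, loopback only)."""
    host, port = server.server_address[:2]
    with socket.create_connection((host, port), timeout=2.0) as sock:
        banner = b""
        while len(banner) < len(server.banner):
            chunk = sock.recv(1024)
            if not chunk:
                break
            banner += chunk
        sock.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = start_honeypot("telnet")
    print("banner seen by client:", probe(hp))
    for rec in hp.recorder.wait_for(1):
        print(rec)
    hp.shutdown()
    hp.server_close()
```

Each record is exactly the slide's "transactional information": when, which protocol, from where, to which port, plus the first line typed. There is no shell, no filesystem and no state, so an attacker who types a second command gets nothing back, which is also why the slide calls this kind of honeypot easy for a skilled attacker to detect.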

Honeypot Tools
BackOfficer Friendly:

A free Win32-based honeypot solution by NFR Security (a separate Unix port is available but has restricted functionality). It is able to emulate single services such as telnet, ftp and smtp and to log connection attempts in a rudimentary way.
NFR® BackOfficer Friendly is a useful little burglar alarm - simple, unobtrusive, and easy to install - which rings when someone rattles your doorknob. It identifies attacks from Back Orifice, one of the nastier hacking applications, as well as other sorts of scans. NFR is currently offering BackOfficer Friendly as a FREE download for personal use only.

Honeypot Tools
SPECTER

SPECTER is a smart honeypot-based intrusion detection system. It simulates a vulnerable computer, providing an interesting target to lure hackers away from the production machines. SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to the attackers but in fact are traps for them to mess around and leave traces without even knowing that they are connected to a decoy system, which does none of the things it appears to do, but instead logs everything and notifies the appropriate people.

Honeypots Solutions
So you want to build your own honeypot

http://www.tracking-hackers.com/solutions/

Honeynets
A non-profit research organization improving the security of the Internet at no cost.

Concept of the honeynet project
• A high-interaction honeypot designed to capture in-depth information.
• Information has different value to different organizations.
• It’s an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.

Threats
• Hundreds of scans a day.
• Fastest time a honeypot was manually compromised: 15 minutes (by a worm: under 60 seconds).
• Life expectancies: a vulnerable Win32 system lasts under three hours, a vulnerable Linux system three months.
• Primarily cyber-crime, focused on Win32 systems and their users.
• Attackers can control thousands of systems (botnets).

Honeynet
Architecture

1. Data Capture

2. Data Control

3. Data Analysis
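The Threats slide (scans per day, time to compromise, life expectancy) and the architecture slide (data capture, data control, data analysis) are two views of the same event stream, so one added example covers both. This is code written for this page, not from the Honeynet Project or any of its tools. It assumes a constructed JSON-lines log in which each line is one connection seen at the honeynet gateway, with `dir` set to `"in"` for traffic entering a honeypot and `"out"` for traffic the honeypot itself initiated; the field names, honeypot names and addresses are invented, and the addresses are documentation ranges. It then derives the slide's headline numbers (inbound scans per day, top sources, time from first inbound contact to first outbound connection as a proxy for time to compromise) and applies the data-control rule that a honeypot should never initiate much outbound traffic.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample honeynet gateway log (JSON lines), not real captures.
SAMPLE_EVENTS = """\
{"ts": "2013-06-01T00:12:03Z", "dir": "in", "honeypot": "hp-win", "src": "203.0.113.7", "dport": 445}
{"ts": "2013-06-01T00:12:09Z", "dir": "in", "honeypot": "hp-win", "src": "203.0.113.7", "dport": 135}
{"ts": "2013-06-01T03:40:00Z", "dir": "in", "honeypot": "hp-linux", "src": "198.51.100.4", "dport": 22}
{"ts": "2013-06-01T03:41:10Z", "dir": "out", "honeypot": "hp-win", "dst": "198.51.100.250", "dport": 6667}
{"ts": "2013-06-01T03:41:11Z", "dir": "out", "honeypot": "hp-win", "dst": "198.51.100.251", "dport": 80}
{"ts": "2013-06-01T03:41:12Z", "dir": "out", "honeypot": "hp-win", "dst": "198.51.100.252", "dport": 80}
{"ts": "2013-06-02T11:05:30Z", "dir": "in", "honeypot": "hp-linux", "src": "192.0.2.33", "dport": 22}
{"ts": "2013-06-02T11:06:00Z", "dir": "out", "honeypot": "hp-linux", "dst": "192.0.2.9", "dport": 53}
"""


def parse_events(text):
    """Data capture side: turn the JSON-lines log into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return events


def inbound_per_day(events):
    """How many scans/connections reached the honeynet per calendar day."""
    counts = Counter(ev["time"].date().isoformat()
                     for ev in events if ev["dir"] == "in")
    return dict(sorted(counts.items()))


def top_sources(events, n=3):
    """Most active external sources (inbound only)."""
    return Counter(ev["src"] for ev in events if ev["dir"] == "in").most_common(n)


def data_control_alerts(events, outbound_limit=2):
    """Data control: a honeypot has no legitimate reason to initiate traffic,
    so any day on which one opens more than `outbound_limit` outbound
    connections is flagged (the gateway would also rate-limit or block it)."""
    per_day = Counter()
    for ev in events:
        if ev["dir"] == "out":
            per_day[(ev["honeypot"], ev["time"].date().isoformat())] += 1
    return sorted((hp, day, c) for (hp, day), c in per_day.items()
                  if c > outbound_limit)


def seconds_to_first_outbound(events):
    """Proxy for the slide's 'time to compromise': seconds between the first
    inbound contact and the first outbound connection, per honeypot."""
    first_in, first_out = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        table = first_in if ev["dir"] == "in" else first_out
        table.setdefault(ev["honeypot"], ev["time"])
    return {hp: (first_out[hp] - first_in[hp]).total_seconds()
            for hp in first_out if hp in first_in}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("inbound per day:", inbound_per_day(evs))
    print("top sources:", top_sources(evs))
    print("data-control alerts:", data_control_alerts(evs))
    print("seconds to first outbound:", seconds_to_first_outbound(evs))
```

On the constructed log the Win32 honeypot starts calling out a few hours after first contact and trips the outbound limit the same day, which is the kind of signal the data-control layer exists to contain before the honeypot is used against third parties; the Linux honeypot's single DNS lookup stays under the limit but is still recorded, since the slide's rule is that any traffic leaving is suspect.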

Do I need this knowledge?
What’s happening?

Boundless Informant: US gov't collects 100 billion surveillance records a month

Cyber-Security Market
Growing at a CAGR of 11.3% and to Reach $120.1 Billion by 2017

• Identity & Access Management
• Risk & Compliance Management
• Data Encryption
• Data Leakage Prevention Solutions
• Data Recovery Solutions
• UTM, Anti-Virus, IPS/IDS, Web Filtering
• Firewall, Vulnerability Management
• DDoS Protection

The most dramatic cyber attack in recent times was STUXNET. In 2010 STUXNET, the first malware able to take control of low-level industrial devices (i.e., the centrifuges of nuclear power plants), was spread. This made everybody reflect on the fact that cyber-security was no longer only a matter of securing servers, software, company data and continuity, but a matter of citizen safety.

Reference - http://www.prweb.com/releases/cyber-security/market/prweb10700570.htm
