What Is a Honeypot?

• Abstract definition:
  “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”

• Concrete definition:
  “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
Basic Honeypot design

(diagram slide; the figure was not captured in the text extraction)
Technicalities

• Research-
  Learning the tools and methods black-hats use helps IT security experts protect systems from future attacks.

• Protection-
  May lure attackers away from the real production systems.

• Detection-
  There shouldn’t be any legitimate network traffic on a honeypot, so all network traffic to it is considered hostile.

• Evidence-
  Once an attacker is identified, all evidence can be used legally.
Benefit of Deploying Honeypots

• Attack analysis:
  Find out the reasons and strategies behind why and how you are attacked.
  Binary and behavior analysis of captured malicious code.

• Evidence:
  Once the attacker is identified, all data captured may be used in a legal procedure.

• Increased knowledge
Benefit of Deploying Honeypots

• Risk mitigation:
  Lure an attacker away from the real production systems (“easy target”).

• IDS-like functionality:
  Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.
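The detection rule on the slides above (no legitimate traffic should reach a honeypot, so every flow to it is an alert, and a source that touched the honeypot is worth following up on production hosts), as an added Python example that is not part of the slides. The log format, the addresses and the honeypot list are all constructed for the example.

```python
import re

# Constructed sample firewall-style connection log (not from the slides).
# 192.0.2.200 is the honeypot; 192.0.2.10 and 192.0.2.11 are production hosts.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2024-01-10T09:00:02Z src=198.51.100.7 dst=192.0.2.200 dport=22 proto=tcp
2024-01-10T09:00:03Z src=198.51.100.7 dst=192.0.2.200 dport=445 proto=tcp
2024-01-10T09:00:04Z src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2024-01-10T09:00:05Z src=203.0.113.9 dst=192.0.2.11 dport=80 proto=tcp
"""

# Addresses assigned to honeypots; no legitimate traffic should ever reach them.
HONEYPOT_ADDRS = {"192.0.2.200"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events

def honeypot_alerts(events, honeypot_addrs):
    """Apply the honeypot rule: any flow to a honeypot is an alert, its source is
    hostile, and that source's flows to production hosts are the follow-ups."""
    alerts = [e for e in events if e["dst"] in honeypot_addrs]
    hostile = {e["src"] for e in alerts}
    followups = [e for e in events
                 if e["src"] in hostile and e["dst"] not in honeypot_addrs]
    return alerts, hostile, followups

def summarize(text, honeypot_addrs=HONEYPOT_ADDRS):
    """Run the rule over a log text and return the small, high-value summary."""
    events = parse_log(text)
    alerts, hostile, followups = honeypot_alerts(events, honeypot_addrs)
    return {
        "events": len(events),
        "alerts": len(alerts),
        "hostile_sources": sorted(hostile),
        "followup_targets": sorted({(e["dst"], e["dport"]) for e in followups}),
    }
```

Of the five constructed flows only the two that reach the honeypot become alerts; the third flow from the same source, an SSH attempt against a production host, is surfaced as the follow-up.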
Categories of Honeypots

Production honeypots:
  • Easy to deploy and maintain
  • Inexpensive
  • Captures limited information
  • Used primarily by companies or corporations

Research honeypots:
  • Very complex to deploy and maintain
  • Expensive
  • Captures extensive information
    - methods
    - keystrokes
    - tools
    - conversations
  • Used primarily by research, military, and government organizations
Characteristics of a Honeypot

• Decoy system-
  Poses as a legitimate system offering services over the internet.

• Security vulnerabilities-
  Exposes security vulnerabilities to attract an attacker.

• Closely monitored-
  Closely monitored by an expert to study the methods by which black-hats probe, exploit, and compromise systems.

• Deceptive-
  Looks and behaves just as any normal system would.

• Well designed-
  A well designed honeypot means the black-hat never knows he is being watched.
Classifications

Low-interaction honeypot:
  • Only part of the applications and OS are emulated by software
  • No “real” interaction
  • Easy to deploy and maintain
  • Limited logging
  • Can be easily detected by skilled hackers

High-interaction honeypot:
  • Full access to the OS
  • Captures a substantial amount of information (actions, tools, behavior, origin, identity, etc.)
  • Extremely complex, time consuming, expensive
  • Very high level of risk
Low Interaction Honeypot

  - Emulates certain services and applications
  - Identifies hostile IPs
  - Protects the internet side of the network
  - Low risk and easy to deploy/maintain, but captures limited information

High Interaction Honeypot

  - Real services, applications, and OS’s
  - Captures extensive information, but high risk and time intensive to maintain
  - Internal network protection
Comparison

| Low-interaction | High-interaction |
|-----------------|------------------|
| Solution emulates operating systems and services. | No emulation; real operating systems and services are provided. |
| Easy to install and deploy. Usually requires simply installing and configuring software on a computer. | Can be complex to install or deploy (commercial versions tend to be much simpler). |
| Minimal risk, as the emulated services control what attackers can and cannot do. | Increased risk, as attackers are provided real operating systems to interact with. |
| Captures limited amounts of information, mainly transactional data and some limited interaction. | Can capture far more information, including new tools, communications, or attacker keystrokes. |
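The emulation point made on the Classifications and Comparison slides above (the emulated service, not the attacker, decides what can happen, and what it captures is mostly transactional), as an added Python example that is not part of the slides. The banner, the attempt limit, the peer address and the scripted client input are constructed for the example.

```python
class EmulatedLoginService:
    """A low-interaction 'service': a small state machine that hands out a
    login prompt and records what is typed. No shell or OS sits behind it, so
    the emulation, not the attacker, decides what can happen."""

    BANNER = "example-host login: "   # constructed placeholder banner
    MAX_ATTEMPTS = 3                  # close after this many failed logins

    def __init__(self, peer):
        self.peer = peer              # client address, kept for the log record
        self.state = "user"           # "user" -> "pass" -> "user" ...
        self.username = None
        self.attempts = []            # transactional data: (user, password) pairs
        self.closed = False

    def greeting(self):
        """What the service sends as soon as a client connects."""
        return self.BANNER

    def feed(self, line):
        """Consume one client line and return the text to send back."""
        if self.closed:
            return ""                 # nothing is processed after close
        line = line.rstrip("\r\n")
        if self.state == "user":
            self.username = line      # any input here is treated as a username,
            self.state = "pass"       # so a command such as 'ls' never executes
            return "Password: "
        self.attempts.append((self.username, line))
        self.username = None
        if len(self.attempts) >= self.MAX_ATTEMPTS:
            self.closed = True
            return "Login incorrect\r\nConnection closed.\r\n"
        self.state = "user"
        return "Login incorrect\r\n" + self.BANNER

    def log_records(self):
        """Structured entries an analyst keeps: who tried which credentials, in order."""
        return [{"peer": self.peer, "attempt": i + 1, "user": u, "password": p}
                for i, (u, p) in enumerate(self.attempts)]


def run_script(peer, client_lines):
    """Drive the emulation with a scripted client; returns (transcript, records, closed)."""
    svc = EmulatedLoginService(peer)
    transcript = [svc.greeting()]
    for line in client_lines:
        transcript.append(svc.feed(line))
    return transcript, svc.log_records(), svc.closed
```

Everything the client sends is captured as a credential pair and nothing is ever executed, which is exactly why this class of honeypot is low risk, limited in what it records, and easy for a skilled attacker to recognise.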
Advantages

Small data sets of high value-
  Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day.

New tools and tactics-
  Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.

Minimal resources-
  Honeypots require minimal resources, because they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.

Encryption or IPv6-
  Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.

Information-
  Honeypots can collect in-depth information that few, if any, other technologies can match.

Simplicity-
  Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.

Protection-
  Honeypots can also help protect an organization during incident response.

Attack prevention-
  One way that honeypots can help defend against such attacks is by slowing their scanning down, potentially even stopping them. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal PCs.
Disadvantages

• Limited view-
  Only captures activity directed at that system, not activity against other systems on the network.

• High risk-
  Could be used as a jump-off point to attack other systems.

• Labor / skill intensive-
  Requires a lot of time to deploy, maintain, and analyze.

• Legal issues-
  If the honeypot is used to attack another system, it could put an entire company or organization in jeopardy.
Conclusion