1.1 Background 1.3 Honeypot Basics Deception Techniques, Methods

Transcript of 1.1 Background 1.3 Honeypot Basics Deception Techniques, Methods

Page 1: 1.1 Background 1.3 Honeypot Basics Deception Techniques, Methods

Deception Techniques, Methods, Honeypots, Honeynets and Usage

CMPT 495

Ilker Tanli

Turgut Kolcalar

OUTLINE

1. Introduction

1.1 Background

1.2 Relation to Information Security

1.3 Honeypot Basics

2. Deceptive Networks, Honeypots and Honeynets

2.1 Honeypot/Deception Objectives

2.2 Honeypot/Deception Design Goals

2.3 Honeypot/Deception Deployment

2.4 Sample Honeypot Deployment

3. Conclusion and Future Work

PART I

1. Introduction

1.1 Background

1.2 Relation to Information Security

1.3 Honeypot Basics

1.1 Background

• Deception is an important tool and technique for success when used efficiently in all kinds of warfare.

• It is the art of making the enemy believe what we want them to believe.

• Deception is used even by animals such as the octopus, which changes color to look like a rock when threatened.

• It was not until the early 1990s that deception was considered for defensive use in IT.

Page 2

1.1 Background

• Examples of these types of defense are:

  • Noise Injection
  • False Information Feeding
  • Spread Spectrum Traps
  • Steganography

1.2 Relation to Information Security

• Honeynets are networks consisting of honeypots. Honeypots are closely monitored resources whose value lies in being probed, attacked or compromised, and they rely heavily on deception.

• In any kind of warfare, having the most information about the enemy or attacker increases the chance of being successful.

• This tends to give the defender an early warning of new attacks.

1.2 Relation to Information Security

• Deception has several other advantages:

  • It increases the attacker's workload, because the attacker cannot tell which of the attack attempts work and which fail.

  • It exhausts attacker resources and raises the sophistication required for an attack.

1.3 Honeypot Basics

• There are two types of honeypots: research and production. Research honeypots require a lot of work, but in return keystrokes, tools, conversations and methods can be learned.

• On the other hand, production honeypots are more similar to IDSs: they identify hostile activity, generate alerts and capture a minimal amount of data.

Page 3

PART II

2. Deceptive Networks, Honeypots and Honeynets

2.1 Honeypot/Deception Objectives

2.2 Honeypot/Deception Design Goals

2.3 Honeypot/Deception Deployment

2.4 Sample Honeypot Deployment

2.1 Honeypot/Deception Objectives

• Honeypots collect little data, but of high value.

• All traffic that enters and leaves the honeypot is suspect by nature and should be analyzed.

• The honeypot systems should appear as generic as possible.

• One detail that must be addressed is making sure that the attacker cannot use the honeypot as a launch point for further attacks.

2.2 Honeypot/Deception Design Goals

• We have to make sure that the likelihood of any individual intelligence probe encountering a real vulnerability is low. This can be done by increasing the total size of the space the attacker has to search and by making the real vulnerabilities a small part of that space.

• The time to defeat a deception should be as high as possible, which requires that the deceptions are realistic and that defeating one deception does not reveal any additional paths.

2.3 Honeypot/Deception Deployment

• There are several ways to set up a honeypot. It can be placed in front of a firewall, in the DMZ or behind a firewall.

• It is best to deploy the honeypot closer to the server, as it is more tempting for the attacker.

• Another way to deploy a honeypot would be to place it in between servers, but this method is not very effective. It would mostly prove useful only against sweep scans.

Page 4

2.4 Sample Honeynet Deployment

• We will now try to deploy a sample honeynet. For this we will use a Linux box, a daemon called Honeyd, and Arpd.

• Honeyd is a daemon that runs on UNIX systems and creates virtual hosts on the network.

• Virtual networks require less hardware and thus cost much less. A single host can maintain up to 65535 hosts.

• All hosts can be individually configured so that the requested services appear to be running.

2.4 Sample Honeynet Deployment

• We will also use Arpd, a daemon that listens for ARP requests and answers for IP addresses that are unallocated.

• Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space of a production network with virtual honeypots.

• After installing both daemons on a valid Linux machine (IP 155.246.23.69), we run Arpd to force unused IPs to resolve to the MAC address of the machine the daemon runs on.

2.4 Sample Honeynet Deployment

• Using the configuration file for Honeyd, three virtual machines are created (237, 238 and 239), which appear to have different operating systems: they were configured as AmigaOS, DEC OpenVMS and MS NT 4.0 respectively. (Machines are referred to by their last octet.)

• After setup, fingerprinting and scans were run from a machine running the MS Windows 2000 operating system.

Sample Honeyd Configuration File

• Sample configuration file used for Honeyd (the AmigaOS template bound to .237; port 23 is proxied to the .238 virtual host, and every other TCP port answers with a reset):

[root@twister Honeyd]# more config
# Amiga Box
create amigabox
set amigabox personality "AmigaOS Miami 3.0"
add amigabox tcp port 80 "sh scripts/web.sh"
add amigabox tcp port 23 proxy 155.246.23.238:23
set amigabox default tcp action reset
bind 155.246.23.237 amigabox

Page 5

Figure 1: Scan Results for 155.246.23.237

Figure 2: Scan Results for 155.246.23.238

Figure 3: Scan Results for 155.246.23.239

PART III

3. Conclusion and Future Work

Page 6

3. Conclusion and Future Work

• It can be seen that correctly configured honeypots can increase our chances of securing our production servers, as well as gather information about the black hat community.

• Once again, the deceptive network, whether virtual or not, should try to reflect a real network in all aspects.

• Building extensive virtual honeynets is not as easy as it seems, and requires extensive planning and deployment.

3. Conclusion and Future Work

• Since all traffic through the honeypot is considered suspicious, activity should be logged and reviewed.

• Legal concerns should also be addressed. Information obtained through honeypots may or may not be usable in court, depending on other laws.

• This is why honeypots and honeynets should not be advertised. The legal perspective of the issue should be discussed and clarified.
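The slides state that every connection to a honeypot is suspect, that the honeypot must not become a launch point for further attacks, and that honeypots placed among servers mostly catch sweep scans. The following added example (not part of the slides or of Honeyd) reviews Honeyd-style connection logs for the three virtual hosts above and flags both sweep scans and any connection initiated by a honeypot. The log layout, the source addresses and the sample lines are constructed here for illustration.

```python
import re
from collections import defaultdict

# Log line layout assumed from Honeyd: "ts proto(num) S|E|- src sport dst dport [...]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<state>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)"
)
# The three virtual hosts from the slides (last octets 237, 238, 239).
HONEYPOTS = {"155.246.23.237", "155.246.23.238", "155.246.23.239"}

def parse(lines):
    """Keep only parsable connection-start ('S') records as dicts."""
    matches = [LOG_RE.match(line) for line in lines]
    return [m.groupdict() for m in matches if m and m.group("state") == "S"]

def triage(records, sweep_threshold=2):
    """Per-source view of honeypot contacts; every record here is suspect by definition.
    Flags sweep scans (one source touching several honeypots) and, more urgently,
    any connection *initiated by* a honeypot, i.e. it may be in use as a launch point."""
    touched = defaultdict(set)
    outbound = []
    for r in records:
        if r["src"] in HONEYPOTS:
            outbound.append((r["src"], r["dst"], int(r["dport"])))
        elif r["dst"] in HONEYPOTS:
            touched[r["src"]].add((r["dst"], int(r["dport"])))
    sweeps = sorted(s for s, hits in touched.items()
                    if len({dst for dst, _ in hits}) >= sweep_threshold)
    return {"sources": {s: sorted(h) for s, h in touched.items()},
            "sweeps": sweeps, "outbound": outbound}

# Constructed sample in Honeyd's log layout (not a real capture from the deployment).
SAMPLE_LOG = """\
2004-03-15-16:27:38.0012 tcp(6) S 10.0.0.5 3245 155.246.23.237 80 [Windows 2000]
2004-03-15-16:27:38.2210 tcp(6) S 10.0.0.5 3246 155.246.23.238 23 [Windows 2000]
2004-03-15-16:27:38.4105 tcp(6) S 10.0.0.5 3247 155.246.23.239 139 [Windows 2000]
2004-03-15-16:27:40.0000 tcp(6) E 10.0.0.5 3245 155.246.23.237 80: 312 0
2004-03-15-16:28:01.0040 tcp(6) S 10.0.0.9 5120 155.246.23.237 80 [Linux 2.4]
2004-03-15-16:29:12.0000 tcp(6) S 155.246.23.237 1025 10.0.0.9 22
2004-03-15-16:29:13.0000 icmp(1) - 10.0.0.9 155.246.23.238: 8(0): 84
""".splitlines()

if __name__ == "__main__":
    report = triage(parse(SAMPLE_LOG))
    print("sweeps:", report["sweeps"])                     # ['10.0.0.5']
    print("outbound from honeypots:", report["outbound"])  # [('155.246.23.237', '10.0.0.9', 22)]
```

In a real deployment the outbound list is the one to alert on immediately, since a honeypot with its default TCP action set to reset should never open connections of its own.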